Nachi reborn! Worm tries to undo MyDoom damage, but no virus is a good virus. Sophos comments

February 12, 2004 Sophos Press Release

Sophos virus experts have warned computer users of a new variant of the Nachi worm (W32/Nachi-B) that attempts to remove infections of W32/MyDoom-A and W32/MyDoom-B, and download Microsoft security patches to unprotected computers.

Taking advantage of the same critical security hole in Microsoft Windows that was exploited by the Blaster worm, Nachi searches for unpatched computers. Once it locates one, it infects the computer without asking the user's permission and hunts for traces of the MyDoom worms. If a MyDoom infection is found, the Nachi-B worm attempts to remove it and download patches to fix the Microsoft vulnerability.

"This worm's author may think he is a modern-day Robin Hood, but there is no such thing as a good virus," said Graham Cluley, senior technology consultant at Sophos. "Nachi-B infects innocent computers without permission, steals network bandwidth, CPU time and hard disk space, and makes changes to the computer's setup and data. A worm can easily get out of control and cause unexpected conflicts. It is vital that computer users patch the holes in Microsoft software and ensure their anti-virus is fully updated."

Curiously, the Nachi-B worm attempts to overwrite some files with an HTML file containing references to the dropping of atomic bombs on Japan in World War II:

LET HISTORY TELL FUTURE !

1931.9.18
1937.7.7
1937.12.13 300,000 !

1941.12.7
1945.8.6 Little boy
1945.8.9 Fatso

1945.8.15

Let history tell future !

The original Nachi worm (W32/Nachi-A), seen in August 2003, attempted to remove infections from computers infected by W32/Blaster-A. It was subsequently blamed for causing considerable disruption to many businesses around the world.

The Microsoft security patch to protect against the vulnerability exploited by the Nachi and Blaster worms was released last year, and can be downloaded from www.microsoft.com/technet/security/bulletin/MS03-026.asp.

Home users of Microsoft Windows can visit windowsupdate.microsoft.com to have their systems scanned for Microsoft security vulnerabilities.