Nachi reborn! Worm tries to undo MyDoom damage, but no virus is a good virus. Sophos comments

Sophos Press Release

Sophos virus experts have warned computer users of a new variant of the Nachi worm (W32/Nachi-B) that attempts to remove infections of W32/MyDoom-A and W32/MyDoom-B, and download Microsoft security patches to unprotected computers.

Taking advantage of the same critical security hole in Microsoft Windows which was exploited by the Blaster worm, Nachi searches for unpatched computers. Once it locates one, it infects the computer without asking the user's permission and hunts for traces of the MyDoom worms. If a MyDoom infection is found, the Nachi-B worm attempts to remove it and download patches to fix the Microsoft vulnerability.

"This worm's author may think he is a modern-day Robin Hood, but there is no such thing as a good virus," said Graham Cluley, senior technology consultant at Sophos. "Nachi-B infects innocent computers without permission, steals network bandwidth, CPU time and hard disk space, and makes changes to the computer's setup and data. A worm can easily get out of control and cause unexpected conflicts. It is vital that computer users patch the holes in Microsoft software and ensure their anti-virus is fully updated."

Curiously, the Nachi-B worm attempts to overwrite some files with an HTML file containing references to the dropping of atomic bombs on Japan in World War II:


1937.12.13 300,000 !

1945.8.6 Little boy
1945.8.9 Fatso


Let history tell future !

The original Nachi worm (W32/Nachi-A), seen in August 2003, attempted to remove W32/Blaster-A infections from computers. It was subsequently blamed for causing considerable disruption to many businesses around the world.

The Microsoft security patch to protect against the vulnerability exploited by the Nachi and Blaster worms was released last year, and can be downloaded from

Home users of Microsoft Windows can visit to have their systems scanned for Microsoft security vulnerabilities.

More than 100 million users in 150 countries rely on Sophos’ complete security solutions as the best protection against complex threats and data loss. Simple to deploy, manage, and use, Sophos’ award-winning encryption, endpoint security, web, email, mobile and network security solutions are backed by SophosLabs - a global network of threat intelligence centers. Sophos is headquartered in Oxford, U.K., and is publicly traded on the London Stock Exchange under the symbol “SOPH.” More information is available at