Enter a 'good' worm to clean up after Blaster
20th August 2003 (Malay Mail)

A new computer worm was spreading worldwide through a security hole in Windows - also used by last week's Blaster worm - but then, patching the hole instead of crashing the system like Blaster does.

Reuters reported yesterday the new worm dubbed 'Welchia' or 'Nachi', was similar to Blaster, but it purported to patch the hole which Blaster exploited to enter into computers in the first place and tried to clean up after Blaster.

"Despite the apparently good intentions of the new worm, spreading "good" worms is a very bad idea," said Jimmy Kuo, research fellow at anti-virus vendor Network Associates Inc.

"You would rather not have somebody rebooting your machine in the middle of what you are doing, regardless of their intentions," he said.

Blaster, also dubbed MSBlaster LoveSan, has infected more than 570,000 Windows XP and Windows 2000 computers since it surfaced last week, according to an estimate from anti-virus vendor Symantec Corp.

The Windows vulnerability it exploits, which experts have known about since mid-July, affects computers running Windows XP, 2000, NT and Server 2003.

On English, Korean and Chinese versions of the Windows operating systems, Welchia downloads the patch to fix the computer.

"Welchia apparently does not do that on other versions of Windows, "said Joe Hartmann, director of North American anti-virus research at Tokyo-based Trend Micro.

"In some instances, Welchia tries to clean up after Blaster, if the computer has been infected. Then, Welchia spreads to other systems that have the vulnerability," said Kuo.

"Welchia, which is programmed to delete itself in 2004, is spreading widely in Asia, particularly in Japan," according to Hartmann.

The worm is creating more network traffic, and thus a slowdown, for many corporations as it checks for other vulnerable computers to infect - because it instructs numerous computers in a network to try to download the patch simultaneously, they said.