‘Good worm’ sets out to battle Blaster

19 Aug 2003

Hot on the heels of last week’s Blaster worm, a new worm has emerged whose mission, it seems, is to remove Blaster from users’ machines.

The new worm, known as Welchia or Nachi, spreads by exploiting two different Windows security holes: the DCOM RPC flaw used by Blaster, and the older WebDAV/ntdll.dll flaw disclosed in March of this year, which affects Microsoft’s IIS web server software.

After infecting a vulnerable system via one of these two security holes, the worm does the following: deletes the Blaster worm if it detects it on the machine; downloads and installs the appropriate Microsoft patch for the DCOM RPC security hole and then reboots the PC so the patch takes effect, preventing DCOM RPC worms such as Blaster from reinfecting it; scans for other systems to infect by sending out ICMP echo requests (‘pings’), generating a surge of network traffic; and checks the system date and, if it finds the year is 2004, disables and uninstalls itself.
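The propagation pattern described above (a burst of ICMP echo requests to many distinct addresses, followed by connection attempts to the DCOM RPC and IIS ports) is something a network administrator could look for in firewall or flow logs. The following is an added example, not code from the original article or from any named vendor; the log format, the field names, the 60-second window and the fan-out threshold of 20 hosts are all assumptions for illustration, and the sample traffic is constructed rather than captured.

```python
"""Flag hosts whose traffic matches the Welchia/Nachi propagation pattern:
a burst of ICMP echo requests to many distinct addresses, optionally followed
by TCP connections to the DCOM RPC port (135/tcp) or the IIS/WebDAV port (80/tcp).

Added example, not code from the original article. The log format, field
names, window and threshold are assumptions; adapt parse_line() to whatever
your firewall or flow collector actually emits.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

PING_FANOUT_THRESHOLD = 20          # distinct hosts pinged within WINDOW (assumed)
WINDOW = timedelta(seconds=60)      # sliding window length (assumed)
EXPLOIT_PORTS = {135, 80}           # DCOM RPC and IIS/WebDAV listeners


def parse_line(line):
    """Assumed log format: '<ISO timestamp> <src_ip> <dst_ip> <proto> <detail>'.
    For ICMP, detail is the message type; for TCP, detail is 'syn <dport>'."""
    ts, src, dst, proto, detail = line.split(maxsplit=4)
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto, "detail": detail.strip()}


def find_scanners(lines, threshold=PING_FANOUT_THRESHOLD, window=WINDOW):
    """Return {src: {"max_fanout": n, "exploit_targets": [...]}} for every source
    whose ICMP echo fan-out within any single window reaches the threshold.
    exploit_targets lists (dst, port) pairs the same source probed on 135/80."""
    pings = defaultdict(list)   # src -> [(ts, dst), ...]
    probes = defaultdict(set)   # src -> {(dst, port), ...}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"] == "icmp" and rec["detail"] == "echo-request":
            pings[rec["src"]].append((rec["ts"], rec["dst"]))
        elif rec["proto"] == "tcp" and rec["detail"].startswith("syn "):
            port = int(rec["detail"].split()[1])
            if port in EXPLOIT_PORTS:
                probes[rec["src"]].add((rec["dst"], port))

    suspects = {}
    for src, events in pings.items():
        events.sort()
        in_window = Counter()   # dst -> count of echo requests inside the window
        start, best = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            # slide the window forward, dropping events older than WINDOW
            while ts - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            best = max(best, len(in_window))   # distinct targets currently in window
        if best >= threshold:
            suspects[src] = {"max_fanout": best,
                             "exploit_targets": sorted(probes.get(src, set()))}
    return suspects


def build_sample_log():
    """Constructed traffic, not a real capture: one host sweeping a /24 with
    pings and then probing 135/tcp and 80/tcp, plus a benign host that pings
    its gateway every 30 seconds."""
    t0 = datetime(2003, 8, 19, 9, 0, 0)
    lines = []
    for i in range(1, 26):   # 25 echo requests to 25 different hosts in 25 s
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} "
                     f"10.0.5.17 10.0.5.{i} icmp echo-request")
    lines.append(f"{(t0 + timedelta(seconds=26)).isoformat()} 10.0.5.17 10.0.5.3 tcp syn 135")
    lines.append(f"{(t0 + timedelta(seconds=27)).isoformat()} 10.0.5.17 10.0.5.9 tcp syn 80")
    for i in range(5):       # benign: same destination, low rate
        lines.append(f"{(t0 + timedelta(seconds=30 * i)).isoformat()} "
                     f"10.0.5.40 10.0.5.1 icmp echo-request")
    return lines


if __name__ == "__main__":
    for src, info in find_scanners(build_sample_log()).items():
        print(f"{src}: pinged {info['max_fanout']} hosts in one window; "
              f"exploit-port probes: {info['exploit_targets']}")
```

The fan-out threshold is the knob that matters: a monitoring host that pings every machine on a subnet will also trip it, so in practice the 135/tcp or 80/tcp follow-up probes from the same source are what turn a noisy pinger into a credible infection lead.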

Although ‘good worms’ like Welchia/Nachi could be seen as a welcome antidote to recent malicious worms and viruses, Irish computer security consultancy Systemhouse cautioned users against seeing the worm as a positive development.

In a statement released this morning the company said: “Although the creator of this worm may have a misguided intention of unleashing a ‘good worm’ that removes MSBlaster from infected PCs and prevents future DCOM RPC attacks by installing the security patch from Microsoft, it is worth remembering that this worm executes on infected PCs without the owners’ permission, creates network traffic as it spreads, reboots the PC after installing the DCOM RPC security patch, may crash PCs it attacks or infects, and could send some into the series of ‘constant reboots’ also seen with MSBlaster.”

According to Dermot Williams, managing director of Systemhouse, it is not the first time that a worm or virus has been released with the apparent intention of seeking out and destroying another, but it should not be seen as the ‘white hats’ of the hacking community taking on the ‘black hats’.

“I don’t think that any responsible white hat would release a worm,” he said.

For Williams, the most worrying aspect of the Welchia/Nachi and Blaster worms is that users seem not to be heeding warnings from the security industry about security holes in Windows. “Even though warnings were issued about the biggest Windows security hole ever, a month later a million users’ machines were infected by Blaster. That’s scary,” he commented.

He added: “The extent of infection by Welchia/Nachi has not yet been established but the surprise is that it’s spreading at all. Computers wouldn’t be vulnerable if people installed the correct security patches.”

By Brian Skelly