Thursday 12th February 2004
Nachi.B removes both the A and B variants of MyDoom, but this is largely redundant considering that MyDoom's attack on the SCO site is due to end today. However, it does close off the backdoor that MyDoom opens - a security threat that is currently being exploited by the Doomjuice viruses.
As with Nachi.A, it uses the same vulnerability exploited by the Blaster virus (the flaw in Microsoft's RPC handling) to do its work, and it downloads the patch that Microsoft issued for the flaw back in July.
However, there is no such thing as a saintly
The Nachi-B worm drops an HTML file onto infected computers. The file contains the following text:
'LET HISTORY TELL FUTURE !
1931.9.18
1937.7.7
1937.12.13 300,000 !
1941.12.7
1945.8.6 Little boy
1945.8.9 Fatso
1945.8.15
Let history tell future !'
The references to the nuclear attacks on Japan during WWII may reveal an Asian link between the two Nachi viruses.
'The original Nachi.A originally came from China,' Cluley said, 'But whether they are by the same author it's hard to say. We haven't seen any strong evidence.'
Cluley added that the worm may behave differently on computers in Japan than on European ones.
Sophos says it has not yet seen any copies of Nachi.B in the wild.