Nachi worm cleans up after Blaster

By Alun Williams

Posted on 19 Aug 2003 at 16:13

An unusual twist to the long-running Microsoft RPC (Remote Procedure Call) vulnerability.

Following in the wake of the Blaster comes Nachi. Only this time, the 'good worm' the attempts to remove the Blaster infection and to patch vulnerable Microsoft systems to help prevent similar attacks.

Nachi takes advantage of the same security hole - for which a patch is available - to search for unpatched computers.

'The writer of the Nachi worm may want to be seen as the Dirty Harry of the internet world, cleaning up malicious Blaster code wherever it is found,' said Graham Cluley, senior technology consultant at Sophos. 'But no virus is a good virus. Infecting systems in order to disinfect and patch computers isn't a responsible way to deal with the problem as the worm could easily get out of control or cause unexpected conflicts. It is vital that computer users patch the holes in Microsoft software and ensure their anti-virus has the latest protection.'

But was Dirty Harry a family man, too? Contained inside the worm's code is the text 'I love my wife & baby :)'.

As we have previously reported, the bad news is that there could be more bad news on the way. The Nachi worm follows in the path of Blaster and Autorooter, and other exploits of the RPC vulnerability are likely.

'We believe that this version of "Autorooter" is only the experimental one,' commented Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Labs, when Autorooter appeared. 'A more viable version is likely to appear and cause serious damage to the Internet.'

Kaspersky Labs strongly recommends that all users download the relevant Microsoft patch and block TCP ports 135, 139 and 445 using their firewalls.