Good worm claims to fight Blaster
LONDON, England -- A new worm is taking an unusual turn by trying to repair computers infected by the Blaster worm and patch the weakness that it utilizes.
The so-called "good worm," known as "Nachi" or "Welchia," is entering computers worldwide through the same security hole that Blaster used in the Windows operating system.
This time the worm attempts to install Microsoft Windows updates to patch up the security hole used by last week's deadly worm, as well as clean up if the computer is infected with Blaster.
Even though the latest worm may have good intentions, experts are questioning whether it is likely to spell more trouble for the world's computers.
"Spreading 'good worms' is a very bad idea," Jimmy Kuo, research fellow at anti-virus vendor Network Associates Inc., told Reuters.
"You would rather not have somebody rebooting your machine in the middle of what you are doing, regardless of their intentions," he added.
The Welchia worm is rated a threat level of "medium" by Network Associates.
The initial Blaster worm attack, also called LoveSan or MSBlaster, infected hundreds of thousands of office and home computers around the globe, but only those that run on Windows XP, 2000, NT and Server 2003.
It has now led companies to look more closely at their security precautions, even though experts have been aware of the Windows security hole Blaster exploits since mid-July.
The new "good" worm checks for other vulnerable machines to spread to, slowing down networks and putting pressure on tech resources.
Welchia is already spreading in Asia and is only programmed to remove itself from people's systems by 2004.
There are also unconfirmed reports that it may try to attack computers through a different Windows vulnerability, experts told Reuters.
Stuart Okin, chief security strategist for Microsoft UK, said last week that a patch for the initial Blaster attack can still be downloaded to stop the worm.
It was developed in time and many customers used it. Some had their anti-virus software updated automatically.
But many thousands of other customers did not know of the danger or how to stop it until it was too late.
"You do your best to get the communication out there and wave the flag," said Okin.
He said 40 million users had downloaded the patch over the last two weeks and urged others to do the same via the updates site -- the same one the hackers want to bring down.
The FBI is investigating the source of the worm, but the culprit is not known.
According to security firm TrendMicro, the worm's text includes the message: "I just want to say LOVE YOU SAN!! Billy Gates why do you make this possible? Stop making money and fix your software!!"