Newest Blaster Variant Plugs Hole

Microsoft Windows users infected last week by the W32.Blaster worm might appreciate the attention of a new version of that worm that cleans corrupted systems, then installs a software patch to prevent future infections.

The worm, variously referred to as Worm_MSBLAST.D and Nachi, appeared Monday and spreads by exploiting the same Windows security hole as the original Blaster worm, according to advisories published by leading antivirus companies.

Antivirus companies disagree on whether the new worm is a version of the original Blaster or a new worm type. Some, like Trend Micro, consider it a Blaster variant. Trend Micro has named it Worm_MSBLAST.D. Others declare the worm a new type, named W32.Nachi-A.

One thing is certain: unlike the original Blaster worm, Blaster-D/Nachi is more concerned with fixing systems than exploiting their weaknesses.

Good Worm, Bad Worm

After infecting vulnerable Windows 2000 or Window XP machines, the new worm searches for and removes the Blaster worm file, Msblast.exe, and attempts to download and install a Windows software patch from Microsoft that closes the security hole used by the worm, according to antivirus companies.

The new worm hides behind a different file name from the Blaster worm, Dllhost.exe, which allows it to bypass antivirus software configured to detect and stop Blaster, according to Ian Hameroff, security strategist at Computer Associates International.

While they disagree about the new worm's name, antivirus companies speak as one in telling users to remove Blaster-D/Nachi.

"Anything that does something without the end user's approval or even knowledge is not good," Hameroff says. "It's like having a seasoned criminal break into your house and then, if he succeeds, install an alarm system."

Blaster-D/Nachi doesn't distinguish between infected and healthy systems, either. Instead, the worm spreads like Blaster by identifying unpatched Windows 2000 and XP systems, then infecting them, according to Hameroff.

Traffic from infected systems can also clog up computer networks and create denial-of-service problems if many infected computers attempt to download the Microsoft Windows patch at the same time, according to David Perry, global director of education at Trend Micro.

Not a Fix

For patched systems and machines that were not infected by Blaster, Blaster-D/Nachi is programmed to remove itself after a set amount of time passes, Hameroff says.

CA is still analyzing the new worm and cannot provide details or say how long Nachi will stay on systems before removing itself, he says.

There is no evidence that the worm installs Trojan horse programs or other kinds of snooping "spyware" on infected systems, Perry says.

Computer Associates rates Blaster-D/Nachi a "medium" threat, indicating only a few reports from CA's customers. However, Trend Micro says the new worm is a spreading rapidly in China and South Korea, prompting a "red alert" from that company to its customers in Asia.

While the worm may ultimately benefit the Internet community by patching some of the loosely managed computer systems that are breeding grounds for viruses, organizations and individuals should not rely on Blaster-D/Nachi to take care of their patching problem, security experts agree.

Do-gooder worms are no substitute for timely and responsible patching by system administrators, experts say.

"It's not the same as having the end user apply the appropriate patches as they're going along," Hameroff says. "This (worm) isn't the ointment you apply to rid yourself of your wounds."