SAN FRANCISCO (Reuters) – A new computer worm is spreading worldwide through a security hole in Windows that was also used by last week’s Blaster worm, but it then patches the hole instead of crashing the system as Blaster does, security experts said on Monday.
The new so-called good worm, dubbed “Welchia” or “Nachi,” is similar to Blaster, but it purports to patch the hole Blaster exploited to enter into computers in the first place and tries to clean up after Blaster if the computer is infected with it.
Despite the apparently good intentions of the new worm, spreading “good” worms is a very bad idea, said Jimmy Kuo, research fellow at anti-virus vendor Network Associates Inc.
“You would rather not have somebody rebooting your machine in the middle of what you are doing, regardless of their intentions,” he said.
Blaster, also dubbed MSBlaster or LoveSan, has infected more than 570,000 Windows XP and Windows 2000 computers since it surfaced last week, according to an estimate from anti-virus vendor Symantec Corp.
The Windows vulnerability it exploits, which experts have known about since at least mid-July, affects computers running Microsoft Corp.’s Windows XP, 2000, NT and Server 2003.
On English, Korean and Chinese versions of the Windows operating systems, Welchia downloads the patch to fix the computer. Welchia apparently does not do that on other versions of Windows, said Joe Hartmann, director of North American anti-virus research at Tokyo-based Trend Micro.
In some instances, Welchia tries to clean up after Blaster if the computer has been infected with that worm. Then Welchia spreads to other systems that have the vulnerability, said Kuo.
Welchia, which is programmed to delete itself in 2004, is spreading widely in Asia, particularly in Japan, according to Hartmann.
The worm is creating more network traffic, and thus a slowdown, for many corporations as it checks for other vulnerable computers to spread to and because it instructs numerous computers in a network to try to download the patch simultaneously, they said.
Network Associates rated the threat level of the new worm as “medium.”
There are also unconfirmed reports that it may try to attack computers through a different Windows vulnerability, the experts said.
Meanwhile, experts warned about an e-mail hoax that was circulating, purporting to be a patch from Microsoft for the security hole Blaster exploits.
Instead, the e-mail contains a Trojan application that installs itself on the computer as a back door, giving an attacker remote access to the system. Microsoft says it never distributes patches via e-mail.
The Blaster worm crashed computers, spread to others and instructed them to launch an attack on one of Microsoft’s patch download Web sites on Saturday. However, Microsoft was able to thwart the attack by eliminating the targeted Web page.
A survey of more than 1,000 organizations released by computer security provider TruSecure Corp. estimates that more than 20 percent of corporations worldwide were infected by Blaster, with laptops being the number one infection source.
The median cost for cleanup ranged from $6,500 for infections of moderate impact to $55,000 for major-impact infections, the survey found.