Security News

Nachi rises from the dead to undo damage caused by MyDoom

February 14, 2004

A new variant of the Nachi worm is spreading across the Internet with the aim of patching PCs that are vulnerable to MyDoom. Nachi B, also known as Welchi, copies itself onto systems using the same flaw as MyDoom, as a file named 'Svchost.exe', and then attempts to remove MyDoom from the system and download patches to fix the security hole.

MyDoom A recently launched a successful denial-of-service attack against the Web site of SCO Group Inc. of Lindon, Utah, beginning February 1. MyDoom B continued the assault against SCO and also launched an attack against the Microsoft Web site. The second variant has not gained much traction, however, and has so far had little effect on either site. Both variants are apparently programmed to cease attacks on February 12.

Viruses that deal with viruses are nothing new. In the mid-1990s a boot sector virus called Chinese Fish attempted something similar by removing a virus called Stoned.

"This worm's author may think he is a modern-day Robin Hood, but there is no such thing as a good virus," said Graham Cluley, senior technology consultant at Sophos. "Nachi-B infects innocent computers without their owner's permission, steals network bandwidth, CPU time and hard disk space, and makes changes to the computer's setup and data. A worm can easily get out of control and cause unexpected conflicts. It is vital that computer users patch the holes in Microsoft software and ensure their anti-virus is fully updated."

Nachi itself is not so harmless, however. It opens TCP port 707, leaving machines vulnerable to further exploits and, curiously, attempts to overwrite some files on the infected machines with an HTML file containing references to the dropping of atomic bombs on Japan in World War II:

LET HISTORY TELL FUTURE ! 
1931.9.18
1937.7.7
1937.12.13 300,000 ! 

1941.12.7
1945.8.6 Little boy
1945.8.9 Fatso 

1945.8.15 

Let history tell future !

Nachi B is not expected to be a serious threat, because most systems have by now patched the RPC vulnerability that the virus uses to spread.

Meanwhile, the MyDoom epidemic is subsiding. Programmed to stop spreading on February 12, MyDoom A infected between about 400,000 and one million PCs, according to Internet security agencies. On Tuesday, February 10, however, only 67,000 IP addresses were actively scanning to and from port 3127, the back door left open by MyDoom A.
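The two ports named above, TCP 707 opened by Nachi and TCP 3127 left open by MyDoom A, can be checked for in a host's connection table. The following is an added example, not part of the original article: it parses Windows `netstat -an` output, and the sample text, addresses and the function name `find_worm_ports` are constructed for illustration.

```python
import re

# Ports named in the article: 707 (opened by Nachi) and 3127 (MyDoom A back door).
WORM_PORTS = {707: "Nachi", 3127: "MyDoom A back door"}

# Constructed sample of Windows `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:707            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:3127        198.51.100.7:4021      ESTABLISHED
  TCP    192.0.2.10:1045        203.0.113.5:80         ESTABLISHED
  TCP    192.0.2.10:1046        203.0.113.9:3127       SYN_SENT
  UDP    0.0.0.0:707            *:*
"""

# One TCP row: local address:port, foreign address:port, connection state.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def find_worm_ports(netstat_text):
    """Return (kind, port, label, peer) findings for TCP rows touching WORM_PORTS."""
    findings = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, blank lines and UDP rows (no state column)
        _local, lport, raddr, rport, state = m.groups()
        lport, rport = int(lport), int(rport)
        if lport in WORM_PORTS:
            # Local listener or inbound session on an indicator port.
            kind = "listening" if state == "LISTENING" else "inbound"
            peer = None if state == "LISTENING" else raddr
            findings.append((kind, lport, WORM_PORTS[lport], peer))
        elif rport in WORM_PORTS:
            # This host is connecting out to an indicator port (possible scanning).
            findings.append(("outbound", rport, WORM_PORTS[rport], raddr))
    return findings

if __name__ == "__main__":
    for finding in find_worm_ports(SAMPLE_NETSTAT):
        print(finding)
```

A hit is a lead for investigation rather than proof of infection, since other software can use the same port numbers.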

© 2006 PC Flank Ltd. All rights reserved.