 |
Welchia worm tries to patch a hole used by Blaster worm
August 19, 2003
A new computer worm is spreading worldwide through a security hole in Windows -- also used by infamous Blaster worm -- but then trying to block the vulnerability instead of crashing the system like Blaster does.
The new worm, dubbed "Welchia" or "Nachi," is similar to Blaster (also known as Lovesan), but it purports to patch the hole Blaster exploited to enter into computers in the first place and tries to clean up after Blaster if the computer is infected with it.
The "good" worm also exploits a vulnerability in a core component of Windows which enables authorized users to remotely add and manage content on a web server.
If "Welchia" infects a system which has already been compromised by Blaster, it terminates and deletes the worm and then applies the Microsoft patch to prevent other threats from infecting the system through the same hole.
Blaster has infected more than 600,000 Windows XP and Windows 2000 machines since it unleashed last week.
The Windows vulnerability it exploits affects computers running Windows XP, 2000, NT and Server 2003.
Welchia, which is programmed to terminate itself in 2004, is spreading widely in Asia, particularly in Japan.
The worm is creating more network traffic, and thus a slowdown, for many corporate networks as it scans for other vulnerable machines to spread to and because it instructs numerous computers in a network to try to download the patch simultaneously.
In the meantime, experts warned about an e-mail hoax that was rapidly spreading, claiming to be a patch from Microsoft for the security hole Blaster exploits.
But actually, the e-mail includes a Trojan horse that installs itself on the computer as a back door enabling a hacker remote access to the system. Microsoft confirms it never distributes patches via e-mail.
|
 |