Infect me, please!

In the real world, there are some viruses that kill you but there are a lot more that don’t. In fact most viruses don’t bother you at all, which is good since there are so many of them. In the digital world we are told that all viruses are deadly and will kill your computer. But this might no longer be true.

Sophos virus experts have warned computer users of a new variant of the Nachi worm (W32/Nachi-B) that attempts to remove infections of W32/MyDoom-A and W32/MyDoom-B, and download Microsoft security patches to unprotected computers. Symantec calls this worm W32.Welchia.B instead. Each antivirus company always names viruses independently of the others; it’s just that when the media picks up on it, the sexiest name will be chosen. Well, the media should have picked up on this one, despite neither name being sexy.

According to Sophos, the Nachi worm takes advantage of the same critical security hole in Microsoft Windows, which was exploited by the Blaster worm, then searches for unpatched computers. Once located, it infects the computer without asking the user's permission and hunts for traces of the MyDoom worms. If a MyDoom infection is found, the Nachi-B worm attempts to remove it and download patches to fix the Microsoft vulnerability.

Excuse me? This virus tries to protect my computer from other known-to-be-nasty viruses? Bring it on! How do I get infected? Is this something like catching cowpox so you can’t get smallpox? Why isn’t the author of this virus being paraded through the streets and showered with ticker tape and confetti? Well, you see it is a virus, and we can’t have good viruses going around putting antivirus companies out of business.

"This worm's author may think he is a modern-day Robin Hood, but there is no such thing as a good virus," said Graham Cluley, senior technology consultant at Sophos. "Nachi-B infects innocent computers without permission, steals network bandwidth, CPU time and hard disk space, and makes changes to the computer's setup and data. A worm can easily get out of control and cause unexpected conflicts. It is vital that computer users patch the holes in Microsoft software and ensure their antivirus is fully updated."

Yeah, OK, and don’t stand around in those wet clothes or you’ll catch your death of cold. Does anyone know someone who actually died by ignoring that advice? What is the worst downside to this Nachi (or Welchia) worm? Your computer will no longer be vulnerable to MyDoom and Blaster infections. This seemingly benign worm also deletes itself from your system after June 2004. The only possible reason to get paranoid about this little germ is that the unknown author might not be the world’s best programmer and perhaps there could be side effects.

But then, cowpox gives you side effects too, but they are less final than the side effects of smallpox. Whoever this dude is, we should be trying to locate him and offer him some gainful employment. Or her. The only clues to the identity of the author come from the text of a file that is left behind by the worm. According to Sophos, “the Nachi-B worm attempts to overwrite some files with an HTML file containing references to the dropping of atomic bombs on Japan in World War II.”

However, that misrepresents things quite a bit, and implies that the author is some sort of anti-nuke campaigner. In fact, the text file contains a string of dates, which relate to milestones in Japanese militarism from 1931 until the end of WW2 in 1945. The first date is that of the infamous Manchurian incident which saw a Japanese railway bombed, allegedly by Chinese terrorists, which was used as a pretext for Japan to annex Manchuria. The next date marks the invasion of China by Japan in 1937, pre-dating Germany’s occupation of Poland by two years.

Following on with this theme, the third date marks a particularly gruesome battle in the Sino-Japanese war in which it is claimed that the Japanese massacred some 300,000 Chinese prisoners. Only after this event do the dates refer to WW2, with one marking Pearl Harbour, another two dates marking the A-bombs dropped on Japan and the final date being the Japanese surrender in 1945. The dates are preceded by the less-than-grammatical statement “let history tell future”.

Now I’m no psychoanalyst so I can’t begin to offer an explanation, but I am sure there are many learned professors who could figure out this simple message in an instant. So why isn’t anybody making the effort? Here we have a virus writer with some sort of social conscience, although we don’t know in which direction they are leaning, setting loose this worm to protect those who aren’t smart enough to download their own patches. Is this guy finished with worm-writing or will there be more viruses unleashed to inoculate us against the deadly ones? Does anyone except the antivirus vendors need to be afraid?
