'Good' PC Worm Tries to Make Bad One Squirm

‘Good’ PC Worm Tries to Make Bad One Squirm

By Joseph Menn

Aug. 19, 2003 12 AM PT

Times Staff Writer

Call it the Battle of the Internet Worms.

As the Blaster worm on Monday began its second week infecting computers, a variant emerged that exploits the same software vulnerability to invade PCs running Microsoft Corp.’s Windows operating system.

But instead of causing mischief, the new worm tries to disinfect machines carrying Blaster and then plug the hole that let both worms through.

In a final act of selflessness, the worm is programmed to delete itself Jan. 1.

The author of the vigilante worm -- known by various names, including Nachi -- is anonymous.

“There’s a little bit of good Samaritan in them,” said virus researcher Craig Schmugar of Network Associates Inc., one of several virus-fighting companies that warned of the noble worm after its discovery early Monday.

Those warnings were issued because any worm, no matter how well intentioned, spreads without authorization into private networks. And Nachi can harm some machines.

A company in Japan, where Nachi was spreading quickly, reported that its network crashed when many of its personal computers got the fix-it worm and tried to download Microsoft’s Blaster patch simultaneously.

Nachi works only on machines running English, Chinese and Korean versions of Windows. And it tries to download patches only for Windows 2000 and Windows XP, said Joe Hartmann, director of North American anti-virus research at Trend Micro Inc.

Finally, Windows 2000 computers can utilize the patch only if an earlier update has been installed. The worm doesn’t seem to know that, Hartmann said.

“It wanted to be a good worm” but fell short, he said.

Although Blaster’s spread is slowing, it still is moving faster than Nachi and less good-natured variants, including one that installs a “back door” for future access by hackers.

All take advantage of a security hole discovered a month ago and publicized by Microsoft.

The malicious worms, designed to spread automatically, can trigger constant rebooting, giving users little time to fix infected machines. Blaster was designed to launch a coordinated attack on a Microsoft Web site, but it failed to disrupt much of the Internet because Microsoft disabled the target page.

As with earlier “good” worms that sought to stop Code Red and other Internet infections, Nachi may spur debate about whether an automatic inoculation is the best answer for the failure of many computer users to install fixes when new problems are discovered.

But security experts said the risks of such efforts were still too great. “There could be unwanted side effects,” Schmugar said.

Microsoft has been under fire for security lapses, but spokesman Sean Sundwall said it had nothing to do with Nachi.