So, our network at work was down/glitchy today, due to an infestation of the Welchia/Nachi worm. During a sporadic period of actual Net access, I found this page at Symantec, describing the steps the worm takes when it infects a computer:
A summary, hopefully not infringing on too many Symantec copyrights –
· Copies itself to Dllhost.exe.
· Ends the process, Msblast, and deletes the msblast.exe file, which W32.Blaster.Worm drops.
· Selects a new IP address and sends a ping to find new valid addresses on the network.
· Checks the computer’s operating system version, Service Pack number, and System Locale. Attempts to connect to Microsoft’s Windows Update and download the appropriate DCOM RPC vulnerability patch.
· Checks the computer’s system date. If the year is 2004, the worm will disable and remove itself.
Now, correct me if I’m wrong, but if this worm enters your system and completely delivers its payload, you are left with:
-A computer that is now protected from the Blaster worm, where it may not have been before.
-A computer CLEANED of the Blaster worm, if it was infected.
-A computer updated to protect against Windows’ DCOM RPC vulnerability (sealing the door it probably came in by to other viruses, or additional copies of itself!)
-If it’s 2004, a computer free of the Welchia/Nachi worm itself!
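The address-discovery step in the summary above (the ping sweep) is also the part a network team can see in flow logs. The script below is an added example, not from the original post or from Symantec's write-up; it runs over constructed sample flow records and flags any source that sends echo requests to many distinct hosts inside a short window, the traffic pattern that was crippling the network.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ICMP_ECHO_REQUEST = 8  # ICMP type 8 = echo request ("ping")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def find_ping_sweepers(flows, window_seconds=10, min_targets=20):
    """Return {src_ip: peak distinct echo-request targets} for every source
    that pings at least min_targets distinct hosts within any window_seconds span.
    flows are (timestamp, src_ip, dst_ip, proto, icmp_type) tuples."""
    by_src = defaultdict(list)
    for ts, src, dst, proto, icmp_type in flows:
        if proto == "icmp" and icmp_type == ICMP_ECHO_REQUEST:
            by_src[src].append((parse_ts(ts), dst))
    window = timedelta(seconds=window_seconds)
    sweepers = {}
    for src, events in by_src.items():
        events.sort()  # chronological; sliding window starts at each event
        peak = 0
        for i, (start, _) in enumerate(events):
            targets = {dst for t, dst in events[i:] if t - start <= window}
            peak = max(peak, len(targets))
        if peak >= min_targets:
            sweepers[src] = peak
    return sweepers


# Constructed sample (not real captures): 10.1.2.15 sweeps 10.1.2.1-30 in 5 s,
# 10.1.2.40 pings its gateway three times, 10.1.2.41 sends one TCP flow.
SAMPLE_FLOWS = (
    [(f"2003-08-18 09:00:{i // 6:02d}", "10.1.2.15", f"10.1.2.{i + 1}", "icmp", 8)
     for i in range(30)]
    + [("2003-08-18 09:00:01", "10.1.2.40", "10.1.2.1", "icmp", 8),
       ("2003-08-18 09:00:04", "10.1.2.40", "10.1.2.1", "icmp", 8),
       ("2003-08-18 09:00:07", "10.1.2.40", "10.1.2.1", "icmp", 8),
       ("2003-08-18 09:00:02", "10.1.2.41", "10.1.2.50", "tcp", None)]
)

if __name__ == "__main__":
    for src, n in find_ping_sweepers(SAMPLE_FLOWS).items():
        print(f"{src}: pinged {n} distinct hosts inside 10 s, possible worm sweep")
```

The threshold and window are tuning knobs; a monitoring host or a DHCP server legitimately pings many addresses, so whitelist those before alerting.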
Now obviously, the “seek out other computers on the network and infect them” stage is an unwanted intrusion, and could cost companies valuable time, resources, and productivity. In fact it crippled email and Net access at my company for a large part of today. But how weird is it that all the worm’s intended effects seem to do is make vulnerable computers less vulnerable??? It’s like a big-hearted, yet radioactive 400-foot puppy, accidentally crushing downtown Tokyo while trying to protect its citizens.
Who would create and unleash a worm like this? A hacker with good intentions? A hacker feuding with the hacker who authored the Blaster worm? Someone at Microsoft, pushing their latest security updates out by force?