February 12, 2004 2:15 PM PST
Nachi variant sends a political message
Nachi.B, discovered Wednesday, has attacked only a small number of computers so far and is less troublesome than its predecessor. But unlike the earlier Nachi worm, which took down computer networks, this version seems politically motivated, security experts said Thursday.
Get Up to Speed on...
Get the latest headlines and
company-specific news in our
expanded GUTS section.
"The dates appear to coincide with when Japan engaged in some kind of aggression against China," said Joe Telafici, a director of operations at Network Associates. "The first Nachi was a misguided attempt to identify the MSBlast Worm and clean it up. This one seems to be an attempt to get revenge in some way on Japan. We suspect it was written by someone in China or a Chinese national."
Although the virus will uninstall itself June 1, it will remain on computers that run Japanese versions of Windows.
The worm, which seeks an Internet connection via the Google, Intel and Microsoft sites, is expected to try to exploit four Microsoft vulnerabilities, two of which attack Microsoft's WebDav and Workstation service.
Nachi.B also tries to remove the MyDoom A and B variants from computers. The previous version of Nachi attempted to find and patch the MSBlast worm, but its aggressive scanning for systems disrupted corporate networks.
Because a number of companies installed patches for the original Nachi, the damage from this latest worm is less widespread, said Dee Liebenstein, a group product manager for Symantec Security Response. She said Symantec has received 20 cases involving the worm.
Network Associates has encountered fewer than 100 cases, Telafici said.