February 12, 2004 2:15 PM PST

Nachi variant sends a political message

Related Stories

Feds nab second suspect in worm attacks

September 26, 2003

'Good' worm, new bug mean double trouble

August 19, 2003
A new variant of the Nachi worm has emerged that is apparently sending a political message to computers running Japanese versions of Windows.

Nachi.B, discovered Wednesday, has attacked only a small number of computers so far and is less troublesome than its predecessor. But unlike the earlier Nachi worm, which took down computer networks, this version seems politically motivated, security experts said Thursday.


Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.


The worm places an HTML document titled, "Let History Tell Future," on computers' Windows System Directory. The document contains various key dates from World War II involving Japan and China, for instance, when Japan invaded Manchuria.

"The dates appear to coincide with when Japan engaged in some kind of aggression against China," said Joe Telafici, a director of operations at Network Associates. "The first Nachi was a misguided attempt to identify the MSBlast Worm and clean it up. This one seems to be an attempt to get revenge in some way on Japan. We suspect it was written by someone in China or a Chinese national."

Although the virus will uninstall itself June 1, it will remain on computers that run Japanese versions of Windows.

The worm, which seeks an Internet connection via the Google, Intel and Microsoft sites, is expected to try to exploit four Microsoft vulnerabilities, two of which attack Microsoft's WebDav and Workstation service.

Nachi.B also tries to remove the MyDoom A and B variants from computers. The previous version of Nachi attempted to find and patch the MSBlast worm, but its aggressive scanning for systems disrupted corporate networks.

Because a number of companies installed patches for the original Nachi, the damage from this latest worm is less widespread, said Dee Liebenstein, a group product manager for Symantec Security Response. She said Symantec has received 20 cases involving the worm.

Network Associates has encountered fewer than 100 cases, Telafici said.

 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.