First published: 19th August 2003
Every so often, someone suggests using a virus for a good purpose, such as killing other viruses or fixing security holes, but anti-virus developers never adopt this "brilliant" idea. W32/Welchia, which started spreading yesterday, demonstrates why not.
W32/Welchia, also known as W32/Nachi-A, is apparently designed to clean up the W32/Blaster worm that started spreading last week, and to install the fix for the vulnerability Blaster used to infect computers. Welchia searches for computers by sending ping packets and then uses the same vulnerability as Blaster to try to infect the target. Once installed, it checks the version of the operating system and downloads and installs an appropriate patch from Microsoft. It even cleans itself up: if the date is 1 January 2004 or later, it deletes itself.
This all sounds harmless enough, but Welchia is currently causing more disruption at many sites than Blaster did. Allan Dyer, Chief Consultant for Yui Kee Computing Ltd. commented, "The 'cure' is worse than the disease. We do not need mysterious, unknown, unqualified people attempting to usurp legitimate systems administrators." The problems are:
- Thousands of infected machines are all searching for more victims using ping packets, causing network congestion and even Denial of Service conditions at some sites.
- To complete the installation of the patch, the worm reboots the machine, causing an unexpected service interruption.
- Although the worm appears benign, it has come from an untrusted source and may contain a hidden backdoor.
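The first problem above has a recognisable network signature: one host sending ICMP echo requests to many distinct addresses within a short time. The following check, added here as an example and not taken from the original article, flags such sources in a log; the log format, window, threshold and sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of firewall-style log lines (not from the original article):
# "<epoch> <src_ip> -> <dst_ip> ICMP echo-request"
SAMPLE_LOG = """\
1061280000 10.0.0.5 -> 10.0.1.1 ICMP echo-request
1061280000 10.0.0.5 -> 10.0.1.2 ICMP echo-request
1061280001 10.0.0.5 -> 10.0.1.3 ICMP echo-request
1061280001 10.0.0.5 -> 10.0.1.4 ICMP echo-request
1061280002 10.0.0.5 -> 10.0.1.5 ICMP echo-request
1061280002 10.0.0.5 -> 10.0.1.6 ICMP echo-request
1061280003 10.0.0.9 -> 10.0.1.1 ICMP echo-request
1061280004 10.0.0.9 -> 10.0.1.1 ICMP echo-request
1061280005 10.0.0.9 -> 10.0.1.2 ICMP echo-request
1061280006 10.0.0.7 -> 10.0.1.20 TCP 135
"""

# Only ICMP echo requests are of interest; other lines are skipped.
LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+) ICMP echo-request$")


def find_ping_sweepers(log_text, window_seconds=10, min_targets=5):
    """Return {src: distinct_target_count} for every source that pings at
    least min_targets distinct hosts inside some window_seconds interval.
    Repeated pings to the same host do not count; a sweep is many targets."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore non-ICMP or malformed lines
        ts, src, dst = int(m.group(1)), m.group(2), m.group(3)
        events[src].append((ts, dst))

    sweepers = {}
    for src, hits in events.items():
        hits.sort()  # sliding window over time-ordered events
        best = 0
        for i, (t0, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - t0 <= window_seconds}
            best = max(best, len(targets))
        if best >= min_targets:
            sweepers[src] = best
    return sweepers
```

The thresholds are deliberately conservative so that a monitoring host pinging a handful of servers is not reported; tune them to the size of the local network.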
Dyer said, "There have been several previous viruses that attempted something similar, but I think this has spread the most and caused more disruption."
Anti-virus and information security professionals have known about the dangers of using a virus to install patches for a long time. In August 2000 the well-known cryptographer Bruce Schneier said, "Viruses, by their very nature, spread in a chaotic and unchecked manner; good system administration is anything but."
Dyer gave his opinion, "The owner of a computer system should be responsible for making sure it runs properly and, if that computer is connected to the Internet, they should make sure it does not cause disruption for other users. Companies will probably delegate that responsibility to their Systems Administrators, home users might get assistance from their software vendor but we do not need vigilante viruses usurping that responsibility."
For further information, please contact
Hong Kong:
Yui Kee Co. Ltd.
Mr. Allan Dyer, Technical Director
Tel: +852 28708555
Fax: +852 28736164
or visit the Yui Kee web site at http://www.yuikee.com.hk/