Anti-Blaster worm spreads - and patches

A new worm is spreading across the world and trying to patch the vulnerability that allowed the Blaster worm to spread last week.

The worm, known as Nachi or Welchi, spreads using the same vulnerability in Microsoft operating systems that Blaster exploited.

It also seeks to infect Microsoft Internet Information Server 5.0 using a WebDAV vulnerability found in March 2003.

After infecting a machine the worm seeks out and destroys any copies of the Blaster worm.

It then downloads and installs the Microsoft patch for the vulnerability, and automatically deletes itself on 1 January 2004.

But antivirus companies have warned that the code is not perfect and may cause problems of its own.

"We seem to have an antivirus-virus here", said Mikko Hypponen, director of antivirus research at F-Secure.

"We've seen similar things before, but not to the extent of actually applying Microsoft's own patches to the system."

The virus is thought to have originated in the Far East and was first detected last night. It seems to be spreading slowly due to the amount of patching that has gone on in the last few weeks.

"[Nachi] infections are there but nothing like last Monday," said Jack Clark, product-marketing manager for McAfee.

"I'd still be very concerned if I got it; I wouldn't trust a virus author to fix my PC.

"There may be compatibility problems that crash your system. These virus writers aren't known for their altruism or technical skill."

Users can get rid of the worm by resetting their clock to 2004 and rebooting, which will cause the virus to self-destruct.