It had to happen. W32/Nachi.worm is the clever people finally telling the twits to wise up or find a more secure OS. Perhaps it’s the evil people highlighting how stoopid the DSL/Windows users are.
Either way, this is a bit of an odd tale!
At first examination, Nachi.worm has all the classic hallmarks of a windoze worm: it modifies registry keys. It copies itself somewhere into the Windows directory tree (C:\WINNT\SYSTEM32\WINS\DLLHOST.EXE). It runs at boot time and terminates certain programs with extreme prejudice. Generally a nasty piece of work, no?
Well, actually, possibly not. When it runs, Nachi looks for and blows away the Lovesan worm (the MSBLAST problem). It then proceeds to try to download and install the relevant patches direct from Microsoft. The worm removes itself on Jan 1 2004.
TurboTas can only assume that the forces of good have decided that if you can’t beat it into the thick skulls of all the windoze broadband users that can’t update their machines, then best do the flipping job for them.
Perversely, but quite properly, the AV vendors have released sigs for Nachi, so it really will only affect the plebs who have no security at all.
TurboTas can’t help thinking that fixing it for them is awful: An option would be to hardwire all browsers to the Microsoft update site or perhaps to just change the background bitmap to a bomb. Lock the machine until a PayPal payment is made? The list goes on. The bugs go on.
source: Network Associates