Worm turns on Japanese Windows

A new variant of the Nachi worm has emerged that is apparently sending a political message to computers running Japanese versions of Windows.

Nachi.B, discovered on Wednesday, has attacked only a small number of computers so far and is less troublesome than its predecessor. But unlike the earlier Nachi worm, which took down computer networks, this version seems politically motivated, security experts said on Thursday.

The worm places an HTML document titled, Let History Tell Future, on computers' Windows System Directory. The document contains various key dates from World War II involving Japan and China, for instance, when Japan invaded Manchuria.

"The dates appear to coincide with when Japan engaged in some kind of aggression against China," said Joe Telafici, a director of operations at Network Associates. "The first Nachi was a misguided attempt to identify the MSBlast Worm and clean it up. This one seems to be an attempt to get revenge in some way on Japan. We suspect it was written by someone in China or a Chinese national."

Although the virus will uninstall itself on 1 June, it will remain on computers that run Japanese versions of Windows.

The worm, which seeks an Internet connection via the Google, Intel and Microsoft sites, is expected to try to exploit four Microsoft vulnerabilities, two of which attack Microsoft's WebDav and Workstation service.

Nachi.B also tries to remove the MyDoom A and B variants from computers. The previous version of Nachi attempted to find and patch the MSBlast worm, but its aggressive scanning for systems disrupted corporate networks.

Because a number of companies installed patches for the original Nachi, the damage from this latest worm is less widespread, said Dee Liebenstein, a group product manager for Symantec Security Response. She said Symantec has received 20 cases involving the worm.

Network Associates has encountered fewer than 100 cases, Telafici said.