Sorry if that's old news for you: I read that in the paper today and was amazed at the initiative.

http://www.idg.com.hk/cw/readstory.asp?aid=20030820002

(And they don't mention, but the worm is programmed to eliminate itself in 2004.)

Blaster variant may cause DOS attacks

By Jaikumar Vijayan
Computerworld Online

The U.S. Department of Homeland Security (DHS) Monday released an advisory warning users that a variant of last week's Blaster worm, dubbed "nachi," "welchia" or "msblast.D," could cause denial-of-service (DOS) conditions within organizations.

The variant takes advantage of the same security weakness as the Blaster worm and only infects systems that haven't been properly patched. After infecting vulnerable Windows 2000 or Windows XP machines, the new worm then searches for and removes the Blaster worm file and attempts to download and install a patch from the Windowsupdate.com Web site to close the hole.

If the patch installation is successful, the worm then automatically reboots the systems and promptly begins looking for other machines on the network on which to copy itself.

The scanning process can flood networks with high volumes of Internet Control Message Protocol (ICMP) traffic causing "network congestion which can result in denial of service conditions," according to the DHS advisory. "This may be a symptom of the worm's propagation and not designed intentionally as a denial of service attack," the DHS note added.

But Russ Cooper, editor of NTBugTraq and an analyst at Herndon, Va.-based TruSecure Corp. said the denial-of-service conditions created by the so-called "do-gooder worm" could be deliberate.

"I'm surprised that the DHS would say this may be a symptom of the worm's propagation and not designed as a DDOS (distributed denial-of-service attack)," he said. "Whether it was intentional or otherwise, this is malware, which is having very harmful effects."

Because the worm is programmed to scan internal (Class B) networks, it could seriously degrade performance on enterprise networks, Cooper added. The automatic patching of vulnerable systems that the worm is programmed to do can also cause systems to crash in many cases, he said.

"There is no such thing as a good worm," Cooper said. "It is impossible to control the effects of something which arbitrarily attacks other systems via a security vulnerability."

According to the DHS advisory, it's still unclear what other actions the variant is programmed to take on infected machines. "There may be other malicious aspects of this worm such as the installation of back doors that allow intruders to access or control infected machines," which are still unknown, the note said.

Organizations need to ensure that all systems are properly patched against the Windows remote procedure call (RPC) vulnerability that Blaster took advantage of, the DHS said. It's also important to block MS-RPC ports where possible and monitor networks for unusual levels of ICMP traffic and traffic for Port 707, which the worm reportedly uses, the note added.
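
The monitoring advice at the end of the article, as an added example that is not part of the original post or the DHS advisory: a Python sketch that flags internal hosts sending ICMP to many distinct addresses within a short window, or sending any traffic to port 707. The flow-record format, the thresholds and the sample addresses are constructed assumptions.

```python
from collections import defaultdict

def detect(lines, window=60, fanout=25, watch_port=707):
    """Return {src: set(reasons)} for hosts matching either indicator.

    Each record is "epoch_seconds src dst proto dport" (assumed format;
    ICMP records carry dport 0). Thresholds are illustrative defaults.
    """
    icmp = defaultdict(list)            # src -> [(ts, dst)]
    alerts = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 5:             # skip blank or malformed records
            continue
        ts, src, dst, proto, dport = parts
        if proto.lower() == "icmp":
            icmp[src].append((int(ts), dst))
        elif int(dport) == watch_port:
            alerts[src].add(f"port-{watch_port}")
    for src, events in icmp.items():
        events.sort()
        start, inside = 0, defaultdict(int)   # dst -> hits inside the window
        for ts, dst in events:
            inside[dst] += 1
            while events[start][0] <= ts - window:   # expire old events
                old = events[start][1]
                inside[old] -= 1
                if inside[old] == 0:
                    del inside[old]
                start += 1
            if len(inside) >= fanout:   # many distinct targets at once
                alerts[src].add("icmp-sweep")
                break
    return dict(alerts)

# Constructed sample: one host sweeping 40 addresses in 40 seconds and
# touching port 707, one monitoring host pinging 3 addresses, one web client.
SAMPLE = (
    [f"{1000 + i} 10.1.4.20 10.1.0.{i + 1} icmp 0" for i in range(40)]
    + ["1041 10.1.4.20 10.1.0.7 tcp 707"]
    + [f"{1000 + 300 * i} 10.1.9.5 10.1.0.{i + 1} icmp 0" for i in range(3)]
    + ["1050 10.1.9.8 10.1.0.9 tcp 443"]
)

if __name__ == "__main__":
    for host, reasons in detect(SAMPLE).items():
        print(host, sorted(reasons))
```

Counting distinct destinations per source, rather than raw ICMP volume, keeps ordinary monitoring pings to a few fixed targets from triggering the sweep alert.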