Robin Hood virus on the loose

A new variant of the Nachi worm is patching PCs that are vulnerable to MyDoom.A.

A new variant of the Nachi worm is patching PCs that are vulnerable to MyDoom.A. Nachi B, also known as Welchi, copies itself onto systems using the same flaw as MyDoom.A, as a file named ‘Svchost.exe’.

It then attempts to delete MyDoom and downloads patches to fix the security hole.
Carole Theriault, security consultant at Sophos, said: “It’s an interesting case – some kind of Robin Hood virus. Read more at VNUnet.