On Thursday, Nachi.B aka Welchia.B hit.
Nachi.A was the worm that spread through the DCOM RPC vulnerability, then tried to download and install the patch for it.

Now, the B-variant tries doing the same. Also, it tries to remove MyDoom.A and MyDoom.B, and even tries to undo some of the damage they do (it overwrites the hosts file with a blank one, for example). On top of that, it tries installing the MS03-043 patch.

Nice little virus, it seems. Until it starts spreading and clogging up networks, of course (remember Nachi.A).

There's another catch to the nasty/friendly little virus, though.


http://www.eweek.com/article2/0,4149,1526328,00.asp


At the same time, Nachi.B is making a political and educational point. If the machine has a Microsoft IIS (Internet Information Services) Web server and is configured for the Japanese code page, Nachi.B overwrites certain files with an HTML page containing the following text:

LET HISTORY TELL FUTURE !

1931.9.18
1937.7.7
1937.12.13 300,000 !

1941.12.7
1945.8.6 Little boy
1945.8.9 Fatso

1945.8.15
Let history tell future !

So what's all this about? The numbers aren't URLs. Rather, they are dates that relate to World War II. Security vendor iDEFENSE Inc. deciphered the page.

Here's the key:

September 18, 1931. Japan invaded Manchuria, renamed it Manchukuo.
July 7, 1937. The Japanese army attacked China in the "Marco Polo Bridge Incident."
December 13, 1937. The Battle of Nanjing ended as the Japanese took the city and commenced three months of atrocities.
December 7, 1941. The attack on Pearl Harbor.
August 6, 1945. The United States dropped the "Little boy" atomic bomb on Hiroshima.
August 9, 1945. The "Fat man" bomb struck Nagasaki.
August 15, 1945. Victory in Japan (VJ Day) riot in San Francisco while the city was celebrating.
August 15, 1945. South Korea liberated from Japanese rule.

Is this the new weapon of hacktivists? Spreading political messages through "friendly" virii?