I'm not sure there's much social engineering involved.. I'm pretty certain this is somebody trying to be a "white hat" but there's a couple of major flaws in this anti-worm..


Firstly, 1st January 2004 is waaaay too long. It would pick up most of the infected PCs if allowed to run for a couple of days. This appears to be a much more effective infector than MSBlast.

Secondly, the rate of infection is very high, and the scanning rate is very hight too. Because of the high level of effectiveness, this is causing a large number of infected hosts scanning very quickly. Indeed, on the first day, I'm getting twice as much firewall activity from Nachi as I am from MSBlast.

Those of you with long memories will remember the first Internet Worm back in 1988. Because you can never test something like this in the wild, it's difficult to know how to "throttle" the spread of the worm. Back in '88, the worm spread much more quickly and agressively than anticipates, and I'm afraid that with the infection rate of *this* worm, we may end up with something out of control. If it was just for a couple of days it wouldn't be so bad, but we're looking at a time period of four-and-a-half months of endless repetitive pinging.

In other words.. I think the anti-worm is a little buggy. A slower spread rate and shorter infection period would be nice. As to whether this is a *good* thing or not is hard to say. It'll clean up MSBlast pretty quickly. The damage it will do on the way is something I guess we'll find out.