Worm claims Sussex Police computers

The Sussex Police force's IT system has been brought to its knees by W32/Nachi - the 'good' worm that was supposed to eradicate MSBlast

The Sussex Police force has been hit by a worm that has knocked out its office computers and forced workers to switch to back-up systems. Emergency calls are not being affected.

The organisation confirmed to ZDNet UK that it has been hit by the W32/Nachi worm, which is a variant of the MSBlast worm that started spreading around the globe early last week.

Nachi was dubbed the 'good' worm because it seeks out PCs that are vulnerable to the MSBlast worm and then downloads the appropriate patch from Microsoft's Web site to fix them. Additionally, it will delete itself from an infected machine the first time it is booted up in 2004.

However, the worm is not a good idea, said Joe Hartmann, North American director for antivirus research at security software firm Trend Micro. "This is just a regular worm like anything else," he said. "In the end, it is going to do more trouble than good." The problem is that although Nachi has good intentions, it sends a great deal of unwanted traffic over a network as it tries to spread to other computers. In addition, if several computers download the patch from Microsoft at the same time, it could slow network performance, Hartmann said.

A spokeswoman for Sussex Police told ZDNet UK that computers used for administrative and general office work have been worst hit. "Our control rooms are running either using normal or established back-up methods, which they switch to during maintenance work. Our engineers are working to eliminate it," she said.

Computer administrators have had a tough fortnight because the Nachi worm was released a few days after the MSBlast worm and around the same time as the latest variant of the Sobig email virus.

Although occurrences of Nachi and MSBlast have started dying down, Sobig.f is still causing problems. Email security firm MessageLabs last week found that one in every 17 emails going through its systems contained Sobig.f. By comparison, a 'regular' virus manages to infect one in 275 emails, and a relatively prevalent virus, such as Klez.H, managed to infect one in 138 emails.

The Sobig.f virus is activated when a user clicks on an infected email attachment. Once released, Sobig.f grabs email addresses from different locations on a computer and sends them infected emails. The virus also forges the source of the message using a randomly selected email address, so that the infected message appears to come from someone else.