MSBlaster worked only against unpatched Windows computers. Microsoft and several
other Internet security agencies broadcast several alerts warning Windows users
to patch their machines. Unfortunately, the masses either didn't get the warnings
or ignored them. When the MSBlaster worm was released, it successfully infected
hundreds of thousands of machines. Even if your network was fully patched, MSBlaster
could cause slowdown problems because of the many exploited computers.
Some honeypot administrators wrote a service script (which Listing A shows)
that when connected to, connected back to the originating host, killed the MSBlaster
worm process, cleaned a malicious registry entry (by using a created-on-the-fly
registry edit file), and rebooted the machine. Offensive scripts can have mixed
results when run against unauthorized computers and networks. You'd think that
removing a worm would always be a good thing, but worm cleaners have a way of
causing as many problems as or more problems than the disease.
For example, a kind-hearted soul created a worm called Welchia that did nearly
the same thing as the script in Listing A. Welchia connected to vulnerable hosts,
removed the MSBlaster worm, and downloaded the Microsoft patch needed to close
the vulnerability. Although the MSBlaster worm was only a problem for a few
days, the Welchia worm inadvertently brought down networks for weeks because
its scanning mechanism was even more aggressive than the original worm. Welchia
proved to be much worse than the worm it was designed to cure.