Nachi may be trying something good, but it still doesn't belong on your network

It was crazy last week as the Blaster worm circulated around the Internet infecting computers that didn’t have firewalls and hadn’t been patched recently. Then came an outbreak of a new variant of SoBig, a virus that (supposedly) ran its course months ago. As one friend said, “There’s madness afoot this month.” Perhaps nothing illustrates that more clearly than the emergence of what was apparently intended to be the first benevolent worm.

Last week, the security alerts were all atwitter about something called Nachi (aka Welchia). This worm infiltrates your network, searches for an unpatched Windows computer, then invades it. But instead of doing harm to the computer (at least so far as anyone can tell), it searches for the Blaster worm and if found, removes it. Then it contacts the Microsoft update site and downloads the patches for the version of Windows you’re running. When it’s done that, it hangs out, waiting until your computer says it’s 2004, at which time it shuts down and removes itself.

At first, it sounds pretty cool: Somebody designed a worm to defeat another worm. And that’s nice, as far as it goes. But it really goes beyond that. When Nachi has finished its work on one Windows machine, it starts looking for its next opportunity. Apparently, Nachi uses randomly chosen TCP ports between 666 and 766 to send out feelers to other machines on the network or elsewhere across the Internet. When it finds an unpatched Windows machine, the process starts again.

If only a couple of machines are sporting the Nachi worm, this is probably no big deal; you can remove the worm by setting the system date to 2004, at which point it will self-destruct. But if all the hype about Blaster and all of the hype by organizations ranging from Microsoft to the U.S. Department of Homeland Security haven’t persuaded you to patch your Windows machines, what are the odds that any are patched? Right, probably none. So Nachi will start spreading on your network, and in the course of the day, will fill your network with probes looking for unpatched Windows machines. It will dramatically affect your network performance, your servers, and any workstations that pick up the worm. Your enterprise could draw to a halt.

Fortunately, there are a few easy things you can do. First, if you don’t have a firewall on your network, get one. After it’s installed and running, find out who was responsible for not having one in the first place, and have that person fired or promoted to senior restroom attendant.

Second, if you still haven’t applied the Windows updates, do it immediately — there is simply no valid reason for dragging your feet. Then find the person responsible for delaying the updates, and have him or her report for duty as an assistant to the first person.

Finally, realize that there is an important reason for personal firewalls, even inside the enterprise. Your corporate firewall may keep out things from the world, but it does nothing about risks from within, and that’s what Nachi will become if it gets a foothold in your network. The personal firewall you want is something that will block outgoing traffic as well as incoming traffic, such as Zone Alarm.

When you’ve done all that, you should be able to keep worms of all sorts at bay, if not prevent them completely. But don’t sigh and open that beer just yet — you still need to make sure your anti-virus software is ready for SoBig.
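
One way to spot the internal probing described above, as an added example that is not part of the original column: flag any source host that contacts many distinct destinations on the reported port range within a short window. The log format, addresses, and threshold values are constructed assumptions; the port range is the one the column reports.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Port range as reported in the column (666 to 766); taken from the text, not verified.
PORT_RANGE = range(666, 767)

# Constructed sample log (hypothetical format): timestamp src dst dport action
SAMPLE_LOG = """\
2003-08-25T09:00:01 10.0.0.5 10.0.1.1 707 DENY
2003-08-25T09:00:03 10.0.0.5 10.0.1.2 707 DENY
2003-08-25T09:00:06 10.0.0.5 10.0.1.3 690 DENY
2003-08-25T09:00:10 10.0.0.5 10.0.1.4 690 DENY
2003-08-25T09:00:15 10.0.0.5 10.0.1.5 766 DENY
2003-08-25T09:00:21 10.0.0.5 10.0.1.6 666 DENY
2003-08-25T09:00:30 10.0.0.9 10.0.1.1 700 ALLOW
2003-08-25T09:00:31 10.0.0.9 10.0.1.1 700 ALLOW
2003-08-25T09:00:40 10.0.0.7 10.0.1.1 445 ALLOW
truncated line
2003-08-25T09:01:00 10.0.0.8 10.0.2.1 700 DENY
2003-08-25T09:05:00 10.0.0.8 10.0.2.2 700 DENY
"""

def find_scanners(log_text, min_dests=5, window=timedelta(minutes=1)):
    """Map each source to its peak count of distinct destinations contacted
    on PORT_RANGE within one sliding window, keeping sources >= min_dests.
    The default threshold and window are hypothetical starting points."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        try:
            ts, src, dst, dport, _action = line.split()
            when, port = datetime.fromisoformat(ts), int(dport)
        except ValueError:
            continue  # malformed or truncated line
        if port in PORT_RANGE:
            hits[src].append((when, dst))
    flagged = {}
    for src, seen in hits.items():
        seen.sort()
        start = peak = 0
        for end, (when, _dst) in enumerate(seen):
            while when - seen[start][0] > window:
                start += 1  # slide the window forward
            peak = max(peak, len({d for _, d in seen[start:end + 1]}))
        if peak >= min_dests:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    for src, peak in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {peak} distinct destinations within one minute")
```

Counting distinct destinations rather than raw connections keeps a host that talks repeatedly to one server on a port in the range from being flagged.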