Indian college spreads worm to kill worm

We’ve said it before and we’ll say it again – there’s no such thing as a “good worm”.

Today we saw a Visual Basic Script popping up repeatedly on a customer’s network. On investigation, we found that it deleted malicious files called autorun.* on network and removable drives. And how did it know what files were malicious? Simple; if they weren’t copies of itself, they were obviously malicious.

The author obviously thought this was such a good idea that it would be a waste to keep it for himself. So he made the script copy itself to the network and removable drives after it scanned them, along with a bunch of autorun.* files. When you plug your drive in elsewhere, this script will leap on to that system too and try to delete more files, and from there to more drives, etc. Spread the love, and all.

Personally, I’d rather he kept the love to himself.

If this script finds a malicious (remember, by that I mean “not written by this guy”) file on your drive, it displays the following message:

Nirmal's Antivirus System

I’ve blanked out the name of the college in India, as well as the IT MSc course number that the author seems to have attended. Such audacity never ceases to surprise me.

We’ve seen talk of “good worms” and “good viruses” before (1, 2, 3), and our opinion remains unchanged: whatever the intention, this is malware pure and simple. We detect it as VBS/Malnir-A.