iiNet users will be interested to hear that recent slowdowns and site access problems were likely caused by a new virus called the Nachi Worm, aka the “W32.Welchia” virus.
W32.Welchia is a troublesome self-replicating worm which infiltrates customers’ computers and then tries to find other vulnerable computers from there.
“The infected client's machine sends out hundreds of thousands of probes as it tries to find other computers to infect. When multiplied by a large number of infected machines, the amount of excess data can cripple a network,” said Greg Bader, iiNet’s CTO.
Although the fault page for the problem has been open for a month, the negative effects of the virus were quickly stopped by iiNet technicians, according to Bader. The day after the problem was discovered on 5 October, iiNet blocked all ICMP traffic, the “channel” over which the virus broadcasts.
“Since then, the original fault – network congestion, drop outs, etc. – haven't reoccurred,” Bader said.
However, iiNet is now deploying a new feature which will home in on and block users infected with the Nachi Worm.
“Rather than blocking all ICMP traffic, we detect those users who are infected and apply an ICMP block to their connection only. This prevents them infecting other users, and prevents their traffic from congesting the network. It also lets us contact them to guide them through cleaning their systems from the virus,” said Bader.
People can avoid the worm by staying up to date with security patches and anti-virus software.
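The per-user detection Bader describes could look like the following. This is an added example, not iiNet's code. It assumes the ISP has flow records as `(ts, src, dst, icmp_type)` tuples, that probes are counted as ICMP echo requests, and that the window and threshold values are arbitrary; the function names and record format are hypothetical.

```python
from collections import Counter, defaultdict, deque

ICMP_ECHO_REQUEST = 8  # assumption: probes are counted as ICMP echo requests


def find_icmp_scanners(records, window_s=10.0, min_distinct_dsts=50):
    """records: (ts, src, dst, icmp_type) tuples sorted by ts (hypothetical format).

    Returns {src: peak number of distinct destinations pinged inside one
    window} for every source that reaches min_distinct_dsts.
    """
    recent = defaultdict(deque)       # src -> (ts, dst) pairs still in window
    in_window = defaultdict(Counter)  # src -> dst -> packets still in window
    flagged = {}
    for ts, src, dst, icmp_type in records:
        if icmp_type != ICMP_ECHO_REQUEST:
            continue  # replies and errors are not probes
        q, seen = recent[src], in_window[src]
        q.append((ts, dst))
        seen[dst] += 1
        while ts - q[0][0] > window_s:  # expire packets older than the window
            _, old = q.popleft()
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
        if len(seen) >= min_distinct_dsts:
            flagged[src] = max(flagged.get(src, 0), len(seen))
    return flagged


def sample_records():
    """Constructed flow records; documentation/private addresses only."""
    recs = []
    for i in range(200):  # sweeping host: 200 different targets in 2 s
        recs.append((i * 0.01, "10.0.0.5", f"192.0.2.{i + 1}", 8))
    for i in range(300):  # heavy but benign: one target pinged 300 times
        recs.append((i * 0.1, "10.0.0.9", "198.51.100.1", 8))
    for i in range(5):    # ordinary user: a few pings, far apart
        recs.append((i * 5.0, "10.0.0.7", f"203.0.113.{i + 1}", 8))
    for i in range(100):  # echo replies (type 0) must not count as probes
        recs.append((i * 0.01, "10.0.0.8", f"192.0.2.{i + 1}", 0))
    return sorted(recs)


if __name__ == "__main__":
    for src, peak in find_icmp_scanners(sample_records()).items():
        print(f"{src}: {peak} distinct ICMP targets in one window -> block ICMP")
```

Counting distinct destinations rather than raw packets keeps a customer who pings one host repeatedly from being blocked alongside a sweeping host.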