Two more worms in two days following Blaster.
Welchia
Welchia — also called Nachi — appeared on August 18. It exploits the same RPC DCOM vulnerability as Blaster but with a different payload: it removes Blaster from infected hosts and applies the patch.
The author appears to have intended this as benevolent. It is not. The worm consumes substantial bandwidth and produces collateral disruption; in many ways its impact is worse than Blaster's.
Lesson: "good worms" are still worms. The unintended consequences of automated mass intervention are real.
Sobig.F
Sobig.F appeared on August 19 and reached unprecedented mass-mail volume. By peak, it was generating an estimated one in seventeen email messages globally.
The technique is mass-mailing with email-address harvesting. The volume is the new feature — substantially higher than Klez or any predecessor.
What operators should do
For Blaster/Welchia: apply MS03-026; monitor for both worms; segment networks to limit lateral spread.
For Sobig.F: aggressive mail filtering; antivirus signature updates; user education.
More as the situation develops.