Nachi worm

The Nachi Worm - W32/Nachi-A


New Nachi Worm (W32/Nachi-A) - Released: August 2003


Question: So when is a computer Worm a friendly Worm?

Answer: When it is called the Nachi worm... Well that is what the author of this latest virus would have you believe!

So why is this worm different?

Well it is actually written to try and remove the very recent msblast.exe worm from infected computers.

THEN it downloads and installs the official Microsoft Security Patch that fixes a known security hole in some computers....

Some virus experts are calling this Nachi worm the "Dirty Harry" worm, in a reference to the tough 1970s police officer played by Clint Eastwood!

However, ALL the leading Antivirus companies are agreed that this new worm is still an invasion of your privacy and is not to be considered a good thing...


So What is The Nachi worm (W32/Nachi-A)?

Well, it is an Internet worm spread via, well, the Internet! (It is NOT caught by email).

SIMPLY having your Windows XP computer connected to the Internet, one that has not been updated with the Microsoft Security Patch 823980, means you could be infected!

It also has the following aliases:

W32/Nachi.worm

WORM_MSBLAST.D

Lovsan.D

W32.Welchia.Worm

Welchi


How Does The Nachi worm (W32/Nachi-A) Work?

The worm scans the Internet, via currently infected computers, for vulnerable PCs... (It does this using the Remote Procedure Call (RPC) DCOM vulnerability, in a similar fashion to the Blaster worm.)

The Nachi worm ALSO attempts to spread using a "buffer overflow" exploit for the ntdll.dll library file. The exploit is attempted through a Search request of the WebDAV protocol.

(Microsoft issued a patch for this vulnerability on March 17, 2003. The patch is number 815021)

W32/Nachi-A runs two files on your computer:

dllhost.exe

svchost.exe

Dllhost.exe is the main worm component and svchost.exe is a standard TFTP (Trivial File Transfer Protocol) server that is ONLY used by the worm to TRANSFER itself from an infected PC to a target PC.

When the worm is run, it copies itself into the Windows System folder as dllhost.exe and uses the Windows Service Control Manager to create new Windows Services.

These are the new services created:

RpcPatch

RpcTftpd

RpcPatch, with the description "Network Connections Sharing", runs the copy of the worm and RpcTftpd, with the description "WINS Client", runs the accompanying TFTP server.

The Nachi worm then scans the Internet for other computers to infect.

An ICMP Ping packet is sent first to check if a host is online. The Ping packet is followed by a WebDAV search request or an RPC DCOM exploit (see above).

If the exploit is successful, the Nachi worm (W32/Nachi-A) uses tftp.exe (TFTP - Trivial File Transfer Protocol) on the target PC to copy the worm files across from the infected PC.

Once a PC is infected, the Nachi worm (W32/Nachi-A) attempts to download and run security patch 823980 from Microsoft's update websites...!

The worm also contains the following text which does not get displayed:

I love my wife & baby :)

This Nachi worm will also remove itself from the PC, if the PC date is 1 January 2004 or later.
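The propagation sequence described above (ICMP echo sweep, then an RPC DCOM or WebDAV attempt against a host that answered, then the victim's tftp.exe pulling the worm back from the infected PC) is something a network monitor can look for. The script below is an added example, not part of the original article or any vendor tool; it runs over a small constructed flow log and the port numbers (TCP 135 for RPC DCOM, TCP 80 for WebDAV, UDP 69 for TFTP) and the sweep threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (not real captures): (src, dst, proto, dport).
# 10.0.0.5 behaves like an infected Nachi host; 10.0.0.9 is a normal workstation.
SAMPLE_FLOWS = (
    [("10.0.0.5", f"10.0.1.{i}", "icmp", 0) for i in range(1, 41)]   # ICMP echo sweep
    + [("10.0.0.5", "10.0.1.7", "tcp", 135),                         # RPC DCOM attempt
       ("10.0.0.5", "10.0.1.12", "tcp", 80),                         # WebDAV SEARCH attempt
       ("10.0.1.7", "10.0.0.5", "udp", 69)]                          # victim fetches worm via TFTP
    + [("10.0.0.9", "10.0.2.1", "icmp", 0), ("10.0.0.9", "10.0.2.2", "icmp", 0),
       ("10.0.0.9", "10.0.2.3", "tcp", 80)]                          # ordinary pings and browsing
)

SWEEP_THRESHOLD = 20                     # assumed: distinct ICMP targets before we call it a sweep
EXPLOIT_PORTS = {135: "rpc-dcom", 80: "webdav"}
TFTP_PORT = 69

def analyse(flows):
    """Return {src: {"stages": [...], "verdict": str}} for every source host seen."""
    pings = defaultdict(set)             # src -> hosts it pinged
    exploits = defaultdict(dict)         # src -> {dst: "rpc-dcom" | "webdav"}
    served = defaultdict(set)            # TFTP server -> clients that connected to it
    for src, dst, proto, dport in flows:
        if proto == "icmp":
            pings[src].add(dst)
        elif proto == "tcp" and dport in EXPLOIT_PORTS:
            exploits[src][dst] = EXPLOIT_PORTS[dport]
        elif proto == "udp" and dport == TFTP_PORT:
            served[dst].add(src)         # the victim's tftp.exe connects back to the infected PC
    report = {}
    for src in set(pings) | set(exploits) | set(served):
        stages = []
        if len(pings[src]) >= SWEEP_THRESHOLD:
            stages.append("icmp-sweep")
        if any(dst in pings[src] for dst in exploits[src]):   # exploit sent only to pinged hosts
            stages.append("exploit-after-ping")
        if served[src] & set(exploits[src]):                  # an exploited host came back for files
            stages.append("tftp-transfer")
        verdict = "probable-nachi" if len(stages) == 3 else ("suspicious" if stages else "clean")
        report[src] = {"stages": stages, "verdict": verdict}
    return report

if __name__ == "__main__":
    for host, result in sorted(analyse(SAMPLE_FLOWS).items()):
        print(host, result["verdict"], result["stages"])
```

Real flow exports will need the field mapping adjusted, but the three-stage correlation is the part that separates a Nachi-style sweep from a busy but healthy host.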


Does This Nachi worm (W32/Nachi-A) Do Anything Nasty?

Other than invade YOUR privacy and cause some inconvenience... NO

Basically the worm has been designed so that it can download files to the infected computer and execute them! This is a deliberate attempt by the creator of the worm to try and stop PCs being hit by the Blaster worm.

Viruses tend to mutate rapidly, and therefore future variants of this virus are possible!


What Do I Do Now?

1) Use this Nachi Worm removal tool here

2) If it is not already on your PC after the worm's efforts to put it there, install Security patch 823980 (if this patch fails to install, read this cryptographic service article).

3) Install Security patch 815021

Now:

Get a Firewall...

Update your Antivirus software!

If you DO NOT have any Antivirus software running on your PC then get one now!

Even the FREE Antivirus software from www.grisoft.com is good enough for Windows XP users.


I hope this article helps YOU!

Kind Regards

Marc Liron
marc@updatexp.com


The views on this website are my own and not that of Microsoft.
I am not responsible for the content of any sites linked to.
ALL information is provided "As Is"

This page was last updated 19th August 2003
