There's a new worm using the RPC DCOM exploit - see http://vil.nai.com/vil/content/v_100559.htm
This one has a twist though.. it patches the infected PC with the MS patch 823980 and then deletes the MSBlast worm from the PC.
Odd, huh?
That's kind of interesting. Hmm.. Why would someone create a worm to get rid of another? That's strange. Someone actually created a worm to do some good. That's really a weird twist.
There is some good in the world...:)
Guidance...
Makes sense to me.
I've considered this to be a good solution to the problem...
It wasn't Mark's that got into the wild, was it?
The initial analysis also says that it appears to be self removing after 1st Jan.
However, we've now replaced probes to port 135 on my firewall with ping requests! It's gonna be a very noisy few months at this rate :)
I was just wondering if there are more instances of this. I always wondered why I never heard of reformed virus/worm writers writing "retroviruses", sort of virus-like programs that, like a virus, search for computers on a network that are vulnerable to a certain exploit, use it to copy themselves onto that computer, but instead of using the inside access to DDoS another machine or wreak havoc on the host network, patch the flaw from the inside and destroy themselves. Why don't cops and software companies do this? What about infosec companies like Symantec? Who knows more about viruses than Symantec? They could totally pull it off, so why don't they?
Well, one reason not to let it onto your corporate network can be found by having a quick look at your firewall logs.
At the moment I'm getting in excess of one ping every 4 seconds from my subnet and several very close ones. There must be a shedload of ICMP traffic hammering away through my ISP right now. Imagine what would happen on a large network? Nasty.
On the other hand, a decent firewall should keep it at bay, and this will also likely fix most of the vulnerable PCs on the public internet.
My guesstimate on the ping pattern is that this is looking at working a range of maybe 2048 IP addresses centered around the infected PC. It's not quite the local subnet, but very close. This could mean some ISPs or corporate networks suffering under ICMP storms.
In other words, it's a mixed bag. I think it unintentionally comes with a payload which could cause problems on some networks.. on the other hand, those networks were probably struggling with MSBlast anyway.
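The scanning pattern described in the post above (a burst of ICMP echo requests whose targets cluster in a window of roughly 2048 addresses around the source) is something you can pull out of ordinary firewall logs. The script below is an added example, not code from the thread or from any vendor analysis: it parses an assumed iptables-style log format, groups echo requests by source, and flags sources whose targets sit within an assumed +/-1024 window of their own address. The sample log lines are constructed for the example.

```python
"""Flag hosts whose ICMP echo traffic looks like neighbourhood scanning.

Added example, not from the thread. Assumptions: an iptables-like log line
format (SRC=/DST=/PROTO=/TYPE= fields) and a +/-1024 address window, taken
from the thread's guesstimate rather than from a vendor write-up.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log: one source sweeping addresses near itself,
# one TCP/135 probe (ignored by the ICMP logic), and two benign sources.
SAMPLE_LOG = """\
Aug 19 10:00:00 fw kernel: IN=eth0 SRC=203.0.113.77 DST=203.0.113.10 PROTO=ICMP TYPE=8 CODE=0
Aug 19 10:00:04 fw kernel: IN=eth0 SRC=203.0.113.77 DST=203.0.113.11 PROTO=ICMP TYPE=8 CODE=0
Aug 19 10:00:08 fw kernel: IN=eth0 SRC=203.0.113.77 DST=203.0.113.12 PROTO=ICMP TYPE=8 CODE=0
Aug 19 10:00:12 fw kernel: IN=eth0 SRC=203.0.113.77 DST=203.0.114.200 PROTO=ICMP TYPE=8 CODE=0
Aug 19 10:00:16 fw kernel: IN=eth0 SRC=203.0.113.77 DST=203.0.116.3 PROTO=ICMP TYPE=8 CODE=0
Aug 19 10:00:20 fw kernel: IN=eth0 SRC=203.0.113.77 DST=203.0.112.250 PROTO=ICMP TYPE=8 CODE=0
Aug 19 10:00:21 fw kernel: IN=eth0 SRC=203.0.113.77 DST=203.0.113.10 PROTO=TCP SPT=3456 DPT=135
Aug 19 10:00:30 fw kernel: IN=eth0 SRC=198.51.100.5 DST=203.0.113.10 PROTO=ICMP TYPE=8 CODE=0
Aug 19 10:00:40 fw kernel: IN=eth0 SRC=192.0.2.9 DST=203.0.113.10 PROTO=ICMP TYPE=8 CODE=0
Aug 19 10:00:41 fw kernel: IN=eth0 SRC=192.0.2.9 DST=203.0.113.10 PROTO=ICMP TYPE=0 CODE=0
"""

# Assumed field layout; TYPE= is only present on ICMP lines.
LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+)(?: SPT=\d+ DPT=(\d+))?(?: TYPE=(\d+))?")


def parse_line(line):
    """Return the fields we care about, or None for lines we do not understand."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, proto, dpt, icmp_type = m.groups()
    return {
        "src": src,
        "dst": dst,
        "proto": proto,
        "dpt": int(dpt) if dpt is not None else None,
        "icmp_type": int(icmp_type) if icmp_type is not None else None,
    }


def echo_requests_by_source(log_text):
    """Group ICMP echo request (type 8) destinations by source address."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "ICMP" and rec["icmp_type"] == 8:
            by_src[rec["src"]].append(rec["dst"])
    return by_src


def port135_probes_by_source(log_text):
    """Count TCP probes to port 135 per source, for comparison with the ping load."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dpt"] == 135:
            counts[rec["src"]] += 1
    return dict(counts)


def flag_neighbourhood_scanners(log_text, min_probes=5, window=1024, near_fraction=0.9):
    """Flag sources that send at least min_probes echo requests, nearly all of
    them to addresses within +/-window of the source's own address."""
    flagged = {}
    for src, dsts in echo_requests_by_source(log_text).items():
        if len(dsts) < min_probes:
            continue
        src_int = int(ipaddress.ip_address(src))
        offsets = [int(ipaddress.ip_address(d)) - src_int for d in dsts]
        near = [o for o in offsets if abs(o) <= window]
        if len(near) / len(offsets) >= near_fraction:
            flagged[src] = {
                "probes": len(offsets),
                "distinct_targets": len(set(dsts)),
                "min_offset": min(offsets),
                "max_offset": max(offsets),
            }
    return flagged


if __name__ == "__main__":
    for src, info in flag_neighbourhood_scanners(SAMPLE_LOG).items():
        print(src, info)
    print("port 135 probes:", port135_probes_by_source(SAMPLE_LOG))
```

On the constructed log the only flagged source is 203.0.113.77, with six echo requests spread between -83 and +694 addresses from itself; the two other sources each ping a single host and stay under the threshold. Against a real log you would feed the firewall's own lines in and tune `window` and `min_probes` to what you see.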
Well, as someone who had a lot of problems because of the MS DCOM/RPC patch, I for one think that this virus should be considered malware and detected by antivirus vendors.
Looks like most AV vendors have already updated their signatures or are working on it.
I've *never* seen this much activity on my firewall before though. I'm making a bet that the Internet Storm Center - http://isc.incidents.org/ - will upgrade this to a yellow because of the risk of an ICMP/ping storm.
Hi guys!
This reminds me of one about 3-4 years ago... cannot remember the name? What we are looking at is a form of "reverse social engineering"; plus, if the other crap is there, this doesn't work?
Help me, you memory men :D
There are NO "good" bad guys
I'm not sure there's much social engineering involved.. I'm pretty certain this is somebody trying to be a "white hat" but there's a couple of major flaws in this anti-worm..
Firstly, 1st January 2004 is waaaay too long. It would pick up most of the infected PCs if allowed to run for a couple of days. This appears to be a much more effective infector than MSBlast.
Secondly, the rate of infection is very high, and the scanning rate is very high too. Because of the high level of effectiveness, this is causing a large number of infected hosts scanning very quickly. Indeed, on the first day, I'm getting twice as much firewall activity from Nachi as I am from MSBlast.
Those of you with long memories will remember the first Internet Worm back in 1988. Because you can never test something like this in the wild, it's difficult to know how to "throttle" the spread of the worm. Back in '88, the worm spread much more quickly and aggressively than anticipated, and I'm afraid that with the infection rate of *this* worm, we may end up with something out of control. If it was just for a couple of days it wouldn't be so bad, but we're looking at a time period of four-and-a-half months of endless repetitive pinging.
In other words.. I think the anti-worm is a little buggy. A slower spread rate and shorter infection period would be nice. As to whether this is a *good* thing or not is hard to say. It'll clean up MSBlast pretty quickly. The damage it will do on the way is something I guess we'll find out.
Quote:
Originally posted here by dynamoo
I'm afraid that with the infection rate of *this* worm, we may end up with something out of control.
She swallowed the spider to catch the fly.
I don't know why she swallowed a fly.
Perhaps she'll die.
<joke>We need another 'white' worm that's only active for a couple of days, but spreads more aggressively, to fix the vulnerable systems before this one does.</joke>
Steve
Not my normal heads up.... But then I normally post virus warnings in the AntiVirus Forum.. Isn't that what it is for??
W32.Welchia.Worm
This is a Cat2 warning from Symantec.. BUT
Quote:
Wild: Low
Damage: Low
Distribution: Low
And the overview:
Quote:
W32.Welchia.Worm is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, install it, and then reboot the computer.
The worm will also attempt to remove W32.Blaster.Worm.
and the last 3 points from the technical details:
Quote:
Attempts to connect to Microsoft's Windows Update and download the DCOM RPC vulnerability patch.
Once the update has been downloaded and executed, the worm will reboot the computer so that the patch is installed.
Checks the computer's system date. If the date is January 1, 2004, the worm will disable itself.
BTW: the AKA List
Quote:
W32/Welchia.worm10240 [AhnLab]
W32/Nachi.worm [McAfee],
WORM_MSBLAST.D [Trend],
Lovsan.D [F-Secure]
Cheers
Symantec just upgraded W32.Welchia.Worm to a Category 4 "Due to an increase in submissions."
It exploits RPC/DCOM over port 135. Plus, the new twist to this one that I think warrants a brief mention is:
Quote:
exploits the WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80. The worm specifically targets machines running Microsoft IIS 5.0 using this exploit.
So, this worm can infect your machine over port 80 if you do not have the WebDAV exploit patched. It will then launch the command prompt and try to TFTP the RPC/DCOM patch.
Therefore, it could try to patch an already patched machine for RPC, if it gets in via WebDAV. But WebDAV stays unpatched.
I wonder why the virus writer only added the RPC patch; if you are gonna make it exploit WebDAV also, why not patch that one also? Heck, why not double the fun?
I'm in hiding.
If anyone sees msmittens or negative etc. could you tell them to delete any reference to my robin hood antics before I get busted.
Mark: I was a little curious to see if you would show your face again for a while...... ;)
The word Doh springs to mind but I just have to get over that 400 post marker before I get mitnicked.
So, I fully expect postcards, brownies and stuff when I'm inside but I'm going to need to ask one of you guys to post here for me and I will write it on paper in future because I suspect I won't be allowed near a toaster far less a computer if I get this pinned on me.
If you look at the analyses, the new worm IS trying to hide itself by running itself as SVCHOST.EXE, which is kind of strange. I don't think you'd do that for a cleanup tool! I'm mighty suspicious now about the long lifespan. Hmmm.
I was wondering what was going to follow up MSBlast though.. we should count ourselves lucky that it's a cleanup worm rather than something that leverages the existing infected pool of machines for world domination etc.
Personally I think Skynet is to blame for this one. ;)
Let's not go down the Skynet road again, eh
http://www.antionline.com/showthread...&pagenumber=10
Let's just say someone thought it would be a good idea. (Wasn't me )
I would like to get my point across that I didn't write this version. Although it does have some splendid characteristics like mine. The version I wrote (Balerafon) has been destroyed, and it was reporting back to a log file on my PC via FTP at every step.
Unless it became self aware and decided to stop doing so ?
This worm was a great idea and in good faith, even if it is causing a lot of traffic problems. However, Mark, I don't think it's yours that's rampaging all over the Internet, since I look at you as a much more careful and mindful person than that.
Heads up mark, take a little weight off, you might not get pinned for this one. It takes a lot to attach a worm to a person, well not a real one but a computer one.:) I think you will be ok.
Guidance...
Hang in there Mark! :)
Oh well, to say the least, the last few days have been busy, and duh, I already had the patches. But the ping probes are a bit much, at home at least. As for the correcting worm, it was a good concept on paper, but with enough viruses taking advantage already, and then adding this... well, someone has to do more planning before deployment. Never underestimate a good plan. Ah well, let's wait a few more weeks until the next flaw in M$ code. Hell, they want to auto-update; duh, another service they will add to the OS. Don't fix the root, patch the hole... and this is secure computing according to Bill. LOL, damn, he's still got the last laugh all the way to the bank!
Update when will the M$ legend and Myth END?
Even though the Nachi worm had good intentions, the execution ended up being more destructive than Blaster. The US Navy suffered network failure on a grand scale due to the excessive network traffic of Nachi scanning for Blaster on other machines over the network. The programmer's intentions were noble, but his methods were reckless. Scanning for a virus over a network.. Hmm, that sounds like a good idea to implement on a mass scale.
O.K., O.K.,
Fine, it wasn't just as cool as we thought.
Can we let this forum drop off the end before I get busted, please.