
Thread: Nachi Worm

  1. #11
    AntiOnline Senior Member (steve.milner)
    Join Date
    Jul 2003
    Posts
    1,021
    Originally posted by dynamoo:
    > I'm afraid that with the infection rate of *this* worm, we may end up with something out of control.
    She swallowed the spider to catch the fly.

    I don't know why she swallowed a fly.

    Perhaps she'll die.

    <joke>We need another 'white' worm that's only active for a couple of days, but spreads more aggressively, to fix the vulnerable systems before this one does.</joke>

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  2. #12
    The Doctor (Und3ertak3r)
    Join Date
    Apr 2002
    Posts
    2,744
    Not my normal heads up.... But then I normally post virus warnings in the AntiVirus Forum.. Isn't that what it is for??

    W32.Welchia.Worm

    This is a Cat2 warning from Symantec.. BUT
    Wild: Low
    Damage: Low
    Distribution: Low

    And the overview:
    W32.Welchia.Worm is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, install it, and then reboot the computer.

    The worm will also attempt to remove W32.Blaster.Worm.
    And the last 3 points from the technical details:
    Attempts to connect to Microsoft's Windows Update and download the DCOM RPC vulnerability patch.

    Once the update has been downloaded and executed, the worm will reboot the computer so that the patch is installed.

    Checks the computer's system date. If the date is January 1, 2004, the worm will disable itself.
    BTW: the AKA list:
    W32/Welchia.worm10240 [AhnLab]
    W32/Nachi.worm [McAfee]
    WORM_MSBLAST.D [Trend]
    Lovsan.D [F-Secure]
    Cheers
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  3. #13

    Post Cat 4 now

    Symantec just upgraded W32.Welchia.Worm to a Category 4 "Due to an increase in submissions."

    It exploits RPC/DCOM over port 135. Plus, the new twist to this one that I think warrants a brief mention is:
    > exploits the WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80. The worm specifically targets machines running Microsoft IIS 5.0 using this exploit.
    So, this worm can infect your machine over port 80 if you do not have the WebDAV exploit patched. It will then launch the command prompt and try and TFTP the RPC/DCOM patch.

    Therefore, it could try and patch an already patched machine for RPC, if it gets in via WebDAV. But WebDAV stays unpatched.

    I wonder why the virus writer only added the RPC patch; if you are gonna make it exploit WebDAV also, why not patch that one also? Heck, why not double the fun?
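    The two vectors described in the posts above (TCP 135 for RPC/DCOM, TCP 80 for WebDAV on IIS 5.0) give a defender something concrete to watch for: one internal host touching many distinct destinations on those two ports in a short window. The script below is an added example, not code from this thread or from any poster; the log format and sample lines are constructed for illustration, and the threshold and window are assumptions to tune for your own network.

    ```python
    from collections import defaultdict
    from datetime import datetime

    # Ports the posts name as the worm's infection vectors: 135 (MS03-026 RPC/DCOM) and 80 (MS03-007 WebDAV).
    WORM_PORTS = {135, 80}
    THRESHOLD = 5        # assumed: distinct destination hosts on worm ports before we flag a source
    WINDOW_SECONDS = 60  # assumed: sliding window in which those hits must occur

    # Constructed firewall log lines (format is made up: date time action proto src dst dport).
    SAMPLE_LOG = """\
    2003-08-18 10:00:01 ALLOW TCP 10.0.0.5 10.0.1.1 135
    2003-08-18 10:00:02 ALLOW TCP 10.0.0.5 10.0.1.2 135
    2003-08-18 10:00:03 DENY TCP 10.0.0.5 10.0.1.3 135
    2003-08-18 10:00:04 ALLOW TCP 10.0.0.5 10.0.1.4 80
    2003-08-18 10:00:05 DENY TCP 10.0.0.5 10.0.1.5 135
    2003-08-18 10:00:06 ALLOW TCP 10.0.0.5 10.0.1.6 80
    2003-08-18 10:00:07 ALLOW TCP 10.0.0.9 10.0.2.20 80
    2003-08-18 10:00:08 ALLOW TCP 10.0.0.9 10.0.2.20 80
    2003-08-18 10:00:09 ALLOW TCP 10.0.0.9 10.0.2.20 80
    2003-08-18 10:00:10 ALLOW TCP 10.0.0.7 10.0.1.1 135
    2003-08-18 10:05:00 ALLOW TCP 10.0.0.7 10.0.1.2 135
    2003-08-18 10:00:11 ALLOW UDP 10.0.0.5 10.0.1.7 69
    """

    def parse_line(line):
        """Parse one constructed log line; return None for malformed lines."""
        parts = line.split()
        if len(parts) != 7:
            return None
        date, clock, action, proto, src, dst, dport = parts
        return {"time": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
                "action": action, "proto": proto, "src": src, "dst": dst, "dport": int(dport)}

    def find_scanners(log_text, threshold=THRESHOLD, window=WINDOW_SECONDS):
        """Return {source: max distinct destinations on worm ports seen within any window}.
        Both ALLOW and DENY lines count: a blocked probe is still evidence of scanning."""
        events = defaultdict(list)  # src -> [(time, dst)] for TCP hits on worm ports
        for line in log_text.splitlines():
            rec = parse_line(line)
            if rec and rec["proto"] == "TCP" and rec["dport"] in WORM_PORTS:
                events[rec["src"]].append((rec["time"], rec["dst"]))
        flagged = {}
        for src, evs in events.items():
            evs.sort()
            start = 0
            for end in range(len(evs)):
                while (evs[end][0] - evs[start][0]).total_seconds() > window:
                    start += 1  # slide the window forward past stale events
                distinct = len({dst for _, dst in evs[start:end + 1]})
                if distinct >= threshold:
                    flagged[src] = max(flagged.get(src, 0), distinct)
        return flagged
    ```

    Repeated hits from one host to a single web server (10.0.0.9 above) are not flagged, which is the difference between normal browsing and the fan-out a scanning worm produces.
    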

  4. #14
    Senior Member
    Join Date
    Jan 2003
    Posts
    1,499
    I'm in hiding.

    If anyone sees msmittens or negative etc could you tell them to delete any reference to my robin hood antics before I get busted.

  5. #15
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Mark: I was a little curious to see if you would show your face again for a while......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #16
    Senior Member
    Join Date
    Jan 2003
    Posts
    1,499
    The word Doh springs to mind but I just have to get over that 400 post marker before I get mitnicked.

    So, I fully expect postcards, brownies and stuff when I'm inside but I'm going to need to ask one of you guys to post here for me and I will write it on paper in future because I suspect I won't be allowed near a toaster far less a computer if I get this pinned on me.

  7. #17
    If you look at the analyses, the new worm IS trying to hide itself, which is kind of strange by running itself as SVCHOST.EXE. I don't think you'd do that for a cleanup tool! I'm mighty suspicious now about the long lifespan. Hmmm.

    I was wondering what was going to follow up MSBlast though.. we should count ourselves lucky that it's a cleanup worm rather than something that leverages the existing infected pool of machines for world domination etc.

    Personally I think Skynet is to blame for this one.

  8. #18
    Senior Member
    Join Date
    Jan 2003
    Posts
    1,499
    Let's not go down the skynet road again eh

    http://www.antionline.com/showthread...&pagenumber=10

    Let's just say someone thought it would be a good idea. (Wasn't me )

    I would like to get my point across that I didn't write this version. Although it does have some splendid characteristics like mine. The version I wrote (Balerafon) has been destroyed and it was reporting back to a log file on my PC via ftp at every step.

    Unless it became self aware and decided to stop doing so ?

  9. #19
    Senior Member
    Join Date
    Jul 2002
    Posts
    315
    This worm was a great idea and in good faith even if it is causing a lot of traffic problems. However mark, I don't think it's yours that's rampaging all over the Internet since I look at you as a much more careful and mindful person than that.

    Heads up mark, take a little weight off, you might not get pinned for this one. It takes a lot to attach a worm to a person, well not a real one but a computer one. I think you will be ok.

    Guidance...
    - The mind is too beautiful to waste...
    Cutty


  10. #20
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    Hang in there Mark!
    -Simon "SDK"
