Proactive Security

W32/Nachi.A

Threat risk:
medium

Detection files published:
18 Aug 2003
Description created:
2003-08-18
Description updated:
2003-08-29

Malware type:
Worm
Alias:
WORM_MSBLAST.D, W32.Welchia.Worm
Spreading mechanism:
Network

Payload:

Summary

This is a network worm that uses the DCOM RPC and WebDAV vulnerabilities to spread.


Spreading description

When this worm is executed, it first checks whether it is already running by attempting to create a mutex called "RpcPatch_Mutex".

If this succeeds (meaning no other copy is running), it copies the Trivial FTP server TFTPD.EXE from [SYSDIR]\dllcache to [SYSDIR]\WINS\SVCHOST.EXE and registers it as a service.

It then registers the worm file itself as a service on the infected machine under the name [SYSDIR]\WINS\DLLHOST.EXE.

The worm looks for and terminates any process it finds by the name "msblast", and deletes any file named "msblast.exe" in the Windows system directory. This effectively cleans infections by the W32/Blaster.A worm.

The worm is meant to stop when the year is 2004 or higher: if the date check succeeds, it removes the installed services and terminates at this point. However, the worm tests whether the year is exactly 2004, so it will start functioning again in 2005.

At this point it will start its spreading routines, of which there are two:

- One exploiting the WebDAV vulnerability - MS03-007
- One exploiting the DCOM RPC vulnerability - MS03-026

The worm will also attempt to download and install patches to close the DCOM RPC security hole.
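The artifacts listed above (the mutex name, the two service binaries placed in a sub-directory of the system directory, and the msblast process the worm removes) are enough for a simple host-side indicator check. The following is an added example, not Norman's code: it runs over a constructed host inventory whose layout (services, files, mutexes, processes) is an assumption made for the example, and it also models the date check exactly as the description explains it, so the 2005 re-activation caveat can be seen. The WINS sub-directory and the sample service names are assumptions; the defensive point is that the binaries are matched by directory, not by file name alone, since svchost.exe and dllhost.exe are also legitimate Windows files.

```python
"""Host-side indicator check for the W32/Nachi.A artifacts described above.

Added example, not Norman's code. It runs over a constructed host
inventory (registered services, files on disk, named mutexes, running
processes); the inventory layout is an assumption made for the example.
Paths are compared case-insensitively, as on Windows.
"""
from dataclasses import dataclass

WORM_MUTEX = "RpcPatch_Mutex"
# Binaries the worm registers as services. The WINS sub-directory of the
# system directory is an assumption; what matters for detection is that
# these names live outside [SYSDIR] itself, where the legitimate
# svchost.exe and dllhost.exe reside.
WORM_SERVICE_BINARIES = {"svchost.exe", "dllhost.exe"}
WORM_SUBDIR = "wins"
BLASTER_IMAGE = "msblast.exe"


@dataclass
class HostInventory:
    system_dir: str     # e.g. C:\WINDOWS\system32
    services: dict      # service name -> image path
    files: set          # full paths present on disk
    mutexes: set        # named mutexes seen on the host
    processes: set      # image names of running processes


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _parent(path):
    norm = path.replace("/", "\\").rstrip("\\")
    return norm.rsplit("\\", 1)[0].lower() if "\\" in norm else ""


def find_indicators(inv):
    """Return a list of human-readable findings; empty means nothing seen."""
    findings = []
    worm_dir = inv.system_dir.rstrip("\\").lower() + "\\" + WORM_SUBDIR

    if WORM_MUTEX in inv.mutexes:
        findings.append(f"mutex {WORM_MUTEX} present")

    for name, image in inv.services.items():
        if _basename(image) in WORM_SERVICE_BINARIES and _parent(image) == worm_dir:
            findings.append(f"service {name} runs {image}")

    for path in inv.files:
        if _basename(path) in WORM_SERVICE_BINARIES and _parent(path) == worm_dir:
            findings.append(f"file {path} on disk")

    # A running msblast.exe is a W32/Blaster.A indicator rather than a Nachi
    # one, but it is worth reporting: Nachi removes it, so the two seldom coexist.
    if BLASTER_IMAGE in {p.lower() for p in inv.processes}:
        findings.append(f"process {BLASTER_IMAGE} running (W32/Blaster.A)")
    return findings


def worm_active_in_year(year):
    """Model of the date check as the description explains it: the worm only
    stands down when the year is exactly 2004, so it resumes in 2005."""
    return year != 2004


def sample_infected_host():
    """Constructed inventory of an infected machine (not real telemetry);
    the service names are sample values."""
    sysdir = r"C:\WINDOWS\system32"
    return HostInventory(
        system_dir=sysdir,
        services={
            "RpcTftpd": sysdir + r"\WINS\SVCHOST.EXE",
            "RpcPatch": sysdir + r"\WINS\DLLHOST.EXE",
            "Dhcp": sysdir + r"\svchost.exe",  # legitimate, must not match
        },
        files={sysdir + r"\WINS\SVCHOST.EXE", sysdir + r"\WINS\DLLHOST.EXE",
               sysdir + r"\svchost.exe", sysdir + r"\dllhost.exe"},
        mutexes={WORM_MUTEX, "ShimCacheMutex"},
        processes={"svchost.exe", "DLLHOST.EXE", "explorer.exe"},
    )


def sample_clean_host():
    """Constructed inventory of a clean machine."""
    sysdir = r"C:\WINDOWS\system32"
    return HostInventory(sysdir, {"Dhcp": sysdir + r"\svchost.exe"},
                         {sysdir + r"\svchost.exe"}, {"ShimCacheMutex"},
                         {"svchost.exe"})


if __name__ == "__main__":
    for line in find_indicators(sample_infected_host()):
        print(line)
```

On the constructed infected host the check reports the mutex, both services and both files (five findings) and ignores the legitimate svchost.exe service in the system directory; on the clean host it reports nothing. Feeding real data into it means populating the inventory from the service control manager, the file system and the handle table, which this example leaves to the operator.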
 

Removal

The worm is detected using definition files from 18 August 2003 or later. To completely remove the worm and make sure that your computer is not vulnerable to similar malware in the future, you should:

- Download and install Microsoft patches MS03-026 and MS03-007 (see links above). You may have to download these patches on a non-infected computer and bring them to the infected computer on removable media such as a floppy or a CD.

- Run Norman Malware Cleaner as described below.

General information about removal of malicious software

Norman's antivirus products are in general able to remove all malicious software that is detected. Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below if your Norman antivirus is unable to clean up the infection.

Usage / Title / Comment
  Stop the spread of viruses on network shares
  Cleaning of back-up folders on Windows Me and XP