Virus Profile
Virus Information
Name: W32/Nachi.worm
Risk Assessment:
  - Home Users: Medium
  - Corporate Users: Medium
Date Discovered: 8/18/2003
Date Added: 8/18/2003
Origin: Unknown
Length: 10,240 bytes (UPXed)
Type: Virus
SubType: Internet Worm
DAT Required: 4286
Virus Characteristics

This detection is for another virus that exploits the MS03-026 vulnerability.

It is not related to the W32/Lovsan.worm.d variant described here.

The virus is detected by the current Daily DATs as Exploit-DcomRpc virus (with scanning of compressed files enabled).

Intentions of the worm
This worm spreads by exploiting a hole in Microsoft Windows. It instructs a remote target system to download and execute the worm from the infected host. Once running, the worm terminates and deletes the W32/Lovsan.worm.a process and applies the Microsoft patch to prevent other threats from infecting the system through the same hole. When the system clock reaches Jan 1, 2004, the worm will delete itself upon execution.

Installation
To ensure only one instance of the worm on the victim machine, a mutex of the following name is created:

RpcPatch_Mutex

The virus installs itself within a WINS directory in the Windows System directory:

C:\WINNT\SYSTEM32\WINS\DLLHOST.EXE (10,240 bytes)

The virus attempts to copy the TCP/IP trivial file transfer daemon (TFTPD.EXE) binary from the dllcache on the victim machine to this directory also, renaming it:

C:\WINNT\SYSTEM32\WINS\SVCHOST.EXE

Note: If TFTPD.EXE is not present on the target machine, this copy will fail. TFTPD.EXE only exists by default on specific OSes.

The following services are installed:

  1. RpcPatch: set to run the installed copy of the worm (DLLHOST.EXE); display name "WINS Client"
  2. RpcTftpd: set to run the copy of the TFTPD application (SVCHOST.EXE); display name "Network Connections Sharing"

Downloading of Patches
The worm carries links to various patches for the MS03-026 vulnerability:

  • http://download.microsoft.com/download/6/9/5/6957d785-fb7a-4ac9-b1e6-cb99b62f9f2a/Windows2000-KB823980-x86-KOR.exe
  • http://download.microsoft.com/download/5/8/f/58fa7161-8db3-4af4-b576-0a56b0a9d8e6/Windows2000-KB823980-x86-CHT.exe
  • http://download.microsoft.com/download/2/8/1/281c0df6-772b-42b0-9125-6858b759e977/Windows2000-KB823980-x86-CHS.exe
  • http://download.microsoft.com/download/0/1/f/01fdd40f-efc5-433d-8ad2-b4b9d42049d5/Windows2000-KB823980-x86-ENU.exe
  • http://download.microsoft.com/download/e/3/1/e31b9d29-f650-4078-8a76-3e81eb4554f6/WindowsXP-KB823980-x86-KOR.exe
  • http://download.microsoft.com/download/2/3/6/236eaaa3-380b-4507-9ac2-6cec324b3ce8/WindowsXP-KB823980-x86-CHT.exe
  • http://download.microsoft.com/download/a/a/5/aa56d061-3a38-44af-8d48-85e42de9d2c0/WindowsXP-KB823980-x86-CHS.exe
  • http://download.microsoft.com/download/9/8/b/98bcfad8-afbc-458f-aaee-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe

The worm attempts to download and install one of these patches on the victim machine.

Removal of W32/Lovsan.worm.a
The worm also looks for and removes W32/Lovsan.worm.a from an infected system. It achieves this by targeting MSBLAST.EXE. (The process is terminated if running on the victim machine.) NB: The Registry hook employed by MSBLAST.EXE is not removed by the worm.

Self removal
When the system clock reaches Jan 1, 2004, the worm will delete itself upon execution.

Indications of Infection
  • large volumes of ICMP traffic in network
  • existence of the files and Windows services detailed above
Method of Infection

This worm spreads by exploiting a vulnerability in Microsoft Windows. It scans the local subnet (port 135) for target machines. It sends an ICMP packet to potential victim machines, and upon a reply, sends the exploit data. Victim machines are instructed to download the worm via TFTP.

Irrespective of anti-virus detection, unless the system has been patched (MS03-026), it is susceptible to the buffer overflow attack from an infected host machine. An infected machine sends packets across the local subnet to the RPC service running on port 135. When these packets are received by any unpatched system, they cause a buffer overflow and crash the RPC service on that system. All of this can occur without the worm actually being on the machine.

Applying the MS03-026 patch to the machine prevents the RPC service from failing, which in turn resolves these symptoms. It is very important that the machine is rebooted after the patch has been installed.
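The indications (ICMP volume) and infection sequence above (ICMP echo sweep, then TCP/135 to hosts that answered, then the victim pulling the worm over TFTP) can be turned into a simple flow-based detector. This is an added example, not code from the original page; the flow records are constructed, and the record layout and threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (not from the original page).
# Each record: (time_seconds, src_ip, dst_ip, proto, dst_port); dst_port is None for ICMP.
def build_sample_flows():
    flows = []
    scanner = "10.0.0.5"
    # Host sweeps 10.0.0.10-10.0.0.40 with ICMP echo requests, one per second.
    for i in range(10, 41):
        flows.append((i, scanner, f"10.0.0.{i}", "icmp-echo", None))
    # Two hosts answered; the scanner follows up on TCP/135 (RPC endpoint mapper).
    flows.append((12, "10.0.0.12", scanner, "icmp-reply", None))
    flows.append((13, scanner, "10.0.0.12", "tcp", 135))
    flows.append((25, "10.0.0.25", scanner, "icmp-reply", None))
    flows.append((26, scanner, "10.0.0.25", "tcp", 135))
    # One victim pulls the worm back from the scanner over TFTP (UDP/69).
    flows.append((14, "10.0.0.12", scanner, "udp", 69))
    # Benign host: a single ping and an RPC connection to a server (should not be flagged).
    flows.append((5, "10.0.0.7", "10.0.0.1", "icmp-echo", None))
    flows.append((6, "10.0.0.7", "10.0.0.1", "tcp", 135))
    return flows

def nachi_candidates(flows, min_ping_targets=16):
    """Flag source hosts that sweep many distinct addresses with ICMP echo and then
    connect to TCP/135 on a host they pinged, the sequence the profile describes.
    Also records victims that fetched something back over UDP/69 (TFTP)."""
    ping_targets = defaultdict(set)   # src -> hosts it sent echo requests to
    ping_time = {}                    # (src, dst) -> time of the echo request
    rpc_followups = defaultdict(set)  # src -> pinged hosts it then contacted on 135
    tftp_pulls = defaultdict(set)     # src -> pinged hosts that connected back on UDP/69
    for t, src, dst, proto, dport in sorted(flows, key=lambda r: r[0]):
        if proto == "icmp-echo":
            ping_targets[src].add(dst)
            ping_time[(src, dst)] = t
        elif proto == "tcp" and dport == 135:
            if (src, dst) in ping_time and t >= ping_time[(src, dst)]:
                rpc_followups[src].add(dst)
        elif proto == "udp" and dport == 69:
            if (dst, src) in ping_time:   # victim (src) pulling from the scanner (dst)
                tftp_pulls[dst].add(src)
    result = {}
    for src, targets in ping_targets.items():
        if len(targets) >= min_ping_targets and rpc_followups[src]:
            result[src] = {"ping_targets": len(targets),
                           "rpc_followups": sorted(rpc_followups[src]),
                           "tftp_pulls": sorted(tftp_pulls[src])}
    return result
```

The threshold is deliberately low for the sample; on a real subnet tune it to the normal ping rate and correlate with the RpcPatch/RpcTftpd services on the flagged host.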


Removal Instructions
Microsoft Patches
It is imperative that infected systems are patched before they are disinfected. As with W32/Lovsan.worm, some systems may be in a "crash loop" in which SVCHOST.EXE crashes after each restart and the user has 60 seconds before the system restarts again. This can continue to happen even after the virus is removed if the patch is not applied. It may be necessary to install/configure a firewall before downloading/installing the patch. Microsoft has outlined the necessary steps to address Windows issues when removing this virus; these steps should be taken before removing the virus (see below). The following EXTRA.DAT packages are available:
  • EXTRA.DAT - should be extracted to the same directory where CLEAN.DAT, NAMES.DAT, and SCAN.DAT are (typically C:\Program Files\Common Files\Network Associates\VirusScan Engine\4.0.xx)
    or
  • SUPER EXTRA.DAT - EXTRA.DAT self installer
Sniffer Customers: The filter for W32/Lovsan.worm will detect W32/Nachi.worm traffic (Sniffer Distributed 4.3 and Sniffer Portable 4.7.5).

Detection is included in our DAILY DAT (beta) files and will also be included in the next weekly DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

Additional Windows ME/XP removal considerations

Aliases
W32.Welchia.worm (NAV), WORM_MSBLAST.D (Trend)
