By Robert Vamosi
This tries to patch the cause of MSBlast infections but leaves open another serious vulnerability
(8/19/03)
How it works
Like MSBlast, Nachi does not arrive via e-mail but via Internet port 135. And, like MSBlast, it attacks Windows 2000 and Windows XP machines that do not have the DCOM RPC patch from Microsoft installed. When it attacks, the unpatched machine may crash, whether or not the machine has been previously infected with MSBlast.
Nachi installs two files in the Windows subdirectory WinNT\system32:
C:\winnt\system32\wins\dllhost.exe (10,240 bytes)
(Be aware that a legitimate system file named dllhost.exe also exists. The legitimate file is typically only 5-6 kB.)
C:\winnt\system32\wins\svchost.exe or tftpd.exe
This last file is the Trivial File Transfer Protocol (TFTP) component the worm uses to download and install the DCOM RPC patches.
Additionally, Nachi uses the WebDAV buffer-overflow flaw to spread to other Windows NT 4.0, 2000, and XP machines, but, ironically, it does not bother to patch this vulnerability.
Nachi is set to remove itself from infected machines on January 1, 2004.
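As a defensive host check, here is an added example (not from the original article) that looks for the dropped files named above under a Windows directory and tells the 10,240-byte dllhost.exe in system32\wins apart from the legitimate copy in system32. It assumes the standard Windows 2000/XP layout and builds a constructed sample tree rather than touching a real system.

```python
import tempfile
from pathlib import Path

# Indicators from the write-up: Nachi drops its files into the "wins"
# subdirectory of system32 (C:\winnt\system32\wins on Windows 2000).
WINS_SUBDIR = Path("system32") / "wins"
DROPPED_FILES = ("dllhost.exe", "svchost.exe", "tftpd.exe")
NACHI_DLLHOST_SIZE = 10_240  # bytes, per the write-up

def scan_for_nachi(system_root):
    """Return (path, reason) tuples for Nachi indicators under a Windows directory.

    Only system32\\wins is inspected: the legitimate dllhost.exe (5-6 kB) lives
    directly in system32 and must not be flagged (assumes the standard layout).
    """
    findings = []
    wins_dir = Path(system_root) / WINS_SUBDIR
    if not wins_dir.is_dir():
        return findings
    for name in DROPPED_FILES:
        candidate = wins_dir / name
        if not candidate.is_file():
            continue
        size = candidate.stat().st_size
        if name != "dllhost.exe":
            reason = f"{name} in wins\\ (Nachi's TFTP component)"
        elif size == NACHI_DLLHOST_SIZE:
            reason = "dllhost.exe in wins\\ at Nachi's size (10,240 bytes)"
        else:
            reason = f"dllhost.exe in wins\\ at unexpected size ({size} bytes)"
        findings.append((str(candidate), reason))
    return findings

def build_sample_tree(infected):
    """Construct a throwaway Windows-like tree (constructed demo data, not real binaries)."""
    root = Path(tempfile.mkdtemp(prefix="nachi_demo_"))
    sys32 = root / "system32"
    sys32.mkdir()
    (sys32 / "dllhost.exe").write_bytes(b"\x00" * 5_120)  # legitimate-sized decoy
    if infected:
        wins = sys32 / "wins"
        wins.mkdir()
        (wins / "dllhost.exe").write_bytes(b"\x00" * NACHI_DLLHOST_SIZE)
        (wins / "tftpd.exe").write_bytes(b"\x00" * 1_024)
    return root

if __name__ == "__main__":
    print(scan_for_nachi(build_sample_tree(True)) or "no Nachi indicators found")
```

On a real host, call scan_for_nachi with the Windows directory (for example C:\winnt) instead of the constructed tree.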
Prevention
If you haven't already installed the DCOM RPC patch from Microsoft, do so now. Additionally, if you do not have a desktop firewall installed, you should consider installing one to avoid infection by either MSBlast or Nachi.
Removal
Most antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, McAfee, Norman, Panda, Sophos, Symantec, or Trend Micro.