The Web    Google
Nachi Worm Exploits Security Hole in Microsoft Windows

Nachi Worm Exploits Security Hole in Microsoft Windows
February 12, 2004

Several antivirus vendors issued a high-level threat warning Thursday to computer users of a new variant of the Nachi worm (W32/Nachi-B) that attempts to remove infections of W32/MyDoom-A and W32/MyDoom-B, and download Microsoft security patches to unprotected computers.

Taking advantage of the same critical security hole in Microsoft Windows that was exploited by the Blaster worm, Nachi searches for unpatched computers, according to Sophos. Once located, it infects the computer without asking the user's permission and hunts for traces of the MyDoom worms. If a MyDoom infection is found, the Nachi-B worm attempts to remove it and download patches to fix the Microsoft vulnerability.

W32/Nachi-B spreads by exploiting the following Microsoft vulnerabilities:
--Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability.

Microsoft issued a patch for the vulnerability exploited by this worm on July 16, 2003. The patch is available from

--WebDAV vulnerability and IIS5/WEBDAV Buffer Overrun vulnerability Microsoft issued a patch for the vulnerability exploited by this worm on March 17, 2003. The patch is available from

When run the worm copies itself to the subfolder drivers located in the Windows system folder using the filename svchost.exe. The worm also tries to download and execute some of the following Microsoft patches: 3467c5ef1e9a/WindowsXP-KB828035-x86-CHS.exe 2c17dd4d7e59/WindowsXP-KB828035-x86-KOR.exe a34035dc181a/WindowsXP-KB828035-x86-ENU.exe 70087ccad56c/Windows2000-KB828749-x86-CHS.exe c26de0929513/Windows2000-KB828749-x86-KOR.exe 3bf9a915e6d9/Windows2000-KB828749-x86-ENU.exe

W32/Nachi-B checks every 20 minutes for a live Internet connection by attempting to connect to either, or and will attempt to infect random IP addresses if the connection was successful.

W32/Nachi-B will uninstall itself from June 2004.

More information is at Sophos page.

According to McAfee, W32/Nachi.worm.b exploits the MS03-026 / MS03-039 vulnerability (DCOM RPC), the MS03-007 vulnerability (NTDLL via WebDav), and the MS03-049 vulnerability (Workstation service). WksPatch_Mutex

The virus installs itself within a DRIVERS directory in the Windows System directory: C:\WINNT\SYSTEM32\DRIVERS\SVCHOST.EXE (12,800 bytes)
Please Note: There is a perfectly legitimate system file with filename SVCHOST.EXE in the WINDOWS SYSTEM directory with the same filesize.

The following service is installed:
WksPatch Set to run the installed copy of the worm (SVCHOST.EXE).

Visit this McAfee page for more information.

Nachi.B is a worm that affects Windows XP/2000/NT computers only, according to Panda Software. Nachi.B exploits the vulnerabilities Buffer Overrun in RPC Interface, WebDAV and Workstation Service Buffer Overrun in order to spread to as many computers as possible.

Nachi.B spreads by attacking remote computers and exploits the vulnerabilities mentioned above to download a copy of itself to the compromised computer. In order to do this, Nachi.B incorporates its own web server.

Nachi.B uninstalls the worms Mydoom.A and Mydoom.B, by ending their processes and deleting the files carrying the worms.

If you have a Windows XP/2000/NT computer, it is highly recommendable to download the security patches from the Microsoft Web site for the following vulnerabilities: Buffer Overrun in RPC Interface, WebDAV and Workstation Service Buffer Overrun.

Technical details are at this Panda Software page.

Mydoom Virus Now at High Outbreak Status

And the Mydoom virus has now escalated into a high outbreak, according to McAfee. A new variant of this virus has been discovered, the vendor reported Thursday. The file size is 24,048 bytes (petite packed). It is proactively detected as W32/Mydoom.a@MM using the above specified DATs. The functionality of this new variant is similar to the .a variant, except that the body of the email it sends out may contain the following:
ROFL HELLO SAM HOWS UPZ. Partial message is available

This is a mass-mailing and peer-to-peer file-sharing worm that bears the following characteristics:
contains its own SMTP engine to construct outgoing messages
contains a backdoor component
contains a Denial of Service payload

Read more at this McAfee page.

Deadhat Worm Also Targets Systems Infected With Mydoom Virus

Some antivirus vendors also issued medium-level threat alerts for Worm_Deadhat.B, a memory-resident worm that propagates on systems that are infected with WORM_MYDOOM.A and WORM_MYDOOM.B, according to Trend Micro. It is also capable of spreading via the popular peer-to-peer file-sharing application, SoulSeek.

It has the following capabilities:

  • Drop itself as the file MSGSVR32.EXE in the Windows system folder
  • Enumerate all running processes
  • Terminate processes associated with antivirus programs
  • Terminate instances of WORM_MYDOOM.A and WORM_MYDOOM.B
  • Delete several system files such as BOOT.INI and AUTOEXEC.BAT
  • Open port 2766, connect to an Internet Relay Chat (IRC) server, and joins a channel to wait for malicious commands from a remote user

    It runs on Windows 98, ME, NT, 2000, and XP.

    Technical details are at this Trend Micro page.

    Deadhat.B is a worm with destructive effects that spreads through the peer-to-peer (P2P) file sharing program SoulSeek and via Internet, according to Panda Software. Deadhat.B causes the affected computer to not start up correctly, as it deletes files that are vital to its functioning.

    Deadhat.B ends processes belonging to some antivirus programs and firewalls, among others. This leaves the computer vulnerable to the attack of other malware. It also ends the processes belonging to Mydoom.A and Mydoom.B.

    In addition, Deadhat.B opens the TCP port 2766, connects to an IRC server, and waits for control commands to be carried out on the affected computer. It allows to download files to the computer, using a remote connection.

    Technical details are atthis Panda Software page.

    Virus Attempts to Move .Exe Files to New Folder

    Sophos has also issued a warning for W32/Order-A, a companion virus that attempts to move EXE files into the \Fonts folder and overwrite the original file with itself. The files in the fonts folder will be called .chaos. The original extension will be lost.

    Note that files in the Fonts folder cannot be seen using Explorer but can be seen from the command prompt.

    W32/Order-A may drop a file called Chaos.txt which contains the following text:
    Do you believe in a god that satisfies
    Do you believe in a god that opens eyes
    Do you believe in a god that tells you lies
    Or do you believe in me?
    Do you believe in a god that brings you down
    Do you believe in a god that wears a crown
    Do you believe in a god that makes you bow
    Or do you believe in me?
    ~ Marco V - Godd
    [Chaos] created by Xevion

    The lyrics are from a song called "Godd" by Marco V, a DJ based in the Netherlands.

    More information is at this Sophos page.

    Welchia Worm Tries to Download, Install Patch From Microsoft Site

    W32.Welchia.B.Worm is a variant of W32.Welchia.Worm. If the operation system version of the infected machine is Chinese, Korean, or English, the worm attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, install it, and then restart the computer. The worm also attempts to remove W32.Mydoom.A@mm and W32.Mydoom.B@mm worms. W32.Welchia.B.Worm exploits multiple vulnerabilities, including:

    The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm specifically targets Windows XP machines using this exploit.

    The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80. The worm specifically targets machines running Microsoft IIS 5.0 using this exploit. The worm's use of this exploit will impact Windows 2000 systems and may impact Windows NT/XP systems.

    The Workstation service buffer overrun vulnerability (described in Microsoft Security Bulletin MS03-049).

    The presence of the file %windir%\system32\drivers\svchost.exe is an indication of possible infection.

    This threat is compressed with UPX.

    Technical details are at this Symantec page.

    --Compiled by Esther Shein

  • CERT, ArcSight Partner With 3 Universities On Security Sharing
  • Netsky-D Ranked as High Risk
  • AntiOnline Security Spotlight: Firewalls and Honeypots
  • 12/28: W97M.Dinela a Macro Virus
  • Locking Up All of That 'Free Information'
  • McAfee Taps Grid Power, Web Services To Boost Security
  • 6/14: Dansh.worm!irc an IRC Bot
  • WIDCOMM Bluetooth a Virus Risk
  • 11/1: Fakepatch-A an Elf Executable
  • 1/31: Unfunner-A Worm Moves Via MSN Messenger
  • 11/11: Masteq-H Trojan Runs Silently
  • Security Camera Articles