Threat Encyclopedia


Win32/Nachi.A

Aliases: Worm.Win32.Welchia, W32/Welchia, WORM_MSBLAST.D, Lovsan.D

Win32/Nachi.A runs on the Windows 2000 and XP operating systems and attacks Microsoft IIS as well. To propagate, it exploits the vulnerability described at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp. Another vulnerability the worm may exploit is described at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-007.asp. The respective security patches are available at those locations.

Note: In the following text, the symbolic name %windir% stands for the directory in which the Windows operating system is installed; this differs from installation to installation. The name %system% stands for the System or System32 subdirectory of %windir%.

Win32/Nachi.A searches for computers vulnerable on TCP port 135 or 80 by generating random IP addresses. Exploiting one of the aforementioned vulnerabilities, the worm causes its files to be downloaded to the destination computer through FTP.

On the destination computer, the worm copies itself to the %system%/wins/ directory as dllhost.exe. In the same %system%/wins/ directory, it creates the file svchost.exe. The worm ensures its activation by creating registry keys: in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services key, the entries RpcPatch and RpcTftpd are created.
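A host-side check for the artifacts just listed, added here as an example (not ESET's code or part of this entry). It assumes %system% is System32, as on Windows 2000/XP, and the snapshot_windows helper with its registry enumeration is the example's own; the pure matcher can be exercised off-Windows with a constructed snapshot.

```python
import os
import sys

# Artifacts of Win32/Nachi.A as listed on this page. File paths are relative to
# %system% (System32 on Windows 2000/XP). The worm's copies live in the wins\
# subdirectory; the legitimate dllhost.exe and svchost.exe sit directly in
# %system%, so matching on the bare file name alone would be a false positive.
NACHI_FILES = (r"wins\dllhost.exe", r"wins\svchost.exe")
NACHI_SERVICES = ("RpcPatch", "RpcTftpd")
SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"


def match_indicators(system_dir, existing_files, service_names):
    """Compare a host snapshot with the indicators above (pure function).
    existing_files: absolute paths present on the host; service_names: subkey
    names under HKLM\\SYSTEM\\CurrentControlSet\\Services. Returns
    (matched_files, matched_services); both empty means no indicator hit."""
    present = {p.lower() for p in existing_files}      # case-insensitive FS
    svcs = {s.lower() for s in service_names}          # registry is too
    files = []
    for rel in NACHI_FILES:
        full = system_dir.rstrip("\\") + "\\" + rel    # full path under %system%
        if full.lower() in present:
            files.append(full)
    services = [n for n in NACHI_SERVICES if n.lower() in svcs]
    return files, services


def snapshot_windows():
    """Live collector, Windows only (assumed helper, not from the page)."""
    import winreg  # Windows-only module, so imported here
    system_dir = os.path.join(os.environ["WINDIR"], "System32")
    files = [p for p in (system_dir + "\\" + r for r in NACHI_FILES)
             if os.path.exists(p)]
    services = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICES_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):  # [0] = subkey count
            services.append(winreg.EnumKey(key, i))
    return system_dir, files, services


if __name__ == "__main__":
    if sys.platform == "win32":
        files, services = match_indicators(*snapshot_windows())
    else:  # constructed sample snapshot so the script also runs off-Windows
        files, services = match_indicators(
            r"C:\WINDOWS\System32",
            [r"C:\WINDOWS\System32\svchost.exe",
             r"C:\WINDOWS\System32\wins\svchost.exe"],
            ["RpcSs", "RpcTftpd"])
    print("Nachi.A indicators:" if files or services else "clean", files, services)
```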

Win32/Nachi.A terminates the process msblast and deletes the file %System%\msblast.exe. By doing so, the Win32/Lovsan.A worm is completely eradicated from the computer.

Win32/Nachi.A attempts to connect to Microsoft Windows Update and download the patch for the vulnerability described at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp. After the patch has been downloaded successfully, it is executed and the computer is restarted. In this way Win32/Nachi.A prevents your computer from being infected by the Win32/Lovsan.A worm.

NOD32 has detected the worm since version 1.487.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.