Center for Information Technology Antivirus
Virus Archives

W32/Nachi

Last Updated 8/19/03 11:04am

A new worm, W32/Nachi.worm, is spreading in the wild. The worm takes advantage of the Microsoft DCOM RPC vulnerability (see "What's New") and the WebDAV vulnerability (see Security Bulletin MS03-007). Presently the worm's actions appear to be replication and the installation of a trojan horse. In addition, the replication attempts are causing an effective denial of service (DoS) due to the large amount of ICMP network traffic they generate. Despite being labeled a "good worm" in the media, Nachi is engineered to maintain ownership of any hosts it compromises.

The worm appears to remove the vulnerability that it used to gain access. This is done to ensure that no future worm can remove this worm by using the same vulnerabilities. It then listens on TCP port 707 for commands to the trojan horse it installs. See "What's New" regarding patch information.

The worm copies itself to the WINS subdirectory of the default Windows system directory (e.g. C:\Windows\System32\WINS) as dllhost.exe and creates a copy of TFTP.EXE as the file Svchost.exe.
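The host indicators described above (a listener on TCP port 707, dllhost.exe in the WINS subdirectory, and an Svchost.exe that is a copy of TFTP.EXE) can be checked with a short triage script. This is an added example, not part of the original advisory; it assumes `netstat -an` style text and a file inventory of path-to-digest pairs as input, and the function names and sample data are constructed for illustration.

```python
import ntpath
import re

# Constructed sample data (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:707            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1707          10.0.0.9:445           ESTABLISHED
  UDP    0.0.0.0:707            *:*
"""
# path -> content digest; the digests are short constructed placeholders.
SAMPLE_FILES = {
    r"C:\Windows\System32\dllhost.exe": "aa11",
    r"C:\Windows\System32\svchost.exe": "bb22",
    r"C:\Windows\System32\tftp.exe": "cc33",
    r"C:\Windows\System32\WINS\dllhost.exe": "dd44",
    r"C:\Windows\System32\WINS\svchost.exe": "cc33",
}

LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\b", re.I)

def listening_tcp_ports(netstat_text):
    """Return the set of TCP ports in LISTENING state from `netstat -an` text."""
    ports = set()
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def nachi_indicators(netstat_text, files):
    """Return a sorted list of findings matching the advisory's description."""
    findings = []
    if 707 in listening_tcp_ports(netstat_text):
        findings.append("TCP port 707 is listening")
    # Digests of every tftp.exe in the inventory, for the copy comparison.
    tftp_digests = {d for p, d in files.items()
                    if ntpath.basename(p).lower() == "tftp.exe"}
    for path, digest in files.items():
        name = ntpath.basename(path).lower()
        parent = ntpath.basename(ntpath.dirname(path)).lower()
        # The legitimate dllhost.exe sits in System32 itself, not in WINS.
        if name == "dllhost.exe" and parent == "wins":
            findings.append(f"dllhost.exe in WINS subdirectory: {path}")
        if name == "svchost.exe" and digest in tftp_digests:
            findings.append(f"svchost.exe is a copy of tftp.exe: {path}")
    return sorted(findings)

if __name__ == "__main__":
    for finding in nachi_indicators(SAMPLE_NETSTAT, SAMPLE_FILES):
        print(finding)
```

A port 707 listener alone is a weak signal; the file checks are what tie a finding to the behavior described in this advisory.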

NAI detects and removes W32/Nachi.Worm with the 4287 DAT/SuperDAT. The 4287 DAT/SuperDAT is now available.

Symantec Antivirus definitions dated 08-19-2003 or later detect and remove the W32/Nachi worm. Use the Symantec (Norton) LiveUpdate feature of Symantec Antivirus to update your software.

The Nachi/Blaster (Stinger.exe) removal tool is available here (Stinger version 1.8.3).

More information will be posted as it becomes available.

This archive is not intended to be comprehensive. For a more complete virus library, please visit NAI's Virus Information Library at http://vil.nai.com.

Contact TASC for assistance or call
301.59.Go.CIT (V) 301.496.8294 (TDD)

Center for Information Technology
National Institutes of Health
Bethesda, Maryland 20892


Department of Health and Human Services
Washington, D.C. 20201