Re: New anti-blaster worm attempts to fix RPC/DCOM vuln - W32/Nachi.worm
From: R Green -WoWsat.com (wow_at_wowsat.com)
Date: 08/19/03
- Next message: news.planet.nl: "Re: Computer Security"
- Previous message: Lord Shaolin: "New Sobig variation on the loose W32/Sobig.F-mm"
- In reply to: Lord Shaolin: "New anti-blaster worm attempts to fix RPC/DCOM vuln - W32/Nachi.worm"
- Next in thread: J. Reilink: "Re: New anti-blaster worm attempts to fix RPC/DCOM vuln - W32/Nachi.worm"
- Reply: J. Reilink: "Re: New anti-blaster worm attempts to fix RPC/DCOM vuln - W32/Nachi.worm"
- Reply: John Tate: "Re: New anti-blaster worm attempts to fix RPC/DCOM vuln - W32/Nachi.worm"
Date: Tue, 19 Aug 2003 16:01:53 GMT
Wouldn't be surprised if Microsoft had released this worm in an effort to
protect their own arse (i.e. the windowsupdate site)..
R Green
Technical Support
--------------------------
WoWsat.com
--------------------------
"Lord Shaolin" <abuse@127.0.0.1> wrote in message
news:vk3p2fsf5c01f9@corp.supernews.com...
> Info from: http://www.security-forums.com/forum/viewtopic.php?t=7631
>
> Synopsis:
> UPDATED: New variants of the MS Blast worm have been detected in the wild.
> A new worm has also been discovered that exploits the MSRPC DCOM
> vulnerability that is not related to the MS Blast variants. This new worm
> has been labeled "Nachi", and also labeled incorrectly as a LovSan.D. The
> Nachi worm has improved scanning logic, feature improvements, and
> auto-patching functionality. It also propagates by an additional exploit
> vector, exploiting the WebDAV vulnerability in Microsoft's IIS 5 Web Server.
>
> Impact:
> UPDATED: The Nachi worm will infect vulnerable Windows XP machines using
> the same exploit used by the MS Blast worm family. The main difference
> between Nachi and MS Blast, is that Nachi will remove and disable MS Blast
> infections that it encounters, and download and install the correct MSRPC
> DCOM patch from Microsoft. This action will permanently close the MSRPC
> DCOM vulnerability. The Nachi worm will not patch the WebDAV vulnerability
> on Windows 2000 Servers.
>
> Description:
> UPDATED: Nachi Worm
> The Nachi worm is technically superior to its predecessors. Its scanning
> logic is more robust, it has the ability to propagate more quickly and it
> will clean computers infected with MS Blast. It contains an additional
> exploit vector which exploits Microsoft IIS 5.0 via WebDAV. The Nachi worm
> seems to have been designed for benevolent purposes only. There is no viral
> or DDoS payload. Expanded technical details are included below:
>
> From ISS - http://xforce.iss.net/xforce/alerts/id/150
>
> Full info from Symantec:
> http://www.sarc.com/avcenter/venc/data/w32.welchia.worm.html
>
> Removal tool:
> http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html
>
> Original Blaster info:
> http://www.security-forums.com/forum/viewtopic.php?t=7474
>
> Cheers
>
> --
>
> -+ Shaolin +-
> Discard what is useless, absorb what is not and
> add what is uniquely your own.
>
> .: http://www.security-forums.com :.
>
>
>