Re: New anti-blaster worm attempts to fix RPC/DCOM vuln - W32/Nachi.worm
From: R Green -WoWsat.com (wow_at_wowsat.com)
Date: Tue, 19 Aug 2003 16:01:53 GMT
Wouldn't be surprised if Microsoft had released this worm in an effort to
protect their own arse (i.e. the windowsupdate site).
"Lord Shaolin" <email@example.com> wrote in message
> Info from: http://www.security-forums.com/forum/viewtopic.php?t=7631
> UPDATED: New variants of the MS Blast worm have been detected in the wild.
> A new worm has also been discovered that exploits the MSRPC DCOM
> vulnerability that is not related to the MS Blast variants. This new worm
> has been labeled "Nachi", and also labeled incorrectly as a LovSan.D. The
> Nachi worm has improved scanning logic, feature improvements, and auto-
> patching functionality. It also propagates by an additional exploit
> exploiting the WebDAV vulnerability in Microsoft's IIS 5 Web Server.
> UPDATED: The Nachi worm will infect vulnerable Windows XP machines using
> the same exploit used by the MS Blast worm family. The main difference
> between Nachi and MS Blast, is that Nachi will remove and disable MS Blast
> infections that it encounters, and download and install the correct MSRPC
> DCOM patch from Microsoft. This action will permanently close the MSRPC
> DCOM vulnerability. The Nachi worm will not patch the WebDAV vulnerability
> on Windows 2000 Servers.
> UPDATED: Nachi Worm
> The Nachi worm is technically superior to its predecessors. Its scanning
> logic is more robust, it has the ability to propagate more quickly and it
> will clean computers infected with MS Blast. It contains an additional
> vector which exploits Microsoft IIS 5.0 via WebDAV. The Nachi worm seems to
> have been designed for benevolent purposes only. There is no viral or DDoS
> payload. Expanded technical details are included below:
> From ISS - http://xforce.iss.net/xforce/alerts/id/150
> Full info from Symantec:
> Removal tool:
> Original Blaster info:
> -+ Shaolin +-
> Discard what is useless, absorb what is not and
> add what is uniquely your own.
> .: http://www.security-forums.com :.