Re: New anti-blaster worm attempts to fix RPC/DCOM vuln - W32/Nachi.worm

From: John Tate (exeleven_at_tpg.com.au)
Date: 08/21/03


Date: Thu, 21 Aug 2003 08:38:13 +1000

On Tue, 19 Aug 2003 16:01:53 +0000, R Green -WoWsat.com wrote:

> Wouldn't be surprised if Microsoft had released this worm in an effort to
> protect their own arse (ie. the windowsupdate site)..
It could well have been the same person who did Blaster. So what if it
isn't viral or DDoSing, maybe he just wanted to flood the internet with
crap, making it the third worm this year to do it, and all 3 being
Microsoft products.

And they say they know security.
>
> R Green
> Technical Support
> --------------------------
> WoWsat.com
> --------------------------
>
> "Lord Shaolin" <abuse@127.0.0.1> wrote in message
> news:vk3p2fsf5c01f9@corp.supernews.com...
>> Info from: http://www.security-forums.com/forum/viewtopic.php?t=7631
>>
>> Synopsis:
>> UPDATED: New variants of the MS Blast worm have been detected in the wild.
>> A new worm has also been discovered that exploits the MSRPC DCOM
>> vulnerability that is not related to the MS Blast variants. This new worm
>> has been labeled "Nachi", and also labeled incorrectly as a LovSan.D. The
>> Nachi worm has improved scanning logic, feature improvements, and
>> auto-patching functionality. It also propagates by an additional exploit
>> vector, exploiting the WebDAV vulnerability in Microsoft's IIS 5 Web Server.
>>
>> Impact:
>> UPDATED: The Nachi worm will infect vulnerable Windows XP machines using
>> the same exploit used by the MS Blast worm family. The main difference
>> between Nachi and MS Blast, is that Nachi will remove and disable MS Blast
>> infections that it encounters, and download and install the correct MSRPC
>> DCOM patch from Microsoft. This action will permanently close the MSRPC
>> DCOM vulnerability. The Nachi worm will not patch the WebDAV vulnerability
>> on Windows 2000 Servers.
>>
>> Description:
>> UPDATED: Nachi Worm
>> The Nachi worm is technically superior to its predecessors. Its scanning
>> logic is more robust, it has the ability to propagate more quickly and it
>> will clean computers infected with MS Blast. It contains an additional
>> exploit vector which exploits Microsoft IIS 5.0 via WebDAV. The Nachi worm
>> seems to have been designed for benevolent purposes only. There is no viral
>> or DDoS payload. Expanded technical details are included below:
>>
>> From ISS - http://xforce.iss.net/xforce/alerts/id/150
>>
>> Full info from Symantec:
>> http://www.sarc.com/avcenter/venc/data/w32.welchia.worm.html
>>
>> Removal tool:
>> http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html
>>
>> Original Blaster info:
>> http://www.security-forums.com/forum/viewtopic.php?t=7474
>>
>> Cheers
>>
>> --
>>
>> -+ Shaolin +-
>> Discard what is useless, absorb what is not and
>> add what is uniquely your own.
>>
>> .: http://www.security-forums.com :.
>>
>>
>>
