Re: ? Nachi-worm over

From: A (anonymous_at_discussions.microsoft.com)
Date: 01/20/04


Date: Tue, 20 Jan 2004 04:27:57 -0800

Take it elsewhere. This is a technical support newsgroup, not
a chatroom.

>-----Original Message-----
>Paul!
>Wow, long time no see (or hear!) How are you doing? Good to see you around.
>Still taking any photos?
>
>--
>Tedd Riggs
>PDA Square Content Developer
>www.pdasquare.com
>
>
>"Paul [MSFT]" <pauly@online.microsoft.com> wrote in message
>news:3cr4$$u3DHA.1512@cpmsftngxa07.phx.gbl...
>>
>> Hi Alec,
>>
>> Regarding your post:
>>
>> --------------------
>> | From: "Alec Soroudi" <a@a.com>
>> | Subject: ? Nachi-worm over
>> | Date: Mon, 5 Jan 2004 11:23:12 -0500
>> |
>> | Hi,
>> |
>> | Well it's 2004 and the Nachi.worm should have deleted itself. However,
>> | I have heard reports from people that they are still infected. I have
>> | completed my batch file to remove the Nachi.worm. I really, really hate
>> | this thing since if you start a clean install of Windows on a clean hard
>> | drive, then by the time the install is done and you see the desktop for
>> | the first time, you are already infected (with an always-on-Internet
>> | connection). Plus the worm tries to make you think that it's part of
>> | Windows.
>> |
>> | Anyway, I finally got around to writing the batch file in about 15
>> | minutes this morning when I got another email from someone asking me how
>> | they can remove it. I've attached it here as a zip file. Since it's a
>> | batch file, it's plain text and you can look at what it does. This is
>> | good since you can also learn a few details about the Nachi.worm: 2 files in
>> | windows\system32: SVCHOST.EXE and DLLHOST.EXE, and 2 services associated
>> | with those files: RpcPatch and RpcTftpd. The batch file removes the
>> | files and the services.
>> | HTH
>> | --
>> | Alec S.
>> | alec @ synetech . cjb . net
>> |
>>
>> Microsoft has taken steps recently to assist all connected clients remove
>> Blaster/Nachi related worm files on infected systems.
>>
>> Please review the following:
>>
>> 833330 A tool is available to remove Blaster worm and Nachi worm infections
>> http://support.microsoft.com/?id=833330
>>
>> Blaster Worm FAQ:
>> http://www.microsoft.com/security/incident/blast_faq.asp
>>
>> Blaster Worm Security Bulletin:
>> http://www.microsoft.com/security/incident/blast.asp
>>
>> 826955 Virus Alert About the Blaster Worm and Its Variants
>> http://support.microsoft.com/?id=826955
>>
>> 826234 Virus Alert About the Nachi Worm
>> http://support.microsoft.com/?id=826234
>>
>> =========
>>
>> This posting is provided "AS IS" with no warranties, and confers no rights.
>>
>> Windows XP Security Homepage:
>> http://www.microsoft.com/windowsxp/security/default.asp
>>
>> Windows 2000 Security Homepage:
>> http://www.microsoft.com/windows2000/security/default.asp
>>
>> Top 10 Windows Newsgroups Security Questions:
>> http://www.microsoft.com/technet/newsgroups/default.asp?url=/technet/newsgroups/nodepages/sectop10.asp
>>
>> =========
>> Paul Hayes, MCSE
>> Product Support Services
>> Microsoft Corporation
>> pauly@online.microsoft.com
>>
>
>
>---
>Outgoing mail is certified Virus Free.
>Checked by AVG anti-virus system (http://www.grisoft.com).
>Version: 6.0.562 / Virus Database: 354 - Release Date: 1/16/04
>
>
>.
>


