Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » W32/Nachi.A


Destructivity NONE NONE
Detection files published 17 Aug 2003 03:00:00
Description created 18 Aug 2003 08:21:00
Description updated 29 Aug 2003 04:35:00
Malware type WORM
Spreading mechanism NETWORK
Summary None



When this worm is executed, it will first check whether it is slready running by attempting to create a Mutex called "RpcPatch_Mutex".

If this succeeds it copies the Trivial FTP Server TFTPD.EXE from [SYSDIR]dllcache to [SYSDIR]WINSSVCHOST.EXE and registers this as a service.

It continues to register the worm file itself as a service on the infected machine under the name [SYSDIR]WINSDLLHOST.EXE.

The worm looks for and terminates any process if finds by the name of "msblast", and deletes any file by the name "msblast.exe" in the Windows system directory. This effectively cleans infections by the W32/Blaster.A worm.

If the year is 2004 or higher it quits at this point, removes the installed services, and terminates. However, the worm tests whether the time is exactly 2004; so it will start functioning again in 2005.

At this point it will start its spreading routines, of which there are two:

- One exploiting the WebDAV vulnerability - MS03-007
- One exploiting the DCOM RPC vulnerability- MS03-026

The worm will also attempt to download and install patches to close the DCOM RPC security hole.

Payload Details





The worm is detected using definition files from 18 August 2003 or later. To completely remove the worm and make sure that your computer is not vulnerable to similar malware in the future you should: Download and install Microsoft patches MS03-026 and MS03-007 (see links above). You may have to download these patches to a non-infected computer and bring them to your infected computer on a removable media like a floppy or a CD. Run Lumension Malware Cleaner as described below.

Last Updated: 12 Nov 2015 11:06:10