Sophos

W32/Nachi-D

Aliases
  • Worm.Win32.Welchia.d
  • W32.Welchia.D.Worm
  • WORM_NACHI.D
  • W95/Nachi.D
Summary

Protection available since 27 February 2004 16:49:24 (GMT)
Detected by all Sophos products

More Information

W32/Nachi-D is a worm that spreads to random IP addresses, targeting computers that are either already infected with W32/MyDoom-A or are unpatched against the following Microsoft buffer-overflow vulnerabilities: DCOM RPC, WebDAV in IIS 5, the Workstation Service and the Locator Service.

For further information see Microsoft Security Bulletins MS03-026 (DCOM RPC), MS03-007 (WebDAV), MS03-049 (Workstation Service) and MS03-001 (Locator Service).

The worm connects to random IP addresses on TCP port 135 or 445 and exploits these buffer overflows to execute a small amount of code on computers that have not been patched. That code downloads the worm from the attacking host and runs it; the infected host serves its own executable for download from a random TCP port above 1024.

The worm also spreads to computers infected with W32/MyDoom-A through the backdoor component that W32/MyDoom-A installs, which accepts connections on TCP port 3127.

When first run the worm copies itself to <SYSTEM>\drivers\svchost.exe and creates a new service named WksPatch with the Startup Type set to Automatic, so that the worm is run each time Windows starts. Note the location: the legitimate svchost.exe lives in <SYSTEM>, not in <SYSTEM>\drivers.

The display name of the new service is built by randomly choosing one word from each of the following three lists and joining them with spaces:

  • "System", "Security", "Remote", "Routing", "Performance", "Network", "License" or "Internet"
  • "logging", "Manager", "Procedure", "Accounts" or "Event"
  • "provider", "sharing", "Messaging" or "Client"

For example: "System logging provider". There are 8 x 5 x 4 = 160 possible display names.

The worm tries to disable other known malware by deleting files named intrenat.exe, Regedit.exe, shimgapi.dll, cftmon.dll, Explorer.exe or TaskMon.exe in the Windows System folder, and by deleting the following registry entries (if they exist):

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Gremlin
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Nerocheck
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Shimgapi.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Explorer
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Explorer

The worm deletes a service named RpcPatch (the service installed by the earlier W32/Nachi-A) if it exists, and creates the following registry entry if it is not already present:

HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 = "<SystemRoot>\System32\webcheck.dll"

If that registry entry did not already exist, the worm also writes a new 'clean' HOSTS file at <SYSTEM>\drivers\etc\hosts. The new HOSTS file contains only an entry mapping localhost to the loopback address 127.0.0.1, so any other entries, whether added by malware or legitimately by an administrator, are lost.

The worm may also try to download and install the latest service packs for Windows 2000 and Windows XP if they have not already been installed. This happens only after the computer has already been compromised and should not be treated as remediation: the host must still be cleaned and patched through normal channels.

On some language versions of Windows the worm overwrites files with the extensions ASP, HTM, PHP, CGI, STM, SHTM or SHTML in the <WINDOWS>\help\iishelp\common folder and in the IIS virtual roots listed under the following registry key:

HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\

Each such file is replaced with a harmless HTML file containing the text "LET HISTORY TELL FUTURE !".
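The two host-side indicators above, the WksPatch service with its generated display name and the defaced web content, can be checked mechanically. The following is an added example written for this page, not Sophos code: it enumerates all 160 possible display names, flags service records that match the page's description (name WksPatch, or a binary under <SYSTEM>\drivers\svchost.exe, or a generated display name on an automatic-start service), and scans a web root for files with the listed extensions whose body is the replacement page. The service records and the web-root files are constructed sample data; on a real host you would feed in the output of `sc query`/`sc qc` and the paths from the IIS virtual roots key.

```python
"""
Added example (not Sophos code): host-side checks for the W32/Nachi-D
artefacts described on this page. All input data below is constructed.
"""
import itertools
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Iterable, List, Set

# The three word lists the worm combines into a service display name.
FIRST = ["System", "Security", "Remote", "Routing", "Performance",
         "Network", "License", "Internet"]
SECOND = ["logging", "Manager", "Procedure", "Accounts", "Event"]
THIRD = ["provider", "sharing", "Messaging", "Client"]

DEFACEMENT_TEXT = "LET HISTORY TELL FUTURE !"
WEB_EXTENSIONS = {".asp", ".htm", ".php", ".cgi", ".stm", ".shtm", ".shtml"}


def display_names() -> Set[str]:
    """Every display name the worm can generate (8 * 5 * 4 = 160)."""
    return {" ".join(words) for words in itertools.product(FIRST, SECOND, THIRD)}


@dataclass
class ServiceRecord:
    name: str          # short service name, as shown by `sc query`
    display_name: str
    image_path: str    # BINARY_PATH_NAME from `sc qc`
    start_type: str    # "auto", "demand", "disabled", ...


def is_nachi_service(svc: ServiceRecord) -> bool:
    """
    Match the page's description of the worm's service: named WksPatch, or
    running <SYSTEM>\\drivers\\svchost.exe (the legitimate svchost.exe lives
    in System32, never in System32\\drivers), or an automatic-start service
    carrying one of the generated display names.
    """
    if svc.name.lower() == "wkspatch":
        return True
    path = svc.image_path.strip('"').lower()
    in_drivers = re.search(r"\\drivers\\svchost\.exe(\s|$)", path) is not None
    generated_name = (svc.display_name in display_names()
                      and svc.start_type.lower() == "auto")
    return in_drivers or generated_name


def find_defaced_files(root: str) -> List[str]:
    """Return web content files under `root` whose body is the worm's replacement page."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if os.path.splitext(fn)[1].lower() not in WEB_EXTENSIONS:
                continue  # the worm only touches the listed extensions
            full = os.path.join(dirpath, fn)
            try:
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    if DEFACEMENT_TEXT in fh.read():
                        hits.append(full)
            except OSError:
                continue
    return sorted(hits)


# Constructed sample service table, not taken from a real host.
SAMPLE_SERVICES = [
    ServiceRecord("Dhcp", "DHCP Client",
                  r"C:\WINDOWS\system32\svchost.exe -k netsvcs", "auto"),
    ServiceRecord("WksPatch", "System logging provider",
                  r"C:\WINDOWS\system32\drivers\svchost.exe", "auto"),
    ServiceRecord("Spooler", "Print Spooler",
                  r"C:\WINDOWS\system32\spoolsv.exe", "auto"),
]


def flagged_services(services: Iterable[ServiceRecord] = SAMPLE_SERVICES) -> List[str]:
    """Names of services that look like the worm's WksPatch service."""
    return [s.name for s in services if is_nachi_service(s)]


def demo_defacement_scan() -> List[str]:
    """Build a throwaway web root with one defaced and two clean files, then scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "iishelp", "common"))
        with open(os.path.join(root, "iishelp", "common", "404b.htm"), "w") as fh:
            fh.write("<html><body>LET HISTORY TELL FUTURE !</body></html>")
        with open(os.path.join(root, "default.asp"), "w") as fh:
            fh.write('<% Response.Write("hello") %>')
        with open(os.path.join(root, "readme.txt"), "w") as fh:
            fh.write(DEFACEMENT_TEXT)  # wrong extension: must be ignored
        return [os.path.relpath(p, root).replace(os.sep, "/")
                for p in find_defaced_files(root)]


if __name__ == "__main__":
    print("possible display names:", len(display_names()))
    print("flagged services:", flagged_services())
    print("defaced files:", demo_defacement_scan())
```

The display-name match is deliberately combined with the start type, since a name such as "Network Event Client" is plausible for legitimate software; the binary path under <SYSTEM>\drivers is the stronger indicator and is checked on its own.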

When the worm is run after July 2004 it removes itself from the computer. The absence of the worm's files after that date therefore does not show that a host was never infected; the registry and HOSTS file changes described above may remain.
