Summary

| Field | Value |
|---|---|
| How it spreads | |
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 5 August 2004 08:28:48 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Download and install the Microsoft patches referenced under More Information. On standalone computers, install all relevant security patches from Windows Update.
More Information
W32/Nachi-K is a worm that spreads to computers at random IP addresses. It reaches them either through the backdoor left behind by the W32/MyDoom worms or by exploiting the following Microsoft buffer overflow vulnerabilities on unpatched hosts:
- Remote Procedure Call (RPC) DCOM vulnerability (MS03-039).
- IIS 5 WebDAV buffer overrun vulnerability (MS03-007).
- Microsoft Workstation Service vulnerability (MS03-049).
- Locator Service vulnerability (MS03-001).
For further information see the Microsoft Security Bulletins:
- Microsoft Security Bulletin MS03-001
- Microsoft Security Bulletin MS03-007
- Microsoft Security Bulletin MS03-039
- Microsoft Security Bulletin MS03-049
The worm connects to random IP addresses on TCP port 135 or 445 and exploits these buffer overflow vulnerabilities to execute a small amount of code (shellcode) on computers that have not been patched. That shellcode downloads the worm body and runs it. The worm serves its own executable on a random TCP port above 1024 on the attacking host, so the download shows up as a connection from the victim back to a high port on the scanner.
The worm also spreads to computers at random IP addresses that are infected with the W32/MyDoom worms, using the backdoor component those worms install, which listens on TCP ports.
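The two-stage propagation described above (a sweep of random addresses on 135/445, then the victim fetching the worm body from a high port on the scanner) leaves a recognisable pattern in flow or firewall logs. The following detection is an added example written for this page; it is not Sophos code. The flow record format, the sample records and the threshold of ten distinct targets are constructed assumptions.

```python
"""Flag hosts whose connection pattern matches the W32/Nachi-K propagation
described above: a burst of connections to many random targets on TCP 135/445,
followed by a scanned target connecting back to a port above 1024 on the
scanning host to fetch the worm body.

Added example, not Sophos analysis code. The Flow record shape, the sample
flows and MIN_DISTINCT_TARGETS are assumptions chosen for illustration."""
from collections import defaultdict
from dataclasses import dataclass

EXPLOIT_PORTS = {135, 445}     # ports named on the page
MIN_DISTINCT_TARGETS = 10      # assumption: a sweep touches many hosts quickly
EPHEMERAL_MIN = 1024           # the worm serves itself on a random port above this


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def scanners(flows, min_targets=MIN_DISTINCT_TARGETS):
    """Return {scanner_ip: set(distinct targets)} for every source that hit
    at least `min_targets` distinct destinations on the exploit ports."""
    targets = defaultdict(set)
    for f in flows:
        if f.dport in EXPLOIT_PORTS:
            targets[f.src].add(f.dst)
    return {src: t for src, t in targets.items() if len(t) >= min_targets}


def callbacks(flows, scanner_targets):
    """Return {scanner_ip: [(victim, port), ...]} for scanned targets that
    connected back to a high port on the scanner: the second stage, in which
    the victim's shellcode downloads the worm executable."""
    hits = defaultdict(list)
    for f in flows:
        if (f.dst in scanner_targets and f.src in scanner_targets[f.dst]
                and f.dport > EPHEMERAL_MIN):
            hits[f.dst].append((f.src, f.dport))
    return dict(hits)


def detect(flows):
    """Combine both stages. Returns a list of (scanner, n_targets, callbacks),
    sorted by scanner address; an empty list means nothing matched."""
    s = scanners(flows)
    cb = callbacks(flows, s)
    return [(src, len(t), cb.get(src, [])) for src, t in sorted(s.items())]


# Constructed sample: 10.0.0.5 sweeps 12 random addresses on 135/445 and one
# victim (10.0.7.3) connects back to port 3265 to fetch the worm body.
# 10.0.0.9 is a legitimate admin box talking to two file servers on 445.
SAMPLE_FLOWS = [Flow("10.0.0.5", f"10.0.{i}.3", 135 if i % 2 else 445)
                for i in range(1, 13)]
SAMPLE_FLOWS += [
    Flow("10.0.7.3", "10.0.0.5", 3265),
    Flow("10.0.0.9", "10.0.1.20", 445),
    Flow("10.0.0.9", "10.0.1.21", 445),
]

if __name__ == "__main__":
    for scanner, n, cbs in detect(SAMPLE_FLOWS):
        print(f"{scanner}: {n} targets on 135/445; callbacks to high ports: {cbs}")
```

A scanner with no observed callback is still worth looking at (the exploit may simply have failed everywhere), but a callback from a scanned target to a port above 1024 on the scanner is the strong signal. The page lists only ports 135 and 445; the WebDAV vulnerability (MS03-007) is reached over the web server's port 80, so a broader sweep would add that port to EXPLOIT_PORTS.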
When first run, the worm copies itself to %SYSTEM%\drivers\SVCHOST.EXE (note the drivers subfolder; the legitimate svchost.exe lives directly in %SYSTEM%) and creates a new service named WksPatch with the Startup Type set to Automatic, so that the service runs each time Windows is started.
W32/Nachi-K may test for the existence of an Internet connection by performing a DNS query for the following domain names:
- intel.com
- microsoft.com
- www.google.com
The display name of the new service is created by randomly combining one word from each of the following three lists:
- "System", "Security", "Remote", "Routing", "Performance", "Network", "License" or "Internet".
- "Logging", "Manager", "Procedure", "Accounts" or "Event".
- "Provider", "Sharing", "Messaging" or "Client".
For example: "Internet Manager Client".
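Because the display name is drawn from three short word lists, the set of names the worm can produce is finite (8 x 5 x 4 = 160), so a host check can match it exactly rather than pattern-guess, and combine it with the fixed service name and image path described above. The following is an added example for this page, not Sophos code; the service inventory format (one dict per service, as you might build from `sc query` output or the Win32_Service WMI class) and the sample inventory are constructed assumptions.

```python
"""Enumerate every service display name W32/Nachi-K can generate and match a
service inventory against the worm's host indicators described above: service
name WksPatch, image path %SYSTEM%\\drivers\\SVCHOST.EXE, and one of the 160
possible display names.

Added example, not Sophos analysis code. The inventory record shape and the
sample inventory are constructed assumptions."""
import itertools
import re

WORDS_1 = ("System", "Security", "Remote", "Routing",
           "Performance", "Network", "License", "Internet")
WORDS_2 = ("Logging", "Manager", "Procedure", "Accounts", "Event")
WORDS_3 = ("Provider", "Sharing", "Messaging", "Client")

# Every display name the worm can produce (160 strings), built from the three
# word lists on the page; exact-set matching avoids guessing from a pattern.
NACHI_DISPLAY_NAMES = frozenset(
    " ".join(words) for words in itertools.product(WORDS_1, WORDS_2, WORDS_3))

SERVICE_NAME = "WksPatch"
# The real svchost.exe lives in %SYSTEM%; the worm's copy sits in drivers\.
IMAGE_PATH_RE = re.compile(r"\\drivers\\svchost\.exe(?:\s|$)", re.IGNORECASE)


def indicators(svc):
    """Return the list of Nachi-K indicators one service record matches.
    `svc` is a dict with keys name, display_name, path, start_type."""
    hits = []
    if svc["name"].lower() == SERVICE_NAME.lower():
        hits.append("service name WksPatch")
    if svc["display_name"] in NACHI_DISPLAY_NAMES:
        hits.append("display name from worm word lists")
    if IMAGE_PATH_RE.search(svc["path"].strip('"')):
        hits.append("image path is drivers\\SVCHOST.EXE")
    return hits


def scan(inventory):
    """Return {service name: [indicators]} for every service matching at least one."""
    found = {}
    for svc in inventory:
        hits = indicators(svc)
        if hits:
            found[svc["name"]] = hits
    return found


# Constructed sample inventory: two legitimate services and one worm service.
# "Remote Procedure Call (RPC)" shares two words with the lists but is not a
# possible worm name, so exact matching does not flag it.
SAMPLE_INVENTORY = [
    {"name": "RpcSs", "display_name": "Remote Procedure Call (RPC)",
     "path": r"C:\WINDOWS\system32\svchost -k rpcss", "start_type": "Auto"},
    {"name": "WksPatch", "display_name": "Internet Manager Client",
     "path": r"C:\WINDOWS\System32\drivers\SVCHOST.EXE", "start_type": "Auto"},
    {"name": "Dhcp", "display_name": "DHCP Client",
     "path": r"C:\WINDOWS\system32\svchost.exe -k netsvcs", "start_type": "Auto"},
]

if __name__ == "__main__":
    for name, hits in scan(SAMPLE_INVENTORY).items():
        print(f"{name}: {'; '.join(hits)}")
```

A display-name match on its own is the weakest of the three indicators, since nothing stops unrelated software from choosing a name like "Network Event Client"; treat the service name and the drivers\SVCHOST.EXE image path as the decisive ones and the display name as corroboration.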
The worm tries to disable selected known malware by deleting files in the Windows System folder named shimgapi.dll, cftmon.dll, regedit.exe or intrenat.exe.
The worm deletes a service named RpcPatch (the service name used by earlier W32/Nachi variants) if it exists, and sets the following registry value if it is not already set:
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\ = "%SystemRoot%\System32\webcheck.dll"
If the registry value above was not already set, the worm also writes a new 'clean' HOSTS file at %SYSTEM%\drivers\etc\hosts. The new HOSTS file contains only an entry mapping localhost to the loopback address 127.0.0.1.
W32/Nachi-K may also try to download and install several Microsoft security hotfixes (not service packs) for Windows 2000 (KB828749) and Windows XP (KB828035), in Chinese, Korean and English language builds, if they have not already been installed:
http://download.microsoft.com/download/9/c/5/9c579720-63e9-478a-bdcb-70087ccad56c/Windows2000-KB828749-x86-CHS.exe
http://download.microsoft.com/download/0/8/4/084be8b7-e000-4847-979c-c26de0929513/Windows2000-KB828749-x86-KOR.exe
http://download.microsoft.com/download/3/c/6/3c6d56ff-ff8e-4322-84cb-3bf9a915e6d9/Windows2000-KB828749-x86-ENU.exe
http://download.microsoft.com/download/4/d/3/4d375d48-04c7-411f-959b-3467c5ef1e9a/WindowsXP-KB828035-x86-CHS.exe
http://download.microsoft.com/download/a/4/3/a43ea017-9abd-4d28-a736-2c17dd4d7e59/WindowsXP-KB828035-x86-KOR.exe
http://download.microsoft.com/download/e/a/e/eaea4109-0870-4dd3-88e0-a34035dc181a/WindowsXP-KB828035-x86-ENU.exe
This worm may delete the registry entries:
HKLM\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB828749
HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB828035
HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB828035
On some language versions of Windows the worm replaces files with the extension ASP, HTM, HTML, PHP, CGI, STM, SHTM or SHTML located in the %WINDOWS%\help\iishelp\common folder or in the web root folders listed under the following registry key:
HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\
The replacement file is a harmless HTML file containing the text "LET HISTORY TELL FUTURE !".
