Sophos

W32/Nachi-B

Aliases
  • W32/Welchia.B.Worm
  • Welchi.B
  • W32/Nachi.B
  • W32/Nachi.worm.b

Summary

Included in our products from April 2004 (3.80)
Protection available since 12 February 2004 03:53:20 (GMT)
Detected by All Sophos products

More Information

W32/Nachi-B is a worm that attempts to remove files associated with the W32/MyDoom-A and W32/MyDoom-B worms.

W32/Nachi-B spreads by exploiting the following Microsoft vulnerabilities:

- Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability

Microsoft issued a patch for the vulnerability exploited by this worm on July 16, 2003. The patch is available from http://www.microsoft.com/technet/security/bulletin/MS03-026.asp. MS03-026 has been superseded by Microsoft security bulletin MS03-039.

- WebDAV vulnerability and IIS5/WEBDAV Buffer Overrun vulnerability

Microsoft issued a patch for the vulnerability exploited by this worm on March 17, 2003. The patch is available from http://www.microsoft.com/technet/security/bulletin/MS03-007.asp.

When run, the worm copies itself to the drivers subfolder of the Windows system folder under the filename svchost.exe (the genuine svchost.exe lives directly in the system folder, not in drivers). The worm also tries to download and execute some of the following Microsoft patches:

http://download.microsoft.com/download/4/d/3/4d375d48-04c7-411f-959b-3467c5ef1e9a/WindowsXP-KB828035-x86-CHS.exe

http://download.microsoft.com/download/a/4/3/a43ea017-9abd-4d28-a736-2c17dd4d7e59/WindowsXP-KB828035-x86-KOR.exe

http://download.microsoft.com/download/e/a/e/eaea4109-0870-4dd3-88e0-a34035dc181a/WindowsXP-KB828035-x86-ENU.exe

http://download.microsoft.com/download/9/c/5/9c579720-63e9-478a-bdcb-70087ccad56c/Windows2000-KB828749-x86-CHS.exe

http://download.microsoft.com/download/0/8/4/084be8b7-e000-4847-979c-c26de0929513/Windows2000-KB828749-x86-KOR.exe

http://download.microsoft.com/download/3/c/6/3c6d56ff-ff8e-4322-84cb-3bf9a915e6d9/Windows2000-KB828749-x86-ENU.exe

Every twenty minutes W32/Nachi-B checks for a live internet connection by attempting to connect to microsoft.com, intel.com or google.com. If a connection succeeds, it attempts to infect random IP addresses.

W32/Nachi-B is programmed to uninstall itself from June 2004 onwards.

W32/Nachi-B may overwrite files with the extensions SHTML, SHTM, STM, CGI, PHP, HTML, HTM and ASP with an HTML page containing the following text:

LET HISTORY TELL FUTURE !

1931.9.18
1937.7.7
1937.12.13 300,000 !

1941.12.7
1945.8.6 Little boy
1945.8.9 Fatso

1945.8.15

Let history tell future !
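The following triage helper is an added example, not Sophos code, and checks two of the host-side indicators described above: a svchost.exe copy in the drivers subfolder of the system folder, and web content files with one of the listed extensions that contain the "LET HISTORY TELL FUTURE !" defacement text. The directory layout it scans is constructed in a temporary folder so the script runs offline; the folder names system32 and wwwroot are assumptions for the demo, and on a real host you would point the two functions at the actual system folder and web root.

```python
"""Triage helper for the W32/Nachi-B indicators described above (added example)."""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

# Extensions the description says the worm may overwrite.
DEFACED_EXTENSIONS = {".shtml", ".shtm", ".stm", ".cgi", ".php", ".html", ".htm", ".asp"}
# Marker text that appears in the dropped HTML page.
DEFACEMENT_MARKER = b"LET HISTORY TELL FUTURE !"
# The dropped copy: svchost.exe inside the drivers subfolder of the system folder.
# The genuine svchost.exe lives directly in the system folder, so the drivers
# location, not the filename, is what makes this an indicator.
DROPPER_NAME = "svchost.exe"
DROPPER_DIR = "drivers"


def find_dropper(system_dir: Path) -> list[Path]:
    """Return any svchost.exe found directly in system_dir/drivers."""
    drivers = system_dir / DROPPER_DIR
    if not drivers.is_dir():
        return []
    return [p for p in drivers.iterdir()
            if p.is_file() and p.name.lower() == DROPPER_NAME]


def find_defaced_files(web_root: Path) -> list[Path]:
    """Walk web_root and return files with a targeted extension that contain the marker."""
    hits: list[Path] = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in DEFACED_EXTENSIONS:
                continue  # the worm only overwrites the listed extensions
            try:
                with p.open("rb") as fh:
                    head = fh.read(4096)  # the defacement page is a few hundred bytes
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if DEFACEMENT_MARKER in head:
                hits.append(p)
    return hits


def triage(root: Path) -> dict[str, list[str]]:
    """Run both checks under root (assumed layout: root/system32 and root/wwwroot)."""
    dropper = find_dropper(root / "system32")
    defaced = find_defaced_files(root / "wwwroot")
    return {
        "dropper": sorted(p.relative_to(root).as_posix() for p in dropper),
        "defaced": sorted(p.relative_to(root).as_posix() for p in defaced),
    }


def build_sample_tree(root: Path) -> None:
    """Construct a sample layout (not real worm output) with one of each indicator."""
    system_dir = root / "system32"
    (system_dir / DROPPER_DIR).mkdir(parents=True)
    (system_dir / "svchost.exe").write_bytes(b"MZ legitimate")              # expected location
    (system_dir / DROPPER_DIR / "svchost.exe").write_bytes(b"MZ dropped")   # indicator
    web = root / "wwwroot"
    (web / "sub").mkdir(parents=True)
    (web / "index.htm").write_bytes(b"<html>" + DEFACEMENT_MARKER + b"</html>")  # defaced
    (web / "sub" / "page.php").write_bytes(b"<?php echo 'ok'; ?>")                 # clean
    (web / "notes.txt").write_bytes(DEFACEMENT_MARKER)  # marker, but not a targeted extension


def run_demo() -> dict[str, list[str]]:
    """Build the constructed tree in a temp dir and return the triage findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    print(run_demo())
```

The extension filter matters: the notes.txt file in the constructed tree carries the same marker but is not reported, because the description only lists the eight web content extensions, and a real web root commonly contains copies of page text in logs or backups that would otherwise produce noise.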
