W32/Nachi-A

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Several Reports


W32/Nachi-A is a worm that spreads using the RPC DCOM vulnerability in a similar fashion to the W32/Blaster-A worm.

Microsoft issued a patch for the vulnerability exploited by this worm on July 16, 2003. The patch is available from http://www.microsoft.com/technet/security/bulletin/MS03-026.asp.

The worm also attempts to spread using a buffer overflow exploit against the ntdll.dll library in several versions of Microsoft Windows. The exploit is delivered through a SEARCH request of the WebDAV protocol.

Microsoft issued a patch for the vulnerability exploited by this worm on March 17, 2003. The patch is available from http://www.microsoft.com/technet/security/bulletin/MS03-007.asp.

W32/Nachi-A uses two files, dllhost.exe (10,240 bytes) and svchost.exe (19,728 bytes). Dllhost.exe is the main worm component and svchost.exe is a standard TFTP (Trivial File Transfer Protocol) server that is only used by the worm to transfer itself from a source to a target machine.

When the worm is run, it copies itself into the <Windows System>\Wins folder as dllhost.exe and uses the Windows Service Control Manager to create two new Windows services, RpcPatch and RpcTftpd.

RpcPatch, with the description "Network Connections Sharing", runs the copy of the worm, and RpcTftpd, with the description "WINS Client", runs the accompanying TFTP server.
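The service names, descriptions and file locations above are what a defender checks for on a suspect host. The following is an added example, not code from the original page or from the vendor: it runs those checks over constructed service and file records (the `Service` records and sample paths are assumptions standing in for real SCM and directory output). Because dllhost.exe and svchost.exe are also the names of legitimate Windows binaries, the file check keys on the Wins subfolder rather than on the name alone.

```python
import re
from dataclasses import dataclass

@dataclass
class Service:
    """One Service Control Manager entry (name, description, binary path)."""
    name: str
    description: str
    binary_path: str

# Service names and descriptions the worm registers (see the description above).
NACHI_SERVICES = {
    "rpcpatch": "Network Connections Sharing",
    "rpctftpd": "WINS Client",
}
# Legitimate dllhost.exe/svchost.exe live in the System folder; the worm's copies sit in its Wins subfolder.
WINS_COPY = re.compile(r"\\wins\\(dllhost|svchost)\.exe\b", re.IGNORECASE)

def check_services(services):
    """Return one finding per indicator matched by a service entry."""
    findings = []
    for svc in services:
        expected_desc = NACHI_SERVICES.get(svc.name.lower())
        if expected_desc is not None:
            findings.append(f"{svc.name}: service name used by W32/Nachi-A")
            if svc.description == expected_desc:
                findings.append(f"{svc.name}: description '{svc.description}' matches")
        if WINS_COPY.search(svc.binary_path):
            findings.append(f"{svc.name}: binary {svc.binary_path} is in the Wins folder")
    return findings

def check_files(paths):
    """Return the paths that match the worm's file locations (case-insensitive)."""
    return [p for p in paths if WINS_COPY.search(p)]

# Constructed sample input standing in for 'sc query' output and a directory listing.
SAMPLE_SERVICES = [
    Service("Dhcp", "DHCP Client", r"C:\WINNT\system32\svchost.exe -k netsvcs"),
    Service("RpcPatch", "Network Connections Sharing", r"C:\WINNT\system32\wins\DLLHOST.EXE"),
    Service("RpcTftpd", "WINS Client", r"C:\WINNT\system32\wins\svchost.exe"),
]
SAMPLE_FILES = [
    r"C:\WINNT\system32\dllhost.exe",       # legitimate COM surrogate, not flagged
    r"C:\WINNT\system32\wins\dllhost.exe",  # worm body
    r"C:\WINNT\system32\wins\svchost.exe",  # bundled TFTP server
]

if __name__ == "__main__":
    for line in check_services(SAMPLE_SERVICES) + check_files(SAMPLE_FILES):
        print(line)
```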

The worm then scans the network for computers to exploit. It first sends an ICMP Ping packet to check whether a host is online, then follows with either a WebDAV SEARCH request or the RPC DCOM exploit. If the exploit is successful, W32/Nachi-A uses tftp.exe to copy the worm files from the source system.

Once the system is infected, W32/Nachi-A attempts to download and run security patches from Microsoft's update websites. Depending on the operating system language, W32/Nachi-A chooses the download URL from the following list:

http://download.microsoft.com/download/6/9/5/6957d785-fb7a-4ac9-b1e6-cb99b62f9f2a/Windows2000-KB823980-x86-KOR.exe

http://download.microsoft.com/download/5/8/f/58fa7161-8db3-4af4-b576-0a56b0a9d8e6/Windows2000-KB823980-x86-CHT.exe

http://download.microsoft.com/download/0/1/f/01fdd40f-efc5-433d-8ad2-b4b9d42049d5/Windows2000-KB823980-x86-ENU.exe

http://download.microsoft.com/download/e/3/1/e31b9d29-f650-4078-8a76-3e81eb4554f6/WindowsXP-KB823980-x86-KOR.exe

http://download.microsoft.com/download/2/3/6/236eaaa3-380b-4507-9ac2-6cec324b3ce8/WindowsXP-KB823980-x86-CHT.exe

http://download.microsoft.com/download/a/a/5/aa56d061-3a38-44af-8d48-85e42de9d2c0/WindowsXP-KB823980-x86-CHS.exe

http://download.microsoft.com/download/9/8/b/98bcfad8-afbc-458f-aaee-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe

If the security patch is successfully downloaded, W32/Nachi-A attempts to restart the system.

When the main service routine is launched, W32/Nachi-A checks whether the W32/Blaster-A process is running and whether its file is present. If the process exists, W32/Nachi-A attempts to terminate it and to remove the file.

W32/Nachi-A removes itself from the system if the system date is 1 January 2004 or later.

The worm contains the following text which does not get displayed:

=========== I love my wife & baby :)~~~ Welcome Chian~~~ Notice: 2004 will remove myself:)~~ sorry zhongli~~~=========== wins