New anti-blaster worm attempts to fix RPC/DCOM vuln - W32/Nachi.worm

 
 
Lord Shaolin
      08-19-2003
Info from: http://www.security-forums.com/forum...pic.php?t=7631

Synopsis:
UPDATED: New variants of the MS Blast worm have been detected in the wild.
A new worm has also been discovered that exploits the MSRPC DCOM
vulnerability that is not related to the MS Blast variants. This new worm
has been labeled "Nachi", and also labeled incorrectly as a LovSan.D. The
Nachi worm has improved scanning logic, feature improvements, and auto-
patching functionality. It also propagates by an additional exploit vector,
exploiting the WebDAV vulnerability in Microsoft's IIS 5 Web Server.

Impact:
UPDATED: The Nachi worm will infect vulnerable Windows XP machines using
the same exploit used by the MS Blast worm family. The main difference
between Nachi and MS Blast, is that Nachi will remove and disable MS Blast
infections that it encounters, and download and install the correct MSRPC
DCOM patch from Microsoft. This action will permanently close the MSRPC
DCOM vulnerability. The Nachi worm will not patch the WebDAV vulnerability
on Windows 2000 Servers.

Description:
UPDATED: Nachi Worm
The Nachi worm is technically superior to its predecessors. Its scanning
logic is more robust, it has the ability to propagate more quickly and it
will clean computers infected with MS Blast. It contains an additional
exploit vector which exploits Microsoft IIS 5.0 via WebDAV. The Nachi worm
seems to have been designed for benevolent purposes only. There is no viral
or DDoS payload. Expanded technical details are included below:

From ISS - http://xforce.iss.net/xforce/alerts/id/150

Full info from Symantec:
http://www.sarc.com/avcenter/venc/da...chia.worm.html

Removal tool:
http://securityresponse.symantec.com...oval.tool.html

Original Blaster info:
http://www.security-forums.com/forum...pic.php?t=7474

Cheers

--

-+ Shaolin +-
Discard what is useless, absorb what is not and
add what is uniquely your own.

.: http://www.security-forums.com :.



 
donut
      08-19-2003
"Lord Shaolin" <abuse@127.0.0.1> wrote in
news:(E-Mail Removed):

> The Nachi worm is technically superior to its predecessors. Its
> scanning logic is more robust, it has the ability to propagate more
> quickly and it will clean computers infected with MS Blast. It
> contains an additional exploit vector which exploits Microsoft IIS 5.0
> via WebDAV. The Nachi worm seems to have been designed for benevolent
> purposes only.



What is to prevent that from changing, once the creator(s) have discovered
how effective it is?

As with any worm, scour, disallow, disinfect, and protect (first and
foremost.)
 
R Green -WoWsat.com
      08-19-2003
Wouldn't be surprised if Microsoft had released this worm in an effort to
protect their own arse (ie. the windowsupdate site)..

R Green
Technical Support
--------------------------
WoWsat.com
--------------------------

"Lord Shaolin" <abuse@127.0.0.1> wrote in message
news:(E-Mail Removed)...
> Info from: http://www.security-forums.com/forum...pic.php?t=7631
>
> Synopsis:
> UPDATED: New variants of the MS Blast worm have been detected in the wild.
> A new worm has also been discovered that exploits the MSRPC DCOM
> vulnerability that is not related to the MS Blast variants. This new worm
> has been labeled "Nachi", and also labeled incorrectly as a LovSan.D. The
> Nachi worm has improved scanning logic, feature improvements, and auto-
> patching functionality. It also propagates by an additional exploit vector,
> exploiting the WebDAV vulnerability in Microsoft's IIS 5 Web Server.
>
> Impact:
> UPDATED: The Nachi worm will infect vulnerable Windows XP machines using
> the same exploit used by the MS Blast worm family. The main difference
> between Nachi and MS Blast, is that Nachi will remove and disable MS Blast
> infections that it encounters, and download and install the correct MSRPC
> DCOM patch from Microsoft. This action will permanently close the MSRPC
> DCOM vulnerability. The Nachi worm will not patch the WebDAV vulnerability
> on Windows 2000 Servers.
>
> Description:
> UPDATED: Nachi Worm
> The Nachi worm is technically superior to its predecessors. Its scanning
> logic is more robust, it has the ability to propagate more quickly and it
> will clean computers infected with MS Blast. It contains an additional
> exploit vector which exploits Microsoft IIS 5.0 via WebDAV. The Nachi worm
> seems to have been designed for benevolent purposes only. There is no viral
> or DDoS payload. Expanded technical details are included below:
>
> From ISS - http://xforce.iss.net/xforce/alerts/id/150
>
> Full info from Symantec:
> http://www.sarc.com/avcenter/venc/da...chia.worm.html
>
> Removal tool:
> http://securityresponse.symantec.com...oval.tool.html
>
> Original Blaster info:
> http://www.security-forums.com/forum...pic.php?t=7474
>
> Cheers
>
> --
>
> -+ Shaolin +-
> Discard what is useless, absorb what is not and
> add what is uniquely your own.
>
> .: http://www.security-forums.com :.
>
>
>



 
J. Reilink
      08-20-2003
R Green -WoWsat.com wrote:

> Wouldn't be surprised if Microsoft had released this worm in an effort to
> protect their own arse (ie. the windowsupdate site)..
>


Yeah, right... If you've read the article(s) you'd know that the worm does a
little more than patching the RPC DCOM hole. Among other things, it exploits
a vulnerability in NTDLL.DLL (MS03-007) and overwrites some files (such as
DLLHOST.EXE and SVCHOST.EXE).

--
Met vriendelijke groet / Best regards,
Jan Reilink
Dutch Security Information Network,
http://www.dsinet.org

 
Hkl뮮
      08-20-2003
Gee, wouldn't it be a great move for someone to write a DESTRUCTIVE virus
and name it "FixBlast" or "FixBlaster" so that people would PURPOSELY
download it!!!


"J. Reilink" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> R Green -WoWsat.com wrote:
>
> > Wouldn't be surprised if Microsoft had released this worm in an effort to
> > protect their own arse (ie. the windowsupdate site)..
> >
>
> Yeah, right... If you've read the article(s) you'd know that the worm does a
> little more than patching the RPC DCOM hole. Among other things, it exploits
> a vulnerability in NTDLL.DLL (MS03-007) and overwrites some files (such as
> DLLHOST.EXE and SVCHOST.EXE).
>
> --
> Met vriendelijke groet / Best regards,
> Jan Reilink
> Dutch Security Information Network,
> http://www.dsinet.org
>



 
John Tate
      08-20-2003
On Tue, 19 Aug 2003 16:01:53 +0000, R Green -WoWsat.com wrote:

> Wouldn't be surprised if Microsoft had released this worm in an effort to
> protect their own arse (ie. the windowsupdate site)..

It could well have been the same person who did blaster, so what if it
isn't viral or ddosing, maybe he just wanted to flood the internet with
crap. Making it the third worm this year to do it, and all 3 being
Microsoft Products.

And they say they know security.
>
> R Green
> Technical Support
> --------------------------
> WoWsat.com
> --------------------------
>
> "Lord Shaolin" <abuse@127.0.0.1> wrote in message
> news:(E-Mail Removed)...
>> Info from: http://www.security-forums.com/forum...pic.php?t=7631
>>
>> Synopsis:
>> UPDATED: New variants of the MS Blast worm have been detected in the wild.
>> A new worm has also been discovered that exploits the MSRPC DCOM
>> vulnerability that is not related to the MS Blast variants. This new worm
>> has been labeled "Nachi", and also labeled incorrectly as a LovSan.D. The
>> Nachi worm has improved scanning logic, feature improvements, and auto-
>> patching functionality. It also propagates by an additional exploit vector,
>> exploiting the WebDAV vulnerability in Microsoft's IIS 5 Web Server.
>>
>> Impact:
>> UPDATED: The Nachi worm will infect vulnerable Windows XP machines using
>> the same exploit used by the MS Blast worm family. The main difference
>> between Nachi and MS Blast, is that Nachi will remove and disable MS Blast
>> infections that it encounters, and download and install the correct MSRPC
>> DCOM patch from Microsoft. This action will permanently close the MSRPC
>> DCOM vulnerability. The Nachi worm will not patch the WebDAV vulnerability
>> on Windows 2000 Servers.
>>
>> Description:
>> UPDATED: Nachi Worm
>> The Nachi worm is technically superior to its predecessors. Its scanning
>> logic is more robust, it has the ability to propagate more quickly and it
>> will clean computers infected with MS Blast. It contains an additional
>> exploit vector which exploits Microsoft IIS 5.0 via WebDAV. The Nachi worm
>> seems to have been designed for benevolent purposes only. There is no viral
>> or DDoS payload. Expanded technical details are included below:
>>
>> From ISS - http://xforce.iss.net/xforce/alerts/id/150
>>
>> Full info from Symantec:
>> http://www.sarc.com/avcenter/venc/da...chia.worm.html
>>
>> Removal tool:
>> http://securityresponse.symantec.com...oval.tool.html
>>
>> Original Blaster info:
>> http://www.security-forums.com/forum...pic.php?t=7474
>>
>> Cheers
>>
>> --
>>
>> -+ Shaolin +-
>> Discard what is useless, absorb what is not and
>> add what is uniquely your own.
>>
>> .: http://www.security-forums.com :.
>>
>>
>>


 
John Tate
      08-20-2003
On Wed, 20 Aug 2003 14:00:10 +0200, J. Reilink wrote:

> R Green -WoWsat.com wrote:
>
>> Wouldn't be surprised if Microsoft had released this worm in an effort to
>> protect their own arse (ie. the windowsupdate site)..
>>

>
> Yeah, right... If you've read the article(s) you'd know that the worm does a
> little more than patching the RPC DCOM hole. Among other things, it exploits
> a vulnerability in NTDLL.DLL (MS03-007) and overwrites some files (such as
> DLLHOST.EXE and SVCHOST.EXE).

Really, I should try reading, this enforces my thought that it might just
be the same guy who did blaster.
 