New anti-blaster worm attempts to fix RPC/DCOM vuln - W32/Nachi.worm

Discussion in 'Computer Security' started by Lord Shaolin, Aug 19, 2003.

  1. Lord Shaolin

    Lord Shaolin Guest

    Info from: http://www.security-forums.com/forum/viewtopic.php?t=7631

    Synopsis:
    UPDATED: New variants of the MS Blast worm have been detected in the wild.
    A new worm has also been discovered that exploits the MSRPC DCOM
    vulnerability that is not related to the MS Blast variants. This new worm
    has been labeled "Nachi", and also labeled incorrectly as a LovSan.D. The
    Nachi worm has improved scanning logic, feature improvements, and
    auto-patching functionality. It also propagates by an additional exploit
    vector, exploiting the WebDAV vulnerability in Microsoft's IIS 5 Web Server.

    Impact:
    UPDATED: The Nachi worm will infect vulnerable Windows XP machines using
    the same exploit used by the MS Blast worm family. The main difference
    between Nachi and MS Blast is that Nachi will remove and disable MS Blast
    infections that it encounters, and download and install the correct MSRPC
    DCOM patch from Microsoft. This action will permanently close the MSRPC
    DCOM vulnerability. The Nachi worm will not patch the WebDAV vulnerability
    on Windows 2000 Servers.

    Description:
    UPDATED: Nachi Worm
    The Nachi worm is technically superior to its predecessors. Its scanning
    logic is more robust, it has the ability to propagate more quickly and it
    will clean computers infected with MS Blast. It contains an additional
    exploit vector which exploits Microsoft IIS 5.0 via WebDAV. The Nachi worm
    seems to have been designed for benevolent purposes only. There is no viral
    or DDoS payload. Expanded technical details are included below:

    From ISS - http://xforce.iss.net/xforce/alerts/id/150

    Full info from Symantec:
    http://www.sarc.com/avcenter/venc/data/w32.welchia.worm.html

    Removal tool:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

    Original Blaster info:
    http://www.security-forums.com/forum/viewtopic.php?t=7474

    Cheers

    --

    -+ Shaolin +-
    Discard what is useless, absorb what is not and
    add what is uniquely your own.

    .: http://www.security-forums.com :.
     
    Lord Shaolin, Aug 19, 2003
    #1
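    The advisory above names two infection vectors (the MSRPC DCOM overflow on
    TCP/135 and the WebDAV/ntdll.dll overflow in IIS 5.0) but does not show how
    an administrator would spot either one in logs. The script below is an added
    example, not part of the original post or of any vendor writeup: it flags
    WebDAV-style requests with an abnormally long URI in an IIS W3C extended log,
    and sources that sweep many hosts on port 135 in a firewall connection log.
    Both log excerpts are constructed for the example, and the firewall log
    format (timestamp, source, destination, destination port) is an assumption.

```python
"""Log triage for the two Nachi/Welchia vectors: oversized WebDAV requests
against IIS 5.0 (the MS03-007 ntdll.dll overflow) and port-135 sweeps (the
MSRPC DCOM vector shared with Blaster).  Added example; the IIS W3C excerpt
and the 'timestamp src dst dport' firewall format are constructed."""

from collections import defaultdict

WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH", "OPTIONS"}

# Constructed IIS W3C extended log.  The SEARCH request carries a 4000-byte
# URI; the length, not the verb, is what separates an overflow attempt from an
# ordinary WebDAV client such as the PROPFIND from 10.0.0.9.
IIS_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2003-08-19 10:01:02 10.0.0.7 GET /default.htm 200
2003-08-19 10:01:05 10.0.0.9 PROPFIND /docs/ 207
2003-08-19 10:02:11 10.0.0.42 SEARCH /%s 500
2003-08-19 10:02:12 10.0.0.42 GET /scripts/ 404
""" % ("A" * 4000)


def parse_w3c(log_text):
    """Yield one dict per request line, naming columns from the '#Fields:' header."""
    fields = None
    for raw in log_text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or not raw.strip():
            continue
        if fields is None:
            raise ValueError("request line seen before a #Fields header")
        values = raw.split()
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than misalign the columns
        yield dict(zip(fields, values))


def flag_long_uris(log_text, max_uri=1024):
    """Return requests whose URI exceeds max_uri bytes, noting WebDAV verbs.

    A WebDAV verb with a multi-kilobyte path is the shape of an MS03-007
    exploit attempt; the threshold is a tuning knob, not a protocol limit."""
    hits = []
    for req in parse_w3c(log_text):
        uri = req["cs-uri-stem"]
        if len(uri) > max_uri:
            hits.append({
                "client": req["c-ip"],
                "method": req["cs-method"],
                "uri_len": len(uri),
                "webdav": req["cs-method"] in WEBDAV_METHODS,
            })
    return hits


def build_fw_log():
    """Constructed firewall log: 10.0.0.42 sweeps 40 hosts on 135 and a few on
    80 (worm behaviour); 10.0.0.7 makes a single legitimate DCOM connection."""
    lines = ["2003-08-19T10:00:%02d 10.0.0.42 10.0.1.%d 135" % (i % 60, i)
             for i in range(1, 41)]
    lines += ["2003-08-19T10:01:%02d 10.0.0.42 10.0.1.%d 80" % (i, i)
              for i in range(1, 6)]
    lines.append("2003-08-19T10:05:00 10.0.0.7 10.0.1.5 135")
    return "\n".join(lines)


def find_scanners(fw_text, port=135, min_targets=20):
    """Map each source that reached at least min_targets distinct hosts on
    `port` to its target count.  Fan-out, not volume, is the worm signature."""
    targets = defaultdict(set)
    for line in fw_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, src, dst, dport = parts
        if int(dport) == port:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    for hit in flag_long_uris(IIS_LOG):
        print("long URI from %(client)s: %(method)s len=%(uri_len)d webdav=%(webdav)s" % hit)
    for src, n in find_scanners(build_fw_log()).items():
        print("port-135 sweep from %s: %d distinct targets" % (src, n))
```

    Run against real logs, feed the W3C file to `flag_long_uris` and a
    connection export to `find_scanners`; a host appearing in both lists is
    behaving like Nachi, whatever it is actually running.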

  2. donut

    donut Guest

    "Lord Shaolin" <abuse@127.0.0.1> wrote in
    news::

    > The Nachi worm is technically superior to its predecessors. Its
    > scanning logic is more robust, it has the ability to propagate more
    > quickly and it will clean computers infected with MS Blast. It
    > contains an additional exploit
    > vector which exploits Microsoft IIS 5.0 via WebDAV. The Nachi worm
    > seems to have
    > been designed for benevolent purposes only.



    What is to prevent that from changing, once the creator(s) have discovered
    how effective it is?

    As with any worm, scour, disallow, disinfect, and protect (first and
    foremost.)
     
    donut, Aug 19, 2003
    #2

  3. Wouldn't be surprised if Microsoft had released this worm in an effort to
    protect their own arse (i.e. the windowsupdate site).

    R Green
    Technical Support
    --------------------------
    WoWsat.com
    --------------------------

     
    R Green -WoWsat.com, Aug 19, 2003
    #3
  4. J. Reilink

    J. Reilink Guest

    R Green -WoWsat.com wrote:

    > Wouldn't be surprised if Microsoft had released this worm in an effort to
    > protect their own arse (ie. the windowsupdate site)..
    >


    Yeah, right... If you've read the article(s) you'd know that the worm does a
    little more than patching the RPC DCOM hole. Among other things, it exploits
    a vulnerability in NTDLL.DLL (MS03-007) and overwrites some files (such as
    DLLHOST.EXE and SVCHOST.EXE).

    --
    Met vriendelijke groet / Best regards,
    Jan Reilink
    Dutch Security Information Network,
    http://www.dsinet.org
     
    J. Reilink, Aug 20, 2003
    #4
  5. Gee, wouldn't it be a great move for someone to write a DESTRUCTIVE virus
    and name it "FixBlast" or "FixBlaster" so that people would PURPOSELY
    download it!!!


    "J. Reilink" <> wrote in message
    news:...
    > R Green -WoWsat.com wrote:
    >
    > > Wouldn't be surprised if Microsoft had released this worm in an effort to
    > > protect their own arse (ie. the windowsupdate site)..
    > >
    >
    > Yeah, right... If you've read the article(s) you'd know that the worm does a
    > little more than patching the RPC DCOM hole. Among other things, it exploits
    > a vulnerability in NTDLL.DLL (MS03-007) and overwrites some files (such as
    > DLLHOST.EXE and SVCHOST.EXE).
    >
    > --
    > Met vriendelijke groet / Best regards,
    > Jan Reilink
    > Dutch Security Information Network,
    > http://www.dsinet.org
    >
     
    Hü©klëßë®®ÿ, Aug 20, 2003
    #5
  6. John Tate

    John Tate Guest

    On Tue, 19 Aug 2003 16:01:53 +0000, R Green -WoWsat.com wrote:

    > Wouldn't be surprised if Microsoft had released this worm in an effort to
    > protect their own arse (ie. the windowsupdate site)..

    It could well have been the same person who did Blaster. So what if it
    isn't viral or DDoSing? Maybe he just wanted to flood the internet with
    crap, making it the third worm this year to do it, and all 3 being
    Microsoft products.

    And they say they know security.
     
    John Tate, Aug 20, 2003
    #6
  7. John Tate

    John Tate Guest

    On Wed, 20 Aug 2003 14:00:10 +0200, J. Reilink wrote:

    > R Green -WoWsat.com wrote:
    >
    >> Wouldn't be surprised if Microsoft had released this worm in an effort to
    >> protect their own arse (ie. the windowsupdate site)..
    >>

    >
    > Yeah, right... If you've read the article(s) you'd know that the worm does a
    > little more than patching the RPC DCOM hole. Among other things, it exploits
    > a vulnerability in NTDLL.DLL (MS03-007) and overwrites some files (such as
    > DLLHOST.EXE and SVCHOST.EXE).

    Really, I should try reading. This reinforces my thought that it might just
    be the same guy who did Blaster.
     
    John Tate, Aug 20, 2003
    #7
