worm/nachi

Discussion in 'NZ Computing' started by ~misfit~, Sep 19, 2003.

  1. ~misfit~ Guest

    I was setting up a laptop for a friend last night, clean install, no email
    client configured and installed DU Meter before connecting to the net. I'm a
    bit of a voyeur, I like to see what's going on. Anyway, I installed AVG then
    connected to get the updates. Half-way through the (slow) download I noticed
    a shit-load of traffic going out from the machine, twice as much as I was
    downloading.

    Had me puzzled, I had nothing uploading. Anyway, I figured I needed the
    update so left it to download. Then I did a complete scan of the system with
    AVG and it found (and removed) the worm nachi. Could I really have got it
    that quickly? I was only on-line for three or four minutes before the
    uploading started. There was no firewall on the machine, it's running 2K so
    no built-in jobbie. I feel really bad now for all the uploading it was
    doing, it could have infected god knows how many machines in that time.

    And I didn't install a firewall as one wasn't asked for. It was a freebie
    for a 'friend' who had loaded 2K onto a Thinkpad and then wondered why they
    couldn't use most of it and the display sucked. I downloaded all the drivers
    etc. from IBM on my machine, burnt them to disc and installed them on the
    lappy. IBM's site was having problems yesterday and it took me most of the
    day to do. Damn cryptic set-ups on those thinkpads, I had to download four
    different modem drivers before I got it going, as well as all the system
    software for speed-step, power-management etc. 14+ hours for a 'friend'.
    Finally finished at 4am this morning.

    I just didn't realise how damn easy it is to get a worm like that, and
    spread it. I'm all fire-walled myself but it certainly gave me a wake-up
    call.
    --
    ~misfit~



    ---
    Outgoing mail is certified Virus Free.
    Checked by AVG anti-virus system (http://www.grisoft.com).
    Version: 6.0.520 / Virus Database: 318 - Release Date: 18/09/2003
    ~misfit~, Sep 19, 2003
    #1

  2. T.N.O. Guest

    "~misfit~" wrote
    >Then I did a complete scan of the system with
    > AVG and it found (and removed) the worm nachi.


    heh

    > Could I really have got it
    > that quickly?


    yes... and you can prove it :)

    > I was only on-line for three or four minutes before the
    > uploading started.


    that's all it takes.

    > There was no firewall on the machine, it's running 2K so
    > no built-in jobbie. I feel really bad now for all the uploading it was
    > doing, it could have infected god knows how many machines in that time.


    You're a bad person :|

    > I just didn't realise how damn easy it is to get a worm like that, and
    > spread it. I'm all fire-walled myself but it certainly gave me a wake-up
    > call.


    Welcome to the real world neo...
    T.N.O., Sep 19, 2003
    #2

  3. Kookaburra Guest

    On Fri, 19 Sep 2003 14:33:43 +1200, "~misfit~"
    <misfit@'SPAMTRAP'orcon.net.nz> wrote:

    >
    >I just didn't realise how damn easy it is to get a worm like that, and
    >spread it. I'm all fire-walled myself but it certainly gave me a wake-up
    >call.


    I inadvertently used my realbox account addy on USENET a couple of
    weeks back and I've deleted 6 potential virus emails this morning all
    in a matter of 30 minutes online and another one this afternoon. I
    don't know which one it is but the attachments are all around 140kb.
    One had from Microsoft and none have been from individuals although
    one was a delivery failure notice.


    Cheers, Kooky
    Kookaburra, Sep 19, 2003
    #3
  4. steve Guest

    Updates Offline? Re: worm/nachi

    ~misfit~ wrote:

    > I just didn't realise how damn easy it is to get a worm like that, and
    > spread it. I'm all fire-walled myself but it certainly gave me a wake-up
    > call.
    > --
    > ~misfit~


    The problem is:

    If you have a fresh Windows install, how are you ever going to download
    the patch to block these vulnerabilities BEFORE your newly-installed
    system becomes infected?

    There have been several posts like yours in the past 2-3 weeks.

    It seems you need to have the updates on hand, offline, before you install.

    Or you're screwed.
    steve, Sep 19, 2003
    #4
  5. T.N.O. Guest

    Re: Updates Offline? Re: worm/nachi

    "steve" wrote
    > If you have a fresh Windows install, how are you ever going to download
    > the patch to block these vulnerabilities BEFORE your newly-installed
    > system become infected?


    You could ring that MS phone number that Nathan listed a while back, they
    send you a CD for free with all the updates on... I have one next to me :)
    T.N.O., Sep 19, 2003
    #5
  6. Rider Guest

    Re: Updates Offline? Re: worm/nachi

    "steve" <> wrote in message
    news:Yzvab.2293$...
    > ~misfit~ wrote:
    >
    > > I just didn't realise how damn easy it is to get a worm like that, and
    > > spread it. I'm all fire-walled myself but it certainly gave me a wake-up
    > > call.
    > > --
    > > ~misfit~

    >
    > The problem is:
    >
    > If you have a fresh Windows install, how are you ever going to download
    > the patch to block these vulnerabilities BEFORE your newly-installed
    > system become infected?
    >
    > There have been several posts like yours in the past 2-3 weeks.
    >
    > It seems you need to have the updates on hand, offline, before you install.
    >
    > Or you're screwed.
    >


    Last week on one new pc I had built I had forgotten to apply the patches
    before going online. (We have them on cd here)

    1 1/2 minutes it took to become infected LOL

    Rider
    Rider, Sep 19, 2003
    #6
  7. Rob Guest

    Re: Updates Offline? Re: worm/nachi

    "Rider" <> wrote in message
    news:bke0s7$asr$...
    >
    > "steve" <> wrote in message
    > news:Yzvab.2293$...
    > > ~misfit~ wrote:
    > >
    > > > I just didn't realise how damn easy it is to get a worm like that, and
    > > > spread it. I'm all fire-walled myself but it certainly gave me a wake-up
    > > > call.
    > > > --
    > > > ~misfit~

    > >
    > > The problem is:
    > >
    > > If you have a fresh Windows install, how are you ever going to download
    > > the patch to block these vulnerabilities BEFORE your newly-installed
    > > system become infected?
    > >
    > > There have been several posts like yours in the past 2-3 weeks.
    > >
    > > It seems you need to have the updates on hand, offline, before you install.
    > >
    > > Or you're screwed.
    > >

    >
    > Last week on one new pc I had built I had forgotten to apply the patches
    > before going online. (We have them on cd here)
    >
    > 1 1/2 minutes it took to become infected LOL
    >
    > Rider
    >
    >

    Ah the joys of separate hardware firewalls...
    Rob, Sep 19, 2003
    #7
  8. T.N.O. Guest

    Re: Updates Offline? Re: worm/nachi

    "Rob" wrote
    > Ah the joys of separate hardware firewalls...


    I was going to say something like that.
    T.N.O., Sep 19, 2003
    #8
  9. Chris Wilkinson

    Hi there,

    Kookaburra wrote:
    > On Fri, 19 Sep 2003 14:33:43 +1200, "~misfit~"
    > <misfit@'SPAMTRAP'orcon.net.nz> wrote:
    >
    >>I just didn't realise how damn easy it is to get a worm like that, and
    >>spread it. I'm all fire-walled myself but it certainly gave me a wake-up
    >>call.

    >
    > I inadvertently used my realbox account addy on USENET a couple of
    > weeks back and I've deleted 6 potential virus emails this morning all
    > in a matter of 30 minutes online and another one this afternoon. I
    > don't know which one it is but the attachments are all around 140kb.
    > One had from Microsoft and none have been from individuals although
    > one was a delivery failure notice.


    Someone has been sending emails containing the 'Microsoft September
    2003 Cumulative Security update patch', which of course is a fake.
    Unfortunately they have chosen your email address to forge into the
    message header as the 'from' address. That's why you'll be getting
    bounced delivery failure notices from addresses you'd swear you'd
    never tried to send to...

    I just deleted 70 of these (at 150 kB each) from my emails today.
    I'm getting mighty pissed off that NZ ISPs claim that legally they
    cannot zap these emails because they might be genuine!!! Dumb
    bastards cannot even do that on a per client basis, as I requested
    today. I'm just glad I'm running Linux, cos the virii will not do
    diddly squat to my PC, but having to download the frigging things
    in order to delete them is a right royal PITA!! :-(

    Kind regards,

    Chris Wilkinson, Christchurch.
    Chris Wilkinson, Sep 19, 2003
    #9
  10. T.N.O. Guest

    "Chris Wilkinson" wrote
    > I just deleted 70 of these (at 150 kB each) from my emails today.
    > I'm getting mighty pissed off that NZ ISP's claim that legally they
    > cannot zap these emails because they might be genuine!!! Dumb
    > bastards cannot even do that on a per client basis, as I requested
    > today. I'm just glad I'm running Linux, cos the virii will not do
    > diddly squat to my PC, but having to download the frigging things
    > in order to delete them is a right royal PITA!! :-(


    When Xtra bounce them, they strip the attachment it appears...
    T.N.O., Sep 19, 2003
    #10
  11. ~misfit~ Guest

    Re: Updates Offline? Re: worm/nachi

    "steve" <> wrote in message
    news:Yzvab.2293$...
    > ~misfit~ wrote:
    >
    > > I just didn't realise how damn easy it is to get a worm like that, and
    > > spread it. I'm all fire-walled myself but it certainly gave me a wake-up
    > > call.
    > > --
    > > ~misfit~

    >
    > The problem is:
    >
    > If you have a fresh Windows install, how are you ever going to download
    > the patch to block these vulnerabilities BEFORE your newly-installed
    > system become infected?
    >
    > There have been several posts like yours in the past 2-3 weeks.
    >
    > It seems you need to have the updates on hand, offline, before you install.
    >
    > Or you're screwed.


    Tell me about it. The thing is, the machine was brought to me solely to get
    the modem working. I wasn't responsible for the install or updating. I
    couldn't get the NIC to work last night or I would have connected through my
    (firewalled) LAN to update the AV. (the owner doesn't care about the NIC, no
    intention of networking, I would have liked to get it going anyway and would
    have done so this morning but she came around to pick it up and said 'it'll
    be fine as-is') I hate doing freebies, I'm not going to spend the many
    hours required to get it up to my standards and, as it was, it took me
    bloody hours to download and install the IBM drivers needed. Also, it was my
    first experience with 2K.
    --
    ~misfit~



    ---
    Outgoing mail is certified Virus Free.
    Checked by AVG anti-virus system (http://www.grisoft.com).
    Version: 6.0.520 / Virus Database: 318 - Release Date: 18/09/2003
    ~misfit~, Sep 19, 2003
    #11
  12. ~misfit~ Guest

    "T.N.O." <> wrote in message
    news:bkdrh6$k4rh$-berlin.de...
    > "~misfit~" wrote
    > >Then I did a complete scan of the system with
    > > AVG and it found (and removed) the worm nachi.

    >
    > heh
    >
    > > Could I really have got it
    > > that quickly?

    >
    > yes... and you can prove it :)


    I'm still amazed.

    > > I was only on-line for three or four minutes before the
    > > uploading started.

    >
    > that's all it takes.
    >
    > > There was no firewall on the machine, it's running 2K so
    > > no built-in jobbie. I feel really bad now for all the uploading it was
    > > doing, it could have infected god knows how many machines in that time.

    >
    > You're a bad person :|


    I certainly feel like it.

    > > I just didn't realise how damn easy it is to get a worm like that, and
    > > spread it. I'm all fire-walled myself but it certainly gave me a wake-up
    > > call.

    >
    > Welcome to the real world neo...


    I knew I should have taken the blue pill!!!!
    --
    ~misfit~



    ---
    Outgoing mail is certified Virus Free.
    Checked by AVG anti-virus system (http://www.grisoft.com).
    Version: 6.0.520 / Virus Database: 318 - Release Date: 18/09/2003
    ~misfit~, Sep 19, 2003
    #12
  13. Peter Guest

    this quote is from Chris Wilkinson of Fri, 19 Sep 2003 17:19 :
    >
    > Someone has been sending emails containing the 'Microsoft September
    > 2003 Cumulative Security update patch', which of course is a fake.


    looks like that one is pretty common, some screenshots of the fake email in
    this article ...
    http://newsforge.com/article.pl?sid=03/09/18/2142224

    As the article points out, someone deliberately designed it to appear like a
    genuine patch, which of course will only trick people who aren't that
    knowledgeable. It would take a real scumbag to prey on people like that.


    Peter
    Peter, Sep 19, 2003
    #13
  14. Kookaburra Guest

    On Fri, 19 Sep 2003 17:19:41 +1200, Chris Wilkinson
    <> wrote:

    >
    >Someone has been sending emails containing the 'Microsoft September
    >2003 Cumulative Security update patch', which of course is a fake.
    >Unfortunately they have chosen your email address to forge into the
    >message header as the 'from' address. Thats why you'll be getting
    >bounced delivery failure notices from addresses you'd swear you'd
    >never tried to send to...
    >
    >I just deleted 70 of these (at 150 kB each) from my emails today.
    >I'm getting mighty pissed off that NZ ISP's claim that legally they
    >cannot zap these emails because they might be genuine!!! Dumb
    >bastards cannot even do that on a per client basis, as I requested
    >today. I'm just glad I'm running Linux, cos the virii will not do
    >diddly squat to my PC, but having to download the frigging things
    >in order to delete them is a right royal PITA!! :-(
    >
    >Kind regards,
    >
    >Chris Wilkinson, Christchurch.


    Thanks for telling me what they were. I deleted them using Mailwasher
    but the darn things were coming back as fast as I was getting rid of
    them.


    Cheers, Kooky
    Kookaburra, Sep 19, 2003
    #14
  15. Kookaburra Guest

    On Fri, 19 Sep 2003 19:00:29 +1200, Peter <>
    wrote:

    >this quote is from Chris Wilkinson of Fri, 19 Sep 2003 17:19 :
    >>
    >> Someone has been sending emails containing the 'Microsoft September
    >> 2003 Cumulative Security update patch', which of course is a fake.

    >
    >looks like that one is pretty common, some screenshots of the fake email in
    >this article ...
    >http://newsforge.com/article.pl?sid=03/09/18/2142224
    >
    >As the article points out, someone deliberately designed it to appear like a
    >genuine patch, which of course will only trick people who aren't that
    >knowledgeable. It would take a real scumbag to prey on people like that.
    >
    >
    >Peter


    Watch out for e-mail with the following FROM and SUBJECT

    FROM                              SUBJECT

    --------------------------------------------------------------------------------

    Inet Storage Service              Mail: returned to sender
    Administration                    Error Notice
    Network Security Department       New Microsoft Security Upgrade
    Program Security Division         Latest Upgrade
    Microsoft Security Department     Current Internet Security Upgrade
    Public Support                    Last Net Security Pack
    Customer Support                  Latest Network Pack
    Customer Support                  Current Microsoft Security Update

    --------------------------------------------------------------------------------

    All of these e-mails have attachments containing the W32/Swen@MM Virus

    --------------------------------------------------------------------------------

    Do not open it and do not run your e-mail program with PREVIEW PANE
    open. DELETE ALL E-MAILS OF THIS TYPE IMMEDIATELY!
    Cheers, Kooky
    Kookaburra, Sep 19, 2003
    #15
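    Kooky's FROM/SUBJECT list and the attachment sizes reported earlier in the thread (around 140-150 kB) are enough to build a small mail classifier. The following is an added example, not code from the thread or from Mailwasher: it parses a raw message, checks the From display name and Subject against the list above, and separately checks for an attachment in the reported size range, so the verdict does not rest on the subject line alone (later in the thread the subject permutations are said to run into the hundreds). The sample messages, addresses, attachment filename and the size bounds are constructed assumptions.

```python
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Display names and subject lines from the FROM/SUBJECT list in the post above.
SWEN_FROM_NAMES = {
    "inet storage service", "administration", "network security department",
    "program security division", "microsoft security department",
    "public support", "customer support",
}
SWEN_SUBJECTS = {
    "mail: returned to sender", "error notice", "new microsoft security upgrade",
    "latest upgrade", "current internet security upgrade",
    "last net security pack", "latest network pack",
    "current microsoft security update",
}
# The thread reports attachments of about 140-150 kB; these bounds are an assumption.
ATTACH_MIN, ATTACH_MAX = 130_000, 160_000


def classify(raw: bytes) -> dict:
    """Score one raw RFC 822 message; return the indicators hit and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_name, from_addr = email.utils.parseaddr(str(msg.get("From", "")))
    subject = str(msg.get("Subject", "")).strip().lower()
    indicators = []
    if from_name.strip().lower() in SWEN_FROM_NAMES:
        indicators.append("from-name")
    if any(s in subject for s in SWEN_SUBJECTS):
        indicators.append("subject")
    # Decode each attachment and compare its real size with the reported range.
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if ATTACH_MIN <= len(payload) <= ATTACH_MAX:
            indicators.append("attachment-size")
            break
    # A suspicious header plus a suspicious attachment is quarantined outright;
    # a single indicator is only marked for review, since the From address is
    # forged and legitimate bounce notices exist too.
    if "attachment-size" in indicators and len(indicators) >= 2:
        verdict = "quarantine"
    elif indicators:
        verdict = "suspect"
    else:
        verdict = "deliver"
    return {"from": from_addr, "indicators": indicators, "verdict": verdict}


def build_sample(from_hdr: str, subject: str, attach_size: int = 0) -> bytes:
    """Construct a test message; addresses and the filename are made up."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = "kooky@example.invalid"
    m["Subject"] = subject
    m.set_content("Install the attached update.")
    if attach_size:
        m.add_attachment(b"\x00" * attach_size, maintype="application",
                         subtype="octet-stream", filename="update.dat")
    return m.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("Microsoft Security Department <security@example.invalid>",
                     "Current Microsoft Security Update", 150_000),
        build_sample("Customer Support <support@example.invalid>", "hello", 145_000),
        build_sample("Alice <alice@example.invalid>", "Error Notice"),
        build_sample("Alice <alice@example.invalid>", "lunch?"),
    ]
    for raw in samples:
        print(classify(raw))
```

    The second sample shows the point of the size check: an unknown subject line with a listed sender name and a 145 kB attachment is still quarantined, whereas a listed subject with no attachment is only flagged for review.
    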
  16. Uncle StoatWarbler

    On Fri, 19 Sep 2003 17:19:41 +1200, Chris Wilkinson wrote:

    > I just deleted 70 of these (at 150 kB each) from my emails today.


    They're hitting Usenet posting addresses (if they're genuine of course).
    I've had to disable my one for the moment - 25,000 rejects in the last 12 hours

    > I'm getting mighty pissed off that NZ ISP's claim that legally they
    > cannot zap these emails because they might be genuine!!!


    Whoever's telling you this is a fool and/or a liar. Change ISP.
    Uncle StoatWarbler, Sep 20, 2003
    #16
  17. Uncle StoatWarbler

    On Fri, 19 Sep 2003 23:34:09 +1200, Kookaburra wrote:


    > Watch out for e-mail with the following FROM and SUBJECT


    Uh, I gave up on trying to subject filter when I went past 250 different
    permutations.

    Not to mention the ones which arrive with one word subjects or no subject
    at all.

    Gibe/Swen is nasty...
    Uncle StoatWarbler, Sep 20, 2003
    #17
  18. Craig Sutton Guest

    "Uncle StoatWarbler" <> wrote in message
    news:p...
    > On Fri, 19 Sep 2003 23:34:09 +1200, Kookaburra wrote:
    >
    >
    > > Watch out for e-mail with the following FROM and SUBJECT

    >
    > Uh, I gave up on trying to subject filter when I went past 250 different
    > permutations.
    >
    > Not to mention the ones which arrive with one word subjects or no subject
    > at all.
    >
    > Gibe/Swen is nasty...


    just the one received here using Ihug with their virus checker enabled
    Craig Sutton, Sep 20, 2003
    #18
  19. Olson Johnson

    Re: Updates Offline? Re: worm/nachi

    "T.N.O." <> wrote in message
    news:...
    > "Uncle StoatWarbler" wrote
    > > Anyone directly connecting a windows box to the net in this day and age
    > > needs their head read.

    >
    > Or just to keep it up to date, like you should with any OS.
    >
    >


    There's a risk of the personal firewall software, either XP's own or ZA, being
    compromised.
    Security pros recommend separate firewalls, and the additional advantage of
    having NAT and DHCP if you have several PCs on your network is a big plus.
    They are now often built into ADSL routers, and separate hardware firewall
    routers are now available for $100 - 200 which do NAT, VPN, forwarding etc.
    This one looks good value (I don't work for dse)
    http://www.dse.co.nz/cgi-bin/dse.storefront/3f6cd23a007a5ef0273fc0a87f99070d/Product/View/XH1151
    or jaycar STOCK-CODE: yn8090 (bit expensive for what it is :( )
    Or the Linksys range, BEFSX41 etc
    http://linksys.com/products/group.asp?grid=34&scid=29
    which are quite reasonably priced and distributed to many retailers, try the
    usual suspects.
    http://www.pricespy.co.nz/search.php?search=linksys
    http://www.pricespy.co.nz/search.php?search=firewall
    Olson Johnson, Sep 20, 2003
    #19
  20. Mel Guest

    Re: Updates Offline? Re: worm/nachi

    please can I have the number to ring?

    TIA Mel

    T.N.O. wrote:
    > "steve" wrote
    >
    >>If you have a fresh Windows install, how are you ever going to download
    >>the patch to block these vulnerabilities BEFORE your newly-installed
    >>system become infected?

    >
    >
    > You could ring that MS phone number that Nathan listed a while back, they
    > send you a CD for free with all the updates on... I have one next to me :)
    >
    >
    Mel, Sep 21, 2003
    #20