Info from: [URL]http://www.security-forums.com/forum/viewtopic.php?t=7631[/URL]\n\nSynopsis:\nUPDATED: New variants of the MS Blast worm have been detected in the wild.\nA new worm has also been discovered that exploits the MSRPC DCOM\nvulnerability that is not related to the MS Blast variants. This new worm\nhas been labeled "Nachi", and also labeled incorrectly as a LovSan.D. The\nNachi worm has improved scanning logic, feature improvements, and auto-\npatching functionality. It also propagates by an additional exploit vector,\nexploiting the WebDAV vulnerability in Microsoft's IIS 5 Web Server.\n\nImpact:\nUPDATED: The Nachi worm will infect vulnerable Windows XP machines using\nthe same exploit used by the MS Blast worm family. The main difference\nbetween Nachi and MS Blast, is that Nachi will remove and disable MS Blast\ninfections that it encounters, and download and install the correct MSRPC\nDCOM patch from Microsoft. This action will permanently close the MSRPC\nDCOM vulnerability. The Nachi worm will not patch the WebDAV vulnerability\non Windows 2000 Servers.\n\nDescription:\nUPDATED: Nachi Worm\nThe Nachi worm is technically superior to its predecessors. Its scanning\nlogic is more robust, it has the ability to propagate more quickly and it\nwill clean computers infected with MS Blast. It contains an additional\nexploit\nvector which exploits Microsoft IIS 5.0 via WebDAV. The Nachi worm seems to\nhave\nbeen designed for benevolent purposes only. There is no viral or DDoS\npayload. Expanded technical details are included below:\n\nFrom ISS - [URL]http://xforce.iss.net/xforce/alerts/id/150[/URL]\n\nFull info from Symantec:\n[URL]http://www.sarc.com/avcenter/venc/data/w32.welchia.worm.html[/URL]\n\nRemoval tool:\n[URL]http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html[/URL]\n\nOriginal Blaster info:\n[URL]http://www.security-forums.com/forum/viewtopic.php?t=7474[/URL]\n\nCheers\n\n-\-\n\n-+ Shaolin +-\nDiscard what is useless, absorb what is not and\nadd what is uniquely your own.\n\n.: [URL]http://www.security-forums.com[/URL] :.