Malicious Software Encyclopedia: Win32/Nachi
Published:
May 16, 2005
Win32/Nachi is a family of network worms that spread across network connections by exploiting one or more vulnerabilities in Microsoft Windows 2000 and Windows XP. These worms can also spread using backdoors opened by other malicious software. The worm tries to download and apply security updates; some variants try to remove other malicious software that may be on the infected computer. Some variants replace Web pages stored on the computer with their own Web page.
On This Page
Threat Overview
| Class/type | Worm - Network
|
| Discovered | August 19, 2003 |
| Circulating | Yes |
| Affected operating systems | Windows 2000
Windows XP
|
| Affected software |
Not specified
|
| Infection rating | Low |
| Recovery difficulty | Moderate |
| Damage rating | Medium |
| Transmission rating | High |
Aliases (Also Known As)
Different antivirus vendors may be using different names to refer to this malicious software. Here are some of the names currently in use by antivirus software vendors participating in the Microsoft Virus Information Alliance (VIA):
CA:
Win32.NachiMcAfee:
W32.Nachi.wormSymantec:
Win32/HLLW.WelchiaTrend Micro:
WORM_NACHI
Learn more about the
Microsoft Virus Information Alliance.
Related Security Bulletins
The following Microsoft Security bulletins are related to this issue:
MS03-001 - Unchecked Buffer in Locator Service Could Lead to Code Execution (810833)MS03-007 - Unchecked Buffer In Windows Component Could Cause Server Compromise (815021)MS03-026 - Buffer Overrun In RPC Interface Could Allow Code Execution (823980)MS03-039 - Buffer Overrun In RPCSS Service Could Allow Code Execution (824146)MS03-049 - Buffer Overrun in the Workstation Service Could Allow Code Execution (828749)Technical Analysis
When this worm runs on a computer, it copies itself to a folder inside the system folder, and then installs itself as a service using various names. Some variants of the worm also copy a system utility called Tftpd.exe to the same folder.
The worm tries to download various security updates and apply them to the infected computer. The worm restarts the system after each update is downloaded and executed.
Variants of the worm try to remove other malicious software that may be on the infected computer. This software includes Win32/MSBlast, Win32/Doomjuice, and variants of Win32/Mydoom.
Some variants replace Web pages on IIS servers with a Web page containing the heading "LET HISTORY TELL FUTURE!" and a list of dates and numbers.
The worm then scans for other systems over the network by sending ICMP Echo (ping) packets to TCP/IP addresses generated by the worm. If another system is at one of the generated addresses, the worm tries to exploit one or more of the vulnerabilities to transfer itself to the second system, which then runs the worm.
Most variants of this family have a built in expiration date of January 1, 2004. After this date, at system startup the worm either exits or deletes itself.
How to Prevent Infection
Take the following steps to help prevent infection on your system:
Enable a firewall on your computer
Get the latest computer updates
Use up-to-date antivirus software
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
Click Start, and click Control Panel.
Click Network and Internet Connections, and click Network Connections. If you do not see Network and Internet Connections, click Switch to Category View.
Highlight a connection that you want to help protect, and click Change settings of this connection.
Click Advanced, and select Protect my computer and network by limiting or preventing access to this computer from the Internet.
Click OK.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Microsoft Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates
Click Start, and click Control Panel.
Click Performance and Maintenance. If you do not see Performance and Maintenance , click Switch to Category View.
Click System.
Click Automatic Updates, and select Keep my computer up to date.
Select a setting. Microsoft recommends selecting Automatically download the updates, and install them on the schedule that I specify and setting a regular update time.
If you choose to have Automatic Updates notify you in step 5, you will see a notification balloon when new downloads are available to install. Click the notification balloon to review and install updates.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. You should always run antivirus software on your computer that is updated with the latest signature files to automatically help protect you from infection.
How to Tell If Your Computer Is Infected
If your computer is infected by Win32/Nachi, you may notice one or more of the following symptoms:
- Excessive ICMP network traffic
- System restart without user input
- Error messages from the RPC service
- HTML documents or Web pages stored on your computer are replaced with an HTML document containing serveral dates and numbers
How to Recover from Infection
Automatic Recovery
To attempt to automatically remove this threat, run one of the following removal tools:
Transmission Methods
| Method | Description |
|---|
| Exploits Vulnerability | |
