Skip to main content
Skip to main content
Microsoft Security Intelligence
Cart 0 items in shopping cart
Sign in
Published Nov 29, 2004 | Updated Sep 15, 2017

Worm:Win32/Nachi.C

Detected by Microsoft Defender Antivirus

Aliases: W32.Welchia.C.Worm (Symantec) WORM_NACHI.C (Trend Micro)

Summary

Win32/HLLW.Nachi.C is a network worm that targets Microsoft Windows 2000 and Windows XP. It propagates by exploiting several known vulnerabilities. It tries to download and apply security updates if it detects the operating system is a certain language version. It also tries to remove certain worms if they are on the infected system.
To manually recover from infection by Win32/HLLW.Nachi.C, perform the following steps:
  • Disconnect from the Internet
  • Remove the worm service
  • Delete the worm files from your computer
  • Delete the worm registry entry
  • Take steps to prevent re-infection

Disconnect from the Internet

To help ensure that your computer is not actively infecting other computers, you should disconnect it from the Internet before proceeding. Print this Web page or save a copy on your computer; then unplug your network cable and disable your wireless connection. You can reconnect to the Internet after completing these steps.

Remove the worm service

Removing the worm service will help stop your computer from infecting other computers as well as resolve the crashing, rebooting, and performance degradation issues caused by the worm.
To remove the worm service
  1. On the Start menu, click Control Panel.
  2. Double-click Administrative Tools.
  3. Double-click Services.
  4. Right-click the WksPatch service. If the service is running, click Stop.
  5. Right-click the service again and click Properties.
  6. In the Startup Type list, click Disabled.
Note: The name displayed in the Services tool is the service display name instead of the service name. WksPatch is the service name, not the service display name. The service display name for the WksPatch service is randomly generated; it can be found in the following registry key value for the WksPatch service: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WksPatch\DisplayName

Delete the worm files from your computer

After you end the worm process, you should delete the worm code from your computer.
To delete the worm files from your computer
  1. Click Start, and click Run.
  2. In the Open field, type %windir%\system32\drivers
  3. Click OK.
  4. Click Name to sort files by name.
  5. If svchost.exe is in the list, delete it.
  6. On the desktop, right-click the Recycle Bin and click Empty Recycle Bin.
  7. Click Yes.
This removes the worm code from your computer.
If deleting files fails, use the steps of To remove the worm service to verify that WskPatch service is not running.

Delete the worm registry entry

To delete the worm registry entry
  1. On the Start menu, click Run.
  2. Type regedit and click OK.
  3. In the left pane, navigate to the key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WksPatch
  4. Click Delete and click Yes to delete the key.
  5. Close the Registry Editor.

Take steps to prevent re-infection

You should not reconnect your computer to the Internet until the computer is protected from re-infection. See the "Preventing Infection" section for more information.
Follow us