Virus Alert: Nachi
This virus uses the same RPC security flaw as Lovesan to spread between Windows 2000 and Windows XP computers, as well as an older WebDAV vulnerability found on Windows 2000 web servers. This particular virus is apparently designed to try to remove the original Lovesan worm from an unpatched system and to install the necessary patch to fix the security flaw. Despite these potentially beneficial actions, it is still a virus because it spreads itself without a user's permission and because it creates services on the machine that will continue to run even after the system is patched and the Lovesan worm removed.
Like Lovesan, this virus does not require any user intervention to infect a machine: any computer that is not patched against the flaw can become infected and can spread the virus further.
The best protection against this virus is to patch the RPC flaw on your computer. Instructions on how to do that are available on our RPC alert page at http://www.helpdesk.umd.edu/virus/alerts/rpcflaw.shtml. System administrators responsible for Windows 2000 web servers should also make sure their systems are protected from the WebDAV vulnerability (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-007.asp).
Individuals who are running McAfee anti-virus products may see a virus warning pop-up regarding a virus/worm called Exploit-DcomRpc. That alert is an indication that the virus is attempting to infect your system, and that McAfee is attempting to block it. If you see this warning, your system has probably been protected from the virus by McAfee, but the virus may still have succeeded in creating a command shell that is open to hackers (it should not, however, have created the IRC bot), so you should still go through the removal steps below just to be safe.
More Details
The virus (also referred to by some vendors as MSBlast.D and Welchia) travels by scanning random IP addresses for the presence of the RPC flaw via TCP port 135 and the WebDAV flaw on Windows 2000 web servers on port 80. When it finds a computer that still has either of the flaws, it creates a remote shell on a random port between port 666 and 765 on that machine and then starts a TFTP session to create a directory called WINS in the Windows system32 directory, where it creates two files. Those files are:
- dllhost.exe, which is the virus
- svchost.exe, which is actually a renamed copy of tftpd.exe, the executable that allows for TFTP sessions
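The propagation pattern just described (one source probing many hosts on TCP 135 or 80, then connecting to a port in the 666-765 range on a host it just probed) is something a network administrator can look for in firewall or router logs. The following is an added example written for this alert, not code from the help desk or from any vendor. The log format it parses, the threshold of five distinct destinations, and the sample log lines are all constructed for the example.

```python
"""Flag hosts whose traffic matches the Nachi/Welchia propagation pattern.

Added example. The log line format below is invented for this example and
the SAMPLE_LOG entries are constructed, not captured from a real network.
"""
from collections import defaultdict
import re

# Constructed format: "<time> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>"
LOG_LINE = re.compile(
    r"^(?P<time>\S+)\s+(?P<proto>TCP|UDP)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<action>\w+)$"
)

SCAN_PORTS = {135, 80}         # RPC (TCP 135) and WebDAV (TCP 80), as the alert states
SHELL_PORTS = range(666, 766)  # the 666-765 remote shell range given in the alert
SCAN_THRESHOLD = 5             # distinct destinations before a source counts as scanning (assumed)

SAMPLE_LOG = [  # constructed sample lines
    "10:00:01 TCP 10.1.1.50:1031 -> 10.1.2.1:135 ALLOW",
    "10:00:01 TCP 10.1.1.50:1032 -> 10.1.2.2:135 ALLOW",
    "10:00:01 TCP 10.1.1.50:1033 -> 10.1.2.3:135 ALLOW",
    "10:00:02 TCP 10.1.1.50:1034 -> 10.1.2.4:80 ALLOW",
    "10:00:02 TCP 10.1.1.50:1035 -> 10.1.2.5:135 DENY",
    "10:00:02 TCP 10.1.1.50:1036 -> 10.1.2.6:135 ALLOW",
    "10:00:03 TCP 10.1.1.50:1037 -> 10.1.2.6:707 ALLOW",  # shell-range connection to a probed host
    "10:00:05 TCP 10.1.1.7:2001 -> 10.1.2.9:80 ALLOW",    # ordinary single web request
    "10:00:06 TCP 10.1.1.7:2002 -> 10.1.2.9:443 ALLOW",   # ordinary, outside the shell range
]


def parse(lines):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        events.append(d)
    return events


def find_scanners(events, threshold=SCAN_THRESHOLD):
    """Sources that touched at least `threshold` distinct hosts on TCP 135 or 80.

    Denied attempts count too: a blocked probe is still evidence of scanning.
    """
    targets = defaultdict(set)
    for e in events:
        if e["proto"] == "TCP" and e["dport"] in SCAN_PORTS:
            targets[e["src"]].add(e["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


def find_shell_followups(events):
    """(src, dst, port) for TCP connections in 666-765 from a source that had
    already probed the same destination on 135 or 80. Events are assumed to be
    in chronological order, as log lines normally are."""
    probed_by = defaultdict(set)
    findings = []
    for e in events:
        if e["proto"] != "TCP":
            continue
        if e["dport"] in SCAN_PORTS:
            probed_by[e["dst"]].add(e["src"])
        elif e["dport"] in SHELL_PORTS and e["src"] in probed_by[e["dst"]]:
            findings.append((e["src"], e["dst"], e["dport"]))
    return findings


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("scanning sources:", find_scanners(evts))
    print("probe followed by shell-range connection:", find_shell_followups(evts))
```

Hosts named by `find_shell_followups` are the ones to treat as possibly compromised and to check with the file indicators and removal steps in the rest of this alert; `find_scanners` alone only tells you a machine is probing, which on an infected network is usually the same thing.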
The virus then creates two system services that allow the worm to operate automatically. Details on these services can be found on Symantec's web page on the virus (Symantec refers to the virus as Welchia).
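The two file indicators above (dllhost.exe and svchost.exe inside a WINS directory under system32) and the services that run them can be checked for directly. The following is an added example for this alert, not code from the help desk or from any vendor. The alert does not name the two services, so the service check keys on the one thing the alert does give, the system32\WINS directory in the service's binary path; the service records and the fake system32 tree it builds are constructed sample data.

```python
r"""Check a system32 tree and a service list for the Nachi/Welchia indicators.

Added example. Point check_system32() at a real %SystemRoot%\system32 on a
Windows machine, or at the constructed tree build_sample_tree() creates.
"""
import os
import tempfile

# Per the alert: both files are created inside system32\WINS.
INDICATOR_FILES = ("dllhost.exe", "svchost.exe")


def check_system32(system32_dir):
    r"""Return the indicator files actually present under <system32_dir>\WINS.

    The WINS directory alone is not reported: only the named files are, since
    a legitimate svchost.exe lives in system32 itself, not in system32\WINS.
    """
    wins = os.path.join(system32_dir, "WINS")
    if not os.path.isdir(wins):
        return []
    present = {name.lower() for name in os.listdir(wins)}
    return [f for f in INDICATOR_FILES if f in present]


def flag_wins_services(service_records):
    r"""Names of services whose binary path lies under system32\WINS.

    service_records is a list of (service_name, binary_path) pairs; how you
    obtain it (service manager export, script) is up to you.
    """
    flagged = []
    for name, path in service_records:
        norm = path.replace("/", "\\").lower()
        if "\\system32\\wins\\" in norm:
            flagged.append(name)
    return flagged


def build_sample_tree():
    """Construct a throwaway fake system32 containing the indicator files.

    Sample data only: the files hold a placeholder string, not a binary.
    """
    root = tempfile.mkdtemp(prefix="fake_system32_")
    wins = os.path.join(root, "WINS")
    os.makedirs(wins)
    for f in INDICATOR_FILES:
        with open(os.path.join(wins, f), "wb") as fh:
            fh.write(b"placeholder, not a real executable")
    return root


SAMPLE_SERVICES = [  # constructed records; names are placeholders, not the real service names
    ("Spooler", r"C:\WINDOWS\system32\spoolsv.exe"),
    ("SampleServiceA", r"C:\WINDOWS\system32\WINS\svchost.exe"),
    ("SampleServiceB", r"C:\WINDOWS\system32\WINS\dllhost.exe"),
]


if __name__ == "__main__":
    fake_root = build_sample_tree()
    print("indicator files found:", check_system32(fake_root))
    print("services running from system32\\WINS:", flag_wins_services(SAMPLE_SERVICES))
```

Finding either file, or any service whose binary lives in system32\WINS, means the machine should be handled as infected: patch first, then update and run the anti-virus scan as described under Removing the Virus, since removing the files without patching leaves the machine open to reinfection.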
The virus halts the process created by the original Lovesan worm and deletes the Lovesan file msblast. It then checks the version of the operating system and attempts to download and install the appropriate RPC patch for the system. It is not clear what happens when the virus tries to install a patch on a Windows system that requires a service pack update in order to install the patch.
The virus will supposedly disable and remove itself if it detects that the year is 2004.
Avoiding the Virus
Since no user intervention is required for the virus to move from computer to computer, the only way to avoid having the virus transmitted to your system is to apply the RPC security patch. Instructions on how to do this are available at http://www.helpdesk.umd.edu/virus/alerts/rpcflaw.shtml. System administrators running Windows 2000 web services should make sure that their servers are patched for the WebDAV vulnerability as well.
Removing the Virus
If your system has been infected by the virus, the first thing to do is to patch the system. Otherwise, your system would be infected again the moment you removed the virus. Download and install the appropriate patch as instructed at http://www.helpdesk.umd.edu/virus/alerts/rpcflaw.shtml.
Once your system has been patched, update your anti-virus software and perform a full scan of your computer system. Users of the McAfee VirusScan or NetShield software can manually update their software in one of two ways. One way is to go to the McAfee corporate edition website (www.mcafeeb2b.com), click on Downloads (in the left column of options), then click on the link for DATs under the Virus Protection section. There you will find download links for both the DAT File and the SuperDAT file (the first two links). Click on and download the SuperDAT file, then double-click on the downloaded file to fully update your software.
The other way to update the software is through the VirusScan/NetShield Console component. VirusScan users can open the VirusScan Console by clicking on Start | Programs | Network Associates | VirusScan Console. Once the console window is open, select AutoUpdate from the list of tasks and then click on the Start button (the one with the green triangle) to perform the update (remember that you will need to be connected to the Internet at the time you perform this operation).
If you don't have any anti-virus software on your computer but you are a member of UMCP, you can download and install McAfee VirusScan from http://www.helpdesk.umd.edu/virus/software.shtml.
Additional Information
For further information, visit:
McAfee: http://vil.nai.com/vil/content/v_100559.htm
Symantec: http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.html
Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.D&VSect=T