W32/Nachi.worm.e

Type: Virus
SubType: Internet Worm
Discovery Date: 02/24/2004
Length: 13,763
Minimum DAT: 4329 (02/27/2004)
Updated DAT: 4604 (10/13/2005)
Minimum Engine: 5.1.00
Description Added: 04/05/2004
Description Modified: 04/05/2004 4:58 PM (PT)
Risk Assessment: Corporate User - Low; Home User - Low

Characteristics

This is a minor variant of the .b variant (W32/Nachi.worm.b).

This threat is proactively detected as Exploit-DcomRpc.gen with the 4.2.60 scan engine or higher and the 4290 DAT files or higher, provided the scanning of compressed executables (the default option) is enabled.

This virus exploits the MS03-026 / MS03-039 vulnerability (DCOM RPC), the MS03-007 vulnerability (NTDLL via WebDAV), and the MS03-049 vulnerability (Workstation service).

Installation
To ensure only one instance of the worm on the victim machine, a mutex of the following name is created:

WksPatch_Mutex

The virus installs itself within a DRIVERS directory in the Windows System directory:

C:\WINNT\SYSTEM32\DRIVERS\SVCHOST.EXE (12,800 bytes)

Please Note: There is a perfectly legitimate system file with filename SVCHOST.EXE in the WINDOWS SYSTEM directory with the same filesize.

The following service is installed:

  • WksPatch: set to run the installed copy of the worm (SVCHOST.EXE)

The display name varies: it is constructed by choosing one string from each of the following three columns and concatenating them (for example "License Procedure Messaging"; the leading spaces belong to the strings).

Column 1: "Browser", "System", "Security", "Remote", "Routing", "Performance", "Network", "License", "Internet"
Column 2: " Logging", " Manager", " Procedure", " Accounts", " Event"
Column 3: " Provider", " Sharing", " Messaging", " Client", "" (empty string)

Downloading of Patches
The worm carries links to various patches for the MS03-049 vulnerability:

  • http://download.microsoft.com/download/4/d/3/4d375d48-04c7-411f-959b-3467c5ef1e9a/WindowsXP-KB828035-x86-CHS.exe   
  • http://download.microsoft.com/download/a/4/3/a43ea017-9abd-4d28-a736-2c17dd4d7e59/WindowsXP-KB828035-x86-KOR.exe   
  • http://download.microsoft.com/download/e/a/e/eaea4109-0870-4dd3-88e0-a34035dc181a/WindowsXP-KB828035-x86-ENU.exe   
  • http://download.microsoft.com/download/9/c/5/9c579720-63e9-478a-bdcb-70087ccad56c/Windows2000-KB828749-x86-CHS.exe 
  • http://download.microsoft.com/download/0/8/4/084be8b7-e000-4847-979c-c26de0929513/Windows2000-KB828749-x86-KOR.exe 
  • http://download.microsoft.com/download/3/c/6/3c6d56ff-ff8e-4322-84cb-3bf9a915e6d9/Windows2000-KB828749-x86-ENU.exe

The worm attempts to download and install one of these patches on the victim machine.

Removal of W32/Mydoom.a@MM, W32/Mydoom.b@MM, W32/Doomjuice.worm.a and W32/Doomjuice.worm.b
The worm also looks for W32/Mydoom.a@MM, W32/Mydoom.b@MM, W32/Doomjuice.worm.a and W32/Doomjuice.worm.b on an infected system and removes them by deleting the following files and the registry keys they created:

  • %SysDir%\ctfmon.dll
  • %SysDir%\Explorer.exe
  • %SysDir%\shimgapi.dll
  • %SysDir%\TaskMon.exe
  • %SysDir%\Intrenat.exe
  • %SysDir%\Regedit.exe 

The HOSTS file is also overwritten with the following text:

#
#

127.0.0.1       localhost

HTML Page
The virus carries the following HTML document and overwrites .shtml, .shtm, .stm, .cgi, .php, .html, .htm, and .asp files in the Virtual Root and IIS Help directories on Japanese systems:

LET HISTORY TELL FUTURE !

1931.9.18
1937.7.7
1937.12.13 300,000 !

1941.12.7
1945.8.6 Little boy
1945.8.9 Fatso

1945.8.15
Let history tell future !

Self-Termination
The virus has a self-termination date of June 1, 2004 (or 120 days after installation), at which time the virus uninstalls itself from the system. This termination process does not happen on the Japanese version of Windows.

Symptoms

  • Large amounts of network traffic emitted by a system
  • WksPatch service name (not display name, which varies) present on the system
  • SVCHOST.EXE file present in the %System%\DRIVERS directory (the legitimate SVCHOST.EXE lives in %System% itself)
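The symptoms above, together with the installation details (fixed service name WksPatch, randomised display name built from three word columns, image at %System%\DRIVERS\SVCHOST.EXE), can be turned into a host-side check. The script below is an added example and is not code from the advisory or from McAfee: the indicator values come from the advisory, while the service records it scans are constructed sample input and the record layout (service name, display name, image path) is an assumption about how an administrator would export the service list.

```python
"""Host-based indicator check for W32/Nachi.worm.e.

Added example, not code from the advisory. Indicator values (service name,
image path, display-name word lists) are taken from the advisory; the service
records below are constructed sample input, and the (name, display name,
image path) record layout is an assumption.
"""
import itertools
import ntpath

# Display-name word lists from the advisory: one entry from each column is
# concatenated, e.g. "License" + " Procedure" + " Messaging".
COL1 = ["Browser", "System", "Security", "Remote", "Routing",
        "Performance", "Network", "License", "Internet"]
COL2 = [" Logging", " Manager", " Procedure", " Accounts", " Event"]
COL3 = [" Provider", " Sharing", " Messaging", " Client", ""]

WORM_SERVICE_NAME = "WksPatch"


def display_name_candidates():
    """Every display name the worm can construct (9 x 5 x 5 = 225 strings)."""
    return {a + b + c for a, b, c in itertools.product(COL1, COL2, COL3)}


def worm_image_path(system_dir):
    """Where the worm installs itself: %System%\\DRIVERS\\SVCHOST.EXE (normalised)."""
    return ntpath.normcase(ntpath.join(system_dir, "DRIVERS", "SVCHOST.EXE"))


def classify_service(service_name, display_name, image_path,
                     system_dir=r"C:\WINNT\SYSTEM32"):
    """Return the reasons a service record looks like the worm's service.

    The service *name* WksPatch is the reliable indicator; the display name is
    randomised from the word lists, so it only corroborates. The file is
    identified by its location, not its size: the advisory notes that the
    legitimate %System%\\SVCHOST.EXE has the same size.
    """
    reasons = []
    if service_name.lower() == WORM_SERVICE_NAME.lower():
        reasons.append("service name is WksPatch")
    if ntpath.normcase(ntpath.normpath(image_path)) == worm_image_path(system_dir):
        reasons.append("image is SVCHOST.EXE under %System%\\DRIVERS")
    if display_name in display_name_candidates():
        reasons.append("display name matches the worm's word-combination pattern")
    return reasons


def scan_services(records, system_dir=r"C:\WINNT\SYSTEM32"):
    """Map service name -> reasons, for every record with at least one hit."""
    hits = {}
    for name, display, image in records:
        reasons = classify_service(name, display, image, system_dir)
        if reasons:
            hits[name] = reasons
    return hits


# Constructed sample: one legitimate svchost-hosted service, one worm service.
SAMPLE_SERVICES = [
    ("RpcSs", "Remote Procedure Call (RPC)",
     r"C:\WINNT\system32\svchost.exe"),
    ("WksPatch", "License Procedure Messaging",
     r"C:\WINNT\SYSTEM32\DRIVERS\SVCHOST.EXE"),
]

if __name__ == "__main__":
    for name, reasons in scan_services(SAMPLE_SERVICES).items():
        print(name, "->", "; ".join(reasons))
```

Feeding it real data means exporting the service table (name, display name, image path) from the host being checked; the legitimate svchost.exe entry is not flagged because its path is %System% rather than %System%\DRIVERS, and its display name is not one of the 225 combinations the worm can produce.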

Method of Infection

When run, the worm checks for an Internet connection by contacting the following sites:

  • google.com 
  • intel.com  
  • microsoft.com

The virus targets random IP addresses on TCP ports 80, 135, and 445 in an attempt to exploit the Microsoft vulnerabilities listed above and infect the system. The virus runs a web server on a random TCP port and instructs victim systems to download and execute the file WksPatch.exe from the attacking system.
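The propagation behaviour just described (random addresses, TCP 80/135/445) is what the "large amounts of network traffic" symptom looks like at a firewall or router: one internal host fanning out to many distinct destinations on those ports. The script below is an added example, not code from the advisory or from McAfee; it parses a constructed connection-log format (timestamp, action, protocol, source -> destination) and flags sources whose distinct-target count on the worm's ports exceeds a threshold. The log format and the threshold of five targets are assumptions.

```python
"""Connection-log scan detection for Nachi-style propagation.

Added example, not code from the advisory. The advisory states that the worm
probes random IP addresses on TCP ports 80, 135 and 445; this script flags
internal hosts that contact many distinct addresses on those ports. The log
line format and the default threshold are assumptions.
"""
import re
from collections import defaultdict

WORM_PORTS = {80, 135, 445}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: 10.0.0.5 fans out to six addresses on 135/445/80,
# 10.0.0.9 makes ordinary web connections. 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges.
SAMPLE_LOG = """\
2004-02-25 10:00:01 ALLOW TCP 10.0.0.9:1030 -> 198.51.100.10:80
2004-02-25 10:00:02 ALLOW TCP 10.0.0.9:1031 -> 198.51.100.10:80
2004-02-25 10:00:03 ALLOW TCP 10.0.0.9:1032 -> 198.51.100.11:80
2004-02-25 10:00:04 DENY TCP 10.0.0.5:1040 -> 203.0.113.1:135
2004-02-25 10:00:04 DENY TCP 10.0.0.5:1041 -> 203.0.113.2:135
2004-02-25 10:00:04 DENY TCP 10.0.0.5:1042 -> 203.0.113.3:445
2004-02-25 10:00:05 DENY TCP 10.0.0.5:1043 -> 203.0.113.4:445
2004-02-25 10:00:05 ALLOW TCP 10.0.0.5:1044 -> 203.0.113.5:80
2004-02-25 10:00:05 DENY TCP 10.0.0.5:1045 -> 203.0.113.6:135
2004-02-25 10:00:06 ALLOW TCP 10.0.0.5:1046 -> 198.51.100.20:25
not a firewall record
"""


def parse_records(lines):
    """Yield parsed records; lines that do not match the format are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield {"src": m["src"], "dst": m["dst"],
                   "dport": int(m["dport"]), "action": m["action"]}


def distinct_targets(lines, ports=WORM_PORTS):
    """Map source IP -> set of distinct destination IPs contacted on `ports`.

    Denied and allowed connections both count: a scanning host is identified
    by the fan-out of its attempts, not by whether the firewall let them through.
    """
    targets = defaultdict(set)
    for rec in parse_records(lines):
        if rec["dport"] in ports:
            targets[rec["src"]].add(rec["dst"])
    return targets


def flagged_sources(lines, min_distinct=5, ports=WORM_PORTS):
    """Sources that contacted at least `min_distinct` distinct hosts on `ports`."""
    return sorted(src for src, dsts in distinct_targets(lines, ports).items()
                  if len(dsts) >= min_distinct)


if __name__ == "__main__":
    for src in flagged_sources(SAMPLE_LOG.splitlines()):
        print("possible scanner:", src)
```

Connections to port 25 are ignored because they fall outside the worm's port set, and the malformed last line is skipped by the parser. In a real environment the threshold has to be tuned per time window: a busy proxy or domain controller legitimately contacts many hosts on port 80 or 445, whereas a workstation reaching dozens of previously unseen addresses on 135 in a few seconds is the pattern this worm produces.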

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32.Welchia.D.Worm (Symantec)
  • W32/Nachi-E (Sophos)
  • Win32.Nachi.H (CA)
  • Worm.Win32.Welchia.e (AVP)
  • WORM_NACHI.E (Trend)
