
W32/Nachi.worm.c

Feb 17, 2004 12:59PM PST

Date Discovered: 2/13/2004
Date Added: 2/15/2004
Origin: Unknown
Length: 12,800
Type: Virus
SubType: Internet Worm

Virus Characteristics

This is a repackaged version of the .b variant. It functions the same as the .b variant.

This threat is proactively detected as Exploit-DcomRpc.gen with the 4.2.60 scan engine, or higher, and the 4290 DAT files, or higher, when scanning compressed executables, default option.

This virus exploits the MS03-026 / MS03-039 vulnerability (DCOM RPC), the MS03-007 vulnerability (NTDLL via WebDav), and the MS03-049 vulnerability (Workstation service).

Installation
To ensure only one instance of the worm on the victim machine, a mutex of the following name is created:

WksPatch_Mutex

The virus installs itself within a DRIVERS directory in the Windows System directory:

C:\WINNT\SYSTEM32\DRIVERS\SVCHOST.EXE (12,800 bytes)

Please Note: There is a perfectly legitimate system file with filename SVCHOST.EXE in the WINDOWS SYSTEM directory with the same filesize.

The following service is installed:

WksPatch Set to run the installed copy of the worm (SVCHOST.EXE)
Display name varies as it's constructed from the following strings. The virus chooses one string from each column (such as "License Procedure Messaging")


Read more: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101025
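A local host check for the three indicators listed in the description above (the DRIVERS copy of SVCHOST.EXE, the WksPatch service, and the WksPatch_Mutex mutex). This is an added example, not part of the original post or the vendor write-up; it assumes PowerShell 3.0 or later, and the function name `Test-NachiIndicators` and the extra `Global\` mutex name are assumptions made for the example.

```powershell
# Added example: checks the local host for the indicators in the description.
# Assumption: $env:SystemRoot is the Windows directory (C:\WINNT in the text).

function Test-NachiIndicators {
    $findings = @()

    # 1. Worm copy: svchost.exe inside the DRIVERS subdirectory. The legitimate
    #    svchost.exe sits one level up, so match on the path, not name or size.
    $wormPath = Join-Path $env:SystemRoot 'System32\drivers\svchost.exe'
    if (Test-Path -LiteralPath $wormPath -PathType Leaf) {
        $file = Get-Item -LiteralPath $wormPath -Force
        $findings += "File present: $wormPath ($($file.Length) bytes)"
    }

    # 2. Service: the display name varies, so match on the service name or on
    #    any service whose binary path points at the drivers copy.
    $services = Get-CimInstance -ClassName Win32_Service | Where-Object {
        $_.Name -eq 'WksPatch' -or $_.PathName -like '*\drivers\svchost.exe*'
    }
    foreach ($svc in $services) {
        $findings += "Service: $($svc.Name) [$($svc.DisplayName)] -> $($svc.PathName)"
    }

    # 3. Mutex: exists only while the worm is running. Trying the Global\
    #    prefix is an assumption; the description gives only the bare name.
    foreach ($name in 'WksPatch_Mutex', 'Global\WksPatch_Mutex') {
        try {
            $m = [System.Threading.Mutex]::OpenExisting($name)
            $m.Close()
            $findings += "Mutex open: $name"
        }
        catch [System.Threading.WaitHandleCannotBeOpenedException] {
            # Mutex does not exist: nothing to report.
        }
        catch [System.UnauthorizedAccessException] {
            $findings += "Mutex exists but access was denied: $name"
        }
    }

    return ,$findings
}

$result = Test-NachiIndicators
if ($result.Count -eq 0) { 'No W32/Nachi.worm.c indicators found.' }
else { $result }
```

A clean result only means these three indicators are absent; it does not show that the MS03-026, MS03-039, MS03-007 and MS03-049 patches are installed.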
