WORM_NACHI.E

Mar 13, 2004 8:30AM PST

Virus type: Worm

Destructive: No

Aliases: Worm.Win32.Welchia.e, Win32:Nachi-E, Worm/Welchia.E

Description:


This memory-resident worm exploits certain vulnerabilities to propagate across networks.

It takes advantage of the following vulnerabilities:

Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) Vulnerability
IIS5/WEBDAV Buffer Overrun Vulnerability
MS Workstation Service Vulnerability
Locator Service Vulnerability

For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages:

Microsoft Security Bulletin MS03-026
Microsoft Security Bulletin MS03-007
Microsoft Security Bulletin MS03-049
Microsoft Security Bulletin MS03-001

It patches the system against the RPC DCOM Buffer Overflow vulnerability by checking the operating system version and locale information, and connecting to specific sites.

It attempts to delete several files, which it assumes to be related to the malware WORM_MYDOOM.A and WORM_MYDOOM.B.

This worm has backdoor capabilities, modifies the Windows registry and overwrites certain files if the system language is Japanese.

It runs on Windows 2000 and XP.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NACHI.E