12-09-2003 06:17 AM - edited 03-09-2019 05:48 AM
Before we enabled this signature, we would catch MSBlaster/Nachi infected machines using the 3327 (RPC DCOM Overflow) and 3328 (SMB/RPC NoOp Sled) signatures.
Now that 2156 is enabled, infected machines trigger all three.
My question is this, however. Sometimes we get machines that just trigger 2156 and none of the others. In fact, in a 30 minute period, a source machine could easily generate 30,000+ sig 2156 events.
So I'm wondering, since the other two signatures are never triggered, what exactly is going on with these machines? Is there some mutation, or other worm, out there that pings, or has re-used the pinging code from Nachi?
When we find these suspect machines, we run scanms.exe/retina.exe etc. against them, and they are sometimes reported as patched (which leads me to believe that something else is going on).
Any assistance is much appreciated, thanks.
12-09-2003 12:33 PM
This is classic Nachi. The machine infects a vulnerable host, patches it, tries to infect others... then stops... all the while it is spewing the Nachi Echo Request packets, which never stop.
These boxes are infected with Nachi, but are not vulnerable... just noisy in terms of the network.
12-09-2003 01:32 PM
I understand that machines can remain infected even though patched.
My question was that so far, all identified Nachi infections trigger three signatures (the ones mentioned above).
BUT periodically we see machines that just trigger the 2156 signature and no others. And so I was wondering if this can be classed as Nachi in such a black-and-white manner, or if there may indeed be something else going on.
12-09-2003 01:40 PM
Just as a note, could this be the Nachi patcher worm? It perhaps uses the same discovery mechanism as Nachi (hence the 2156 signature match), but does not trigger the other DCOM signatures.
Is this plausible? I can't remember what this was called, or if there was one.
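The thread's triage problem (which sources show the full 3327 + 3328 + 2156 pattern, which show only 2156, and how noisy each one is) can be scripted. The block below is an added example, not the poster's tooling or anything from Cisco; it assumes a constructed `timestamp,src_ip,sig_id` line format rather than any real sensor export, the `ping_threshold` of 1000 events per 30 minutes is an arbitrary choice for illustration, and the sample events are made up. It only sorts sources into the categories the posts describe; a "2156-only" verdict is a prompt to check the host, not proof of what is running on it.

```python
"""Triage IDS events into the Nachi profiles discussed in the thread.

Added example, not the poster's or Cisco's tooling. It assumes a constructed
'YYYY-mm-dd HH:MM:SS,src_ip,sig_id' line format rather than any real sensor
export, and uses only the three signature numbers named in the thread.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Signature IDs as named in the thread.
SIG_RPC_DCOM_OVERFLOW = 3327
SIG_SMB_RPC_NOOP_SLED = 3328
SIG_NACHI_ECHO_REQUEST = 2156
EXPLOIT_SIGS = {SIG_RPC_DCOM_OVERFLOW, SIG_SMB_RPC_NOOP_SLED}

TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_events(lines):
    """Parse 'timestamp,src_ip,sig_id' lines into (datetime, src, sig) tuples."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, sig = line.split(",")
        events.append((datetime.strptime(ts, TS_FMT), src, int(sig)))
    return events


def peak_count(times, window=timedelta(minutes=30)):
    """Largest number of events that fall inside any sliding window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def triage(events, ping_threshold=1000):
    """Group events by source and classify each source.

    'full-profile' : 2156 plus both exploit signatures (the classic Nachi pattern)
    '2156-only'    : only the echo-request signature; per the thread this may be a
                     host that was infected, then patched, and is still pinging,
                     but it has to be verified on the host, not assumed
    'exploit-only' : RPC/SMB signatures without the Nachi ping
    'partial'      : 2156 with only one of the two exploit signatures
    """
    by_src = defaultdict(list)
    for ts, src, sig in events:
        by_src[src].append((ts, sig))

    report = {}
    for src, evs in by_src.items():
        sigs = {sig for _, sig in evs}
        ping_times = [ts for ts, sig in evs if sig == SIG_NACHI_ECHO_REQUEST]
        peak = peak_count(ping_times)
        if SIG_NACHI_ECHO_REQUEST not in sigs:
            verdict = "exploit-only"
        elif EXPLOIT_SIGS <= sigs:
            verdict = "full-profile"
        elif sigs == {SIG_NACHI_ECHO_REQUEST}:
            verdict = "2156-only"
        else:
            verdict = "partial"
        report[src] = {
            "sigs": sorted(sigs),
            "peak_2156_per_30min": peak,
            "noisy": peak >= ping_threshold,  # worth a host check even if "patched"
            "verdict": verdict,
        }
    return report


# ---- constructed sample data (not real sensor output) ----
T0 = datetime(2003, 12, 9, 6, 0, 0)


def _burst(src, sig, start, count, step_seconds):
    """Emit `count` events for one source/signature, `step_seconds` apart."""
    return [
        f"{(start + timedelta(seconds=i * step_seconds)).strftime(TS_FMT)},{src},{sig}"
        for i in range(count)
    ]


SAMPLE_LOG = (
    _burst("10.0.0.5", SIG_RPC_DCOM_OVERFLOW, T0, 2, 60)       # exploit attempts
    + _burst("10.0.0.5", SIG_SMB_RPC_NOOP_SLED, T0, 2, 60)
    + _burst("10.0.0.5", SIG_NACHI_ECHO_REQUEST, T0, 600, 2)   # 600 pings in 20 min
    + _burst("10.0.0.9", SIG_NACHI_ECHO_REQUEST, T0, 1800, 1)  # 1800 pings in 30 min, nothing else
    + _burst("10.0.0.20", SIG_RPC_DCOM_OVERFLOW, T0, 1, 60)    # a lone RPC hit
)


if __name__ == "__main__":
    for src, info in sorted(triage(parse_events(SAMPLE_LOG)).items()):
        print(src, info)
```

Run as-is, it prints one line per source: 10.0.0.5 comes out as full-profile, 10.0.0.9 as 2156-only and noisy, 10.0.0.20 as exploit-only. The sliding-window count is what makes the 30,000-in-30-minutes style observation from the thread reproducible from an event export instead of eyeballed from the console.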