This document describes the steps to mitigate the effects of the Nachi worm.
What is the Nachi worm?
The Nachi worm (W32/Nachi) is another name for the Welchia worm. It is an Internet worm that appears as a file named DLLHOST.EXE on systems running Windows XP SP1, Windows 2000 SP4 and earlier.
Nachi exploits two vulnerabilities. The first is in the DCOM (Distributed Component Object Model) interface of RPC (Remote Procedure Call), reached over TCP port 135 and described in detail in Microsoft Security Bulletin MS03-026. The second is the NTDLL.DLL vulnerability exposed through WebDAV in Microsoft IIS 5.0, reached over TCP port 80 and described in detail in Microsoft Security Bulletin MS03-007.
What does a system do once it is infected by the Nachi worm?
The Nachi worm scans for active hosts.
Before trying to infect a target it sends an ICMP echo request (ping) to check that the host is up. This results in a sudden increase in ICMP traffic.
On the infected system, Nachi removes the MSBlast worm and applies the patch for the RPC DCOM vulnerability (MS03-026), so that no other threat can infect the system through the same vulnerability.
It opens port 707 and uses it to carry out further malicious tasks.
The worm deletes itself the next time it runs once the system clock has reached January 1, 2004.
Many of the issues caused by the Nachi worm come from the high volumes of 92-byte Internet Control Message Protocol (ICMP) type 8 (echo request) packets generated by its scanning. Symptoms on Cisco devices include, but are not limited to, high CPU load and traffic drops on the input interfaces.
The worm exploits two vulnerabilities previously disclosed by Microsoft, MS03-026 and MS03-007; hosts patched for both cannot be infected by it.
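The ICMP scanning behaviour described above (the echo-request sweep used to find live hosts, and the resulting flood of 92-byte ICMP type 8 packets seen on network devices) can be picked out of flow or packet logs before the infected host is found by other means. The following is an added example written for this page, not code from the original document or from any vendor: it parses constructed, NetFlow-like records in an assumed "src dst proto icmp_type length" format and flags any source that sends many 92-byte echo requests to many distinct destinations. The record format, the sample data and the thresholds (20 packets, 10 distinct destinations) are assumptions for illustration, not values taken from the page.

```python
"""Flag hosts that emit Nachi-style ICMP echo-request sweeps.

Added example, not part of the original page. The record format
('src dst proto icmp_type length'), the sample records and the
thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Nachi's probes are 92-byte ICMP echo requests (type 8).
NACHI_ICMP_LEN = 92
ICMP_ECHO_REQUEST = 8

# Assumed thresholds: a worm sweep touches many hosts in a short window,
# whereas a human pinging a gateway hits one destination.
MIN_PACKETS = 20
MIN_DISTINCT_DSTS = 10


@dataclass
class FlowRecord:
    src: str
    dst: str
    proto: str
    icmp_type: int   # -1 for non-ICMP records (constructed convention)
    length: int      # IP packet length in bytes


def parse_record(line: str) -> FlowRecord:
    """Parse one whitespace-separated 'src dst proto icmp_type length' record."""
    src, dst, proto, icmp_type, length = line.split()
    return FlowRecord(src, dst, proto, int(icmp_type), int(length))


def is_nachi_probe(rec: FlowRecord) -> bool:
    """True if the record matches the worm's 92-byte echo-request signature."""
    return (rec.proto == "icmp"
            and rec.icmp_type == ICMP_ECHO_REQUEST
            and rec.length == NACHI_ICMP_LEN)


def find_sweepers(lines, min_packets=MIN_PACKETS, min_dsts=MIN_DISTINCT_DSTS):
    """Return {src: (probe_count, distinct_destinations)} for suspicious sources.

    A source is reported only when it sent at least min_packets matching
    probes to at least min_dsts distinct destinations.
    """
    counts = defaultdict(int)
    dsts = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_record(line)
        if is_nachi_probe(rec):
            counts[rec.src] += 1
            dsts[rec.src].add(rec.dst)
    return {src: (counts[src], len(dsts[src]))
            for src in counts
            if counts[src] >= min_packets and len(dsts[src]) >= min_dsts}


def sample_records():
    """Constructed sample log: one sweeping host, one normal pinger, TCP noise."""
    lines = []
    # 10.0.0.5 sweeps 10.0.1.1 - 10.0.1.30 with 92-byte echo requests
    for i in range(1, 31):
        lines.append(f"10.0.0.5 10.0.1.{i} icmp 8 92")
    # 10.0.0.9 pings its gateway 40 times with 84-byte packets (not the worm's size)
    for _ in range(40):
        lines.append("10.0.0.9 10.0.0.1 icmp 8 84")
    # ordinary web traffic, recorded with icmp_type -1
    for i in range(1, 6):
        lines.append(f"10.0.0.{i} 192.0.2.10 tcp -1 1500")
    return lines


if __name__ == "__main__":
    for src, (pkts, n_dst) in find_sweepers(sample_records()).items():
        print(f"{src}: {pkts} x 92-byte echo requests to {n_dst} distinct hosts")
```

On the sample data only 10.0.0.5 is reported: the host pinging its gateway sends more packets, but to a single destination and at a different size, so it is not flagged. Tune both thresholds to the size of the network and the sampling rate of the flow export, and treat a flagged host as a candidate for isolation and a check for DLLHOST.EXE rather than as proof of infection on its own.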