How to mitigate the effects of the Nachi worm

TCC_2 · ‎06-18-2009

Introduction:
References:

Introduction:

This documents describes the step to mitigate effects of Nachi Worm.

What is Nachi Worm?

Nachi Worm (W32 Nachi Worm) is an another name for Welchia Worm, It falls in genere of Internet worms which is seen in form of DLLHOST.EXE on systems using Windows XP SP1, Windows 2000 SP4 and below.

In Microsoft IIS 5.0. Nachi uses a vulnerability to exploit DCOM(Distributed Component Object Model) interface of RPC (Remote Procedure Call) which is present in detail at: Microsoft Security Bulletin MS03-026. It uses TCP port 135 and exploits the NTDLL.DLL vulnerability found in WebDav using TCP port 80, which is present in detail at: Microsoft Security Bulletin MS03-007

Once a system is infected by Nachi Worm what does the infected system do?

Nachi worm scans for active users
To infect the system it sends an ICMP echo or ping. This results in to a sudden increase in ICMP traffic.
In the infected system, Nachi worm removes the MS Blast Worm by application of a patch which ensures that other any threat should not infect the system using same vulnerability.
It opens a port 707 which is used to perform malicious jobs.
The worm deletes itself after the excution once the system clock is set to January 1, 2004.

Core issue

Many issues from the Nachi worm are from high volumes of 92-byte Internet Control Message Protocol (ICMP) type 8 (echo request) packets. Symptoms on Cisco devices include, but are not limited to, high CPU and traffic drops on the input interfaces.

This worm exploits two vulnerabilities previously disclosed by Microsoft.

For more information, refer to these documents: