This document describes the steps to mitigate the effects of the Nachi worm.
What is Nachi Worm?
The Nachi worm (W32 Nachi Worm) is another name for the Welchia worm. It belongs to the family of Internet worms and appears as DLLHOST.EXE on systems running Windows XP SP1, Windows 2000 SP4 and earlier.
Nachi exploits a vulnerability in the DCOM (Distributed Component Object Model) interface of RPC (Remote Procedure Call), described in detail in Microsoft Security Bulletin MS03-026, over TCP port 135. It also exploits the NTDLL.DLL vulnerability in the WebDAV component of Microsoft IIS 5.0, described in detail in Microsoft Security Bulletin MS03-007, over TCP port 80.
Once a system is infected by the Nachi worm, what does the infected system do?
The Nachi worm scans for active hosts on the network.
Before attempting to infect a system it sends an ICMP echo request (ping) to it. This results in a sudden increase in ICMP traffic.
On an infected system, the Nachi worm removes the MSBlast worm and applies a patch so that no other threat can infect the system through the same vulnerability.
It opens port 707, which it uses for its malicious activity.
The worm deletes itself on execution once the system clock reaches January 1, 2004.
Many of the problems caused by the Nachi worm stem from high volumes of 92-byte Internet Control Message Protocol (ICMP) type 8 (echo request) packets. Symptoms on Cisco devices include, but are not limited to, high CPU utilization and traffic drops on the input interfaces.
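As an added example (not part of the original document), the following Python script shows how the 92-byte ICMP echo-request signature described above can be checked on raw IPv4 packets and used to flag a source that is sweeping many hosts with such pings. The packets, addresses and the 64-byte 0xAA payload are constructed test data, and the ten-target threshold is an assumption.

```python
import struct
from collections import defaultdict

ICMP_ECHO_REQUEST = 8
NACHI_PKT_LEN = 92  # 20-byte IP header + 8-byte ICMP header + 64-byte payload

def checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp_echo(src: str, dst: str, payload: bytes) -> bytes:
    """Construct a raw IPv4 + ICMP echo request (constructed test traffic, not a capture)."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + icmp

def is_nachi_like(pkt: bytes) -> bool:
    """True for a 92-byte IPv4 ICMP echo request, the signature the text describes."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", pkt[2:4])[0], pkt[9]
    return proto == 1 and total_len == NACHI_PKT_LEN and pkt[ihl] == ICMP_ECHO_REQUEST

def flag_scanners(packets, min_targets=10):
    """Return {src: distinct destinations} for sources whose Nachi-like pings reach >= min_targets hosts."""
    targets = defaultdict(set)
    for pkt in packets:
        if is_nachi_like(pkt):
            src = ".".join(map(str, pkt[12:16]))
            targets[src].add(".".join(map(str, pkt[16:20])))
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}

# Constructed sample traffic: one host sweeping 40 addresses with 64-byte 0xAA payloads,
# plus a host sending ordinary 56-byte-payload pings to a single destination.
SAMPLE = [build_icmp_echo("10.0.0.5", "10.0.1.%d" % i, b"\xaa" * 64) for i in range(1, 41)]
SAMPLE += [build_icmp_echo("10.0.0.9", "10.0.1.1", b"\x00" * 56) for _ in range(40)]

if __name__ == "__main__":
    print(flag_scanners(SAMPLE))  # {'10.0.0.5': 40}
```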
This worm exploits two vulnerabilities previously disclosed by Microsoft.