
How to mitigate the effects of the Nachi worm




This document describes the steps to mitigate the effects of the Nachi worm.


What is Nachi Worm?

The Nachi worm (W32 Nachi worm) is another name for the Welchia worm. It belongs to the genre of Internet worms and appears as DLLHOST.EXE on systems running Windows XP SP1, Windows 2000 SP4 and below.

Nachi exploits a vulnerability in the DCOM (Distributed Component Object Model) interface of RPC (Remote Procedure Call) over TCP port 135, which is described in detail in Microsoft Security Bulletin MS03-026. It also exploits the NTDLL.DLL vulnerability reachable through WebDAV in Microsoft IIS 5.0 over TCP port 80, which is described in detail in Microsoft Security Bulletin MS03-007.


Once a system is infected by Nachi Worm what does the infected system do?

  • Nachi worm scans for active users
  • To infect a system, it sends an ICMP echo or ping. This results in a sudden increase in ICMP traffic.
  • On the infected system, the Nachi worm removes the MS Blast worm by applying a patch, which ensures that no other threat can infect the system using the same vulnerability.
  • It opens port 707, which is used to perform malicious jobs.
  • The worm deletes itself after execution once the system clock is set to January 1, 2004.


Core issue

Many issues caused by the Nachi worm stem from high volumes of 92-byte Internet Control Message Protocol (ICMP) type 8 (echo request) packets. Symptoms on Cisco devices include, but are not limited to, high CPU utilization and traffic drops on the input interfaces.
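To find the hosts behind the symptom described above, the following added example (not part of the original document and not Cisco code) scans flow records for sources that send 92-byte ICMP type 8 packets to several distinct destinations, then lists follow-up connections to the TCP ports named earlier (135, 80, 707). The record format, addresses and sweep threshold are constructed assumptions.

```python
from collections import defaultdict

NACHI_ICMP_LEN = 92                  # packet size the document attributes to Nachi pings
ICMP_ECHO_REQUEST = 8                # ICMP type 8
FOLLOWUP_TCP_PORTS = {135, 80, 707}  # TCP ports the document ties to the worm
SWEEP_THRESHOLD = 3                  # assumed: distinct ping targets before flagging

# Constructed sample records: "src dst proto icmp_type_or_dst_port length"
SAMPLE_FLOWS = """\
10.0.0.5 10.0.1.1 icmp 8 92
10.0.0.5 10.0.1.2 icmp 8 92
10.0.0.5 10.0.1.3 icmp 8 92
10.0.0.5 10.0.1.2 tcp 135 48
10.0.0.5 10.0.1.3 tcp 707 48
10.0.0.9 10.0.1.1 icmp 8 84
10.0.0.9 10.0.1.2 icmp 8 84
10.0.0.9 10.0.1.3 icmp 8 84
10.0.0.7 10.0.1.1 icmp 8 92
10.0.0.7 10.0.1.4 tcp 80 60
"""

def parse_flows(text):
    """Yield (src, dst, proto, field, length); silently skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        src, dst, proto, field, length = parts
        try:
            yield src, dst, proto.lower(), int(field), int(length)
        except ValueError:
            continue

def find_suspects(text, threshold=SWEEP_THRESHOLD):
    """Map each sweeping source to its ping fan-out and follow-up TCP ports."""
    pinged = defaultdict(set)     # src -> destinations hit with 92-byte echo requests
    followups = defaultdict(set)  # src -> (dst, port) for watched TCP ports
    for src, dst, proto, field, length in parse_flows(text):
        if proto == "icmp" and field == ICMP_ECHO_REQUEST and length == NACHI_ICMP_LEN:
            pinged[src].add(dst)
        elif proto == "tcp" and field in FOLLOWUP_TCP_PORTS:
            followups[src].add((dst, field))
    report = {}
    for src, targets in pinged.items():
        if len(targets) >= threshold:
            # Only count TCP connections to hosts this source pinged first.
            ports = sorted({p for d, p in followups[src] if d in targets})
            report[src] = {"ping_targets": len(targets), "followup_ports": ports}
    return report
```

A host that pings with a different packet size (10.0.0.9 here) or pings only one destination (10.0.0.7) is not flagged, so ordinary monitoring traffic stays out of the report.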

This worm exploits two vulnerabilities previously disclosed by Microsoft.

For more information, refer to these documents:





The two worms that exploit systems unpatched for MS03-026 are referred to as Nachi and Blaster:




Problem Type

Currently under attack (security threats, worms & viruses)


Security Threats and Attacks



Microsoft Security Bulletin MS03-026

Buffer Overrun In RPC Interface Could Allow Code Execution (823980)


Microsoft Security Bulletin MS03-007

Unchecked Buffer In Windows Component Could Cause Server Compromise (815021)
