FYI: New worm virus reported (W32/Nachi.A)

Prisoner_Number_Six Donating Member (1000+ posts) Tue Aug-19-03 08:53 AM
Original message
FYI: New worm virus reported (W32/Nachi.A)
- Panda Software reports the appearance of a new worm called W32/Nachi.A -

Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, August 19, 2003 - Panda Software's Virus Laboratory has reported the appearance of a new worm called W32/Nachi.A. This malicious code is programmed to exploit the RPC DCOM vulnerability that affects some versions of the Windows operating system in order to spread to as many computers as possible.

Nachi.A does not spread via e-mail but attacks remote machines via TCP/IP and tries to cause a buffer overflow in them. After doing this, the attacked computer is forced to download a copy of the worm, which is done through a TFTP (Trivial File Transfer Protocol) server incorporated in this worm.

This worm, which originated in China, can also use another exploit known as WebDav. Information about this exploit and the patch to fix it are available at the following address: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-007.asp

The worm is programmed to delete itself from the affected computer in 2004. Another interesting characteristic of Nachi.A is that it can uninstall the Blaster worm. In order to do this, it destroys the process and deletes the files belonging to this worm. However, not only does it remove this worm but it also installs the Microsoft patch that fixes the vulnerability it exploits on affected computers.

Panda Software advises network administrators, IT managers and home users to immediately install the patches released by Microsoft to fix the RPC DCOM vulnerability. These are available at http://www.microsoft.com/security/security_bulletins/ms03-026.asp where you can also find detailed information about this flaw.

In order to avoid falling victim to attack, Panda Software advises users to update their antivirus solutions immediately. The multinational antivirus manufacturer has already released the updates, which ensure their antivirus solutions detect Nachi.A. Therefore, if your software is not configured to update automatically, you can update it from the company's website at http://www.pandasoftware.com/

Users can also detect this and other malicious code using the free, online antivirus, Panda ActiveScan, which is available on the company's website at http://www.pandasoftware.com

For more information about W32/Nachi.A and other viruses, visit Panda Software's Virus Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia/

NOTE: The addresses above may not show up on your screen as single lines. This would prevent you from using the links to access the web pages. If this happens, just use the "cut" and "paste" options to join the pieces of the URL.

----

As someone who has spent the last week cleaning computer after computer of the Blaster virus, I feel it's in the public interest to post the occasional notification of things such as this that can affect my fellow DUers. If you'd rather I not post these email notifications (I'm on several lists) let me know and I won't post any more here.
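As an added example (not part of the Panda alert or of this post), the following Python script looks for the spread pattern the alert describes in flow records: a source that hits the RPC DCOM service on many other machines, some of which then pull a copy of the worm back from it over TFTP. The port numbers (TCP 135 for the RPC endpoint mapper targeted by MS03-026, UDP 69 for TFTP) and the flow-record format are assumptions; the flow records are constructed for the example.

```python
"""
Added example (not from the Panda alert or the forum post): flag hosts whose
traffic matches the Nachi.A spread pattern described above. Assumptions:
the MS03-026 RPC DCOM exploit targets TCP 135 and the worm's built-in TFTP
server answers on UDP 69. Flow records are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

RPC_DCOM_PORT = 135   # assumption: TCP port hit by the MS03-026 exploit
TFTP_PORT = 69        # assumption: UDP port of the worm's TFTP server


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds since epoch
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    dport: int


def parse_flows(lines: List[str]) -> List[Flow]:
    """Parse 'ts src dst proto dport' records; malformed lines are skipped."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            flows.append(Flow(int(parts[0]), parts[1], parts[2],
                              parts[3].lower(), int(parts[4])))
        except ValueError:
            continue
    return flows


def find_nachi_like_sources(flows: List[Flow], min_targets: int = 3,
                            window: int = 300) -> Dict[str, List[str]]:
    """
    Return {scanner_ip: [victims]} for sources that (1) opened TCP/135 to at
    least min_targets distinct hosts and (2) were afterwards contacted on
    UDP/69 by one of those hosts within `window` seconds of the 135 attempt.
    Condition (2), the victim pulling its copy via TFTP from the attacker, is
    what separates the worm from an ordinary port scan.
    """
    first_hit: Dict[str, Dict[str, int]] = defaultdict(dict)  # src -> {dst: ts}
    for f in flows:
        if f.proto == "tcp" and f.dport == RPC_DCOM_PORT:
            first_hit[f.src].setdefault(f.dst, f.ts)

    suspects: Dict[str, List[str]] = {}
    for scanner, targets in first_hit.items():
        if len(targets) < min_targets:
            continue
        confirmed = set()
        for f in flows:
            if (f.proto == "udp" and f.dport == TFTP_PORT
                    and f.dst == scanner and f.src in targets
                    and 0 <= f.ts - targets[f.src] <= window):
                confirmed.add(f.src)
        if confirmed:
            suspects[scanner] = sorted(confirmed)
    return suspects


# Constructed sample: 10.0.0.5 behaves like an infected host; 10.0.0.9 is a
# plain port scanner that never serves TFTP back to anyone it scanned.
SAMPLE_FLOWS = [
    "1061283180 10.0.0.5 10.0.1.10 tcp 135",
    "1061283181 10.0.0.5 10.0.1.11 tcp 135",
    "1061283182 10.0.0.5 10.0.1.12 tcp 135",
    "1061283183 10.0.0.5 10.0.1.13 tcp 135",
    "1061283190 10.0.1.11 10.0.0.5 udp 69",    # victim pulls the worm copy
    "1061283195 10.0.1.13 10.0.0.5 udp 69",
    "1061283200 10.0.0.9 10.0.1.20 tcp 135",
    "1061283201 10.0.0.9 10.0.1.21 tcp 135",
    "1061283202 10.0.0.9 10.0.1.22 tcp 135",
    "1061283250 10.0.1.30 10.0.0.7 udp 69",    # unrelated TFTP, no 135 scan before it
    "garbage line",
]

if __name__ == "__main__":
    for ip, victims in find_nachi_like_sources(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{ip}: Nachi-like spread to {', '.join(victims)}")
```

Hosts that only scan 135 (the second source in the sample) are not reported; requiring the TFTP pull back to the scanner keeps the rule specific to the download step the alert describes rather than to any RPC probe.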
never cry wolf Donating Member (1000+ posts) Tue Aug-19-03 08:56 AM
Response to Original message
1. thanks for the heads up
nt
 
Kellanved Donating Member (1000+ posts) Tue Aug-19-03 08:57 AM
Response to Original message
2. Yes
Edited on Tue Aug-19-03 09:00 AM by Kellanved
 
bamademo Donating Member (1000+ posts) Tue Aug-19-03 08:59 AM
Response to Original message
3. I appreciate the info
I'm a techie and Lord knows I don't need my 300+ users getting another virus.
 
Junkdrawer Donating Member (1000+ posts) Tue Aug-19-03 09:00 AM
Response to Original message
4. A repair virus????
It installs itself, removes Blaster, installs the Microsoft patch, then removes itself at a later date???
 
Emperor_Norton_II Donating Member (1000+ posts) Tue Aug-19-03 01:01 PM
Response to Reply #4
8. Welcome to the future
I do so love living in the 21st century.
 
OldEuropean Donating Member (57 posts) Tue Aug-19-03 10:38 AM
Response to Original message
5. Another alert
A new variant of the Sobig worm, W32/Sobig.F, is spreading fast today; there are already reports of several thousand infected PCs. It's a regular worm though, spreading by mail attachments.

Now if only people would start to use their brains before double clicking on any attachment that they get. Or start using more secure mail clients. :-|
 
newyawker99 Donating Member (1000+ posts) Tue Aug-19-03 12:57 PM
Response to Reply #5
6. kick
:kick:
 
Stephanie Donating Member (1000+ posts) Tue Aug-19-03 01:00 PM
Response to Reply #5
7. More info, from IT
SOBIG is a mass-mailing worm that sends itself to all the email addresses that it finds on an infected PC.

Do not open anything that looks like these examples at work or at home! The "From:" address may be spoofed with an address extracted from the victim machine. Therefore the perceived sender is most likely not a pointer to the infected user, so don't trust it, even though it will probably appear to come from someone you know.

Messages are constructed as follows:

Subject:
Your details
Thank you!
Re: Thank you!
Re: Details
Re: Re: My details
Re: Approved
Re: Your application
Re: Wicked screensaver
Re: That movie

Attachment:
your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif

Body:
See the attached file for details
Please see the attached file for details

The "From:" address may be spoofed with an address extracted from the victim machine. Therefore the perceived sender is most likely not a pointer to the infected user.

SOBIG can download arbitrary files to the infected computer and execute them. The author of the worm has used this functionality to steal confidential system information and to set up spam relay servers on infected computers.

This functionality may also be used as a worm self-update feature. Under the correct conditions, SOBIG.F attempts to contact one of a list of master servers, which the author of the worm controls. Then the worm retrieves a URL that it uses to determine where to get the Trojan file, downloads the Trojan file to the local computer, and then executes it.

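As an added example (not from the post above or from the IT notice it quotes), the following Python triage filter turns the Sobig.F indicators listed above into a mail check: it parses raw messages with the standard-library email package and quarantines any message carrying one of the listed attachment names, any executable .pif/.scr attachment, or a listed subject paired with the "see the attached file" body. As the notice says, the From: address is only reported, never trusted. The three sample messages are constructed for the example and contain no real worm.

```python
"""
Added example (not from the forum post or the IT notice): triage messages
against the Sobig.F subject, attachment and body indicators quoted above.
The sample messages below are constructed; the base64 attachment payloads
are a few placeholder bytes, not worm code.
"""
import email
from email import policy
from typing import Dict, List

# Indicators transcribed from the notice above.
SUBJECTS = {
    "Your details", "Thank you!", "Re: Thank you!", "Re: Details",
    "Re: Re: My details", "Re: Approved", "Re: Your application",
    "Re: Wicked screensaver", "Re: That movie",
}
ATTACHMENTS = {
    "your_document.pif", "document_all.pif", "thank_you.pif",
    "your_details.pif", "details.pif", "document_9446.pif",
    "application.pif", "wicked_scr.scr", "movie0045.pif",
}
BODIES = {"see the attached file for details",
          "please see the attached file for details"}
RISKY_EXTENSIONS = (".pif", ".scr")   # the executable types Sobig.F ships as


def attachment_names(msg) -> List[str]:
    """Filenames of every MIME part that carries one, at any nesting depth."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def body_text(msg) -> str:
    """First text/plain body, or '' if the message has none."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content().strip() if part is not None else ""


def classify(raw: str) -> Dict[str, object]:
    """Return a verdict ('quarantine' or 'pass') with the reasons for it."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    for fn in attachment_names(msg):
        if fn.lower() in ATTACHMENTS:
            reasons.append(f"known Sobig.F attachment name {fn}")
        elif fn.lower().endswith(RISKY_EXTENSIONS):
            reasons.append(f"executable attachment {fn}")
    subject = str(msg["subject"] or "").strip()
    # Subject alone is too generic ("Re: Details"); require the canned body too.
    if subject in SUBJECTS and body_text(msg).lower() in BODIES:
        reasons.append(f"known subject/body pair {subject!r}")
    return {
        "subject": subject,
        "from": str(msg["from"] or ""),   # reported only: the notice says it is spoofed
        "verdict": "quarantine" if reasons else "pass",
        "reasons": reasons,
    }


# Constructed sample: shaped like the worm mail described in the notice.
SAMPLE_WORM = """\
From: friend@example.org
To: victim@example.net
Subject: Re: Thank you!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

Please see the attached file for details
--XYZ
Content-Type: application/octet-stream; name="thank_you.pif"
Content-Disposition: attachment; filename="thank_you.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--XYZ--
"""

# Constructed sample: ordinary mail with a document attachment.
SAMPLE_BENIGN = """\
From: colleague@example.net
To: victim@example.net
Subject: Q3 numbers
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="ABC"

--ABC
Content-Type: text/plain; charset="us-ascii"

Attached as discussed.
--ABC
Content-Type: application/pdf; name="q3.pdf"
Content-Disposition: attachment; filename="q3.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--ABC--
"""

# Constructed sample: a listed subject with a real body and no attachment.
SAMPLE_SUBJECT_ONLY = """\
From: someone@example.org
To: victim@example.net
Subject: Re: Details

Here are the details you asked for, in the body this time.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_WORM, SAMPLE_BENIGN, SAMPLE_SUBJECT_ONLY):
        r = classify(raw)
        print(f"{r['verdict']:10} {r['subject']!r} from {r['from']} {r['reasons']}")
```

The filename and extension checks are case-insensitive, and the subject list only counts together with one of the two canned bodies, so a legitimate "Re: Details" reply with its own text passes while the worm's template is caught twice over (attachment name and subject/body pair).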
 