Ian
W32/Nachi.A
« on: Aug 20th, 2003, 6:26pm »
A Blaster variant, perhaps the product of the Chinese 'DCOM RPC Exploit' toolkit that's out there for folk to play with. This one is 'nicer' than most because it has a 'sell-by' date...

W32/Nachi.A

This malicious code is programmed to exploit the RPC DCOM vulnerability that affects some versions of the Windows operating system in order to spread to as many computers as possible. Nachi.A does not spread via e-mail but attacks remote machines via TCP/IP and tries to cause a buffer overflow in them. After doing this, the attacked computer is forced to download a copy of the worm, which is done through a TFTP (Trivial File Transfer Protocol) server incorporated in this worm.

This worm, which originated in China, can also use another exploit known as WebDav. Information about this exploit and the patch to fix it are available at the following address:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-007.asp

The worm is programmed to delete itself from the affected computer in 2004.

Another interesting characteristic of Nachi.A is that it can uninstall the Blaster worm. In order to do this, it destroys the process and deletes the files belonging to this worm. However, not only does it remove this worm but it also installs the Microsoft patch that fixes the vulnerability it exploits on affected computers.