Microsoft KB Archive/826234

= Virus alert about the Nachi worm =

Article ID: 826234

Article Last Modified on 9/5/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows Server 2003, 64-Bit Enterprise Edition
 * Microsoft Windows XP Professional
 * Microsoft Windows XP Home Edition
 * Microsoft Windows XP Media Center Edition 2002
 * Microsoft Windows XP Tablet PC Edition
 * Microsoft Windows XP Professional for Itanium-based systems
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Internet Information Services 5.0
 * Microsoft Windows NT Advanced Server 3.1
 * Microsoft Windows NT Server 3.51
 * Microsoft Windows NT Server 4.0, Terminal Server Edition
 * Microsoft Windows NT Server 4.0 Enterprise Edition
 * Microsoft Windows NT Workstation 4.0 Developer Edition

-





SUMMARY
On August 18, 2003, the Microsoft Product Support Services Security Team issued an alert to inform customers about a new worm. A worm is a type of computer virus that generally spreads without user action and that distributes complete copies (possibly modified) of itself across networks (such as the Internet). Generally known as "Nachi," this new worm exploits the vulnerabilities that were addressed by Microsoft Security Bulletins MS03-026 (823980) and MS03-007 (815021) to spread itself over networks by using open Remote Procedure Call (RPC) ports or the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol that is supported by Internet Information Server (IIS) 5.0.

This article contains information for network administrators and IT professionals about how to prevent and how to recover from an infection from the Nachi worm. The Nachi worm is also known as W32/Nachi.worm (Network Associates), Lovsan.D (F-Secure), WORM_MSBLAST.D (Trend Micro), and W32.Welchia.Worm (Symantec).

Computers that are running any of the products that are listed at the beginning of this article are vulnerable if both the 823980 (MS03-026) and 815021 (MS03-007) security patches were not installed before August 18, 2003 (the date that this worm was discovered).

Note It has not been confirmed that any current versions of this worm have infected computers that are running Windows Server 2003 or Windows NT 4.0.

For additional information about recovering from this worm, contact your antivirus software vendor. For additional information about antivirus software vendors, click the following article number to view the article in the Microsoft Knowledge Base:

49500 List of antivirus software vendors

For additional information about the 823980 (MS03-026) and 815021 (MS03-007) security patches, click the following article numbers to view the articles in the Microsoft Knowledge Base:

823980 MS03-026: Buffer overrun in RPC may allow code execution

815021 MS03-007: Unchecked buffer in Windows component may cause Web server compromise



Symptoms of Infection
If your computer is infected with this worm, you may experience the same symptoms that are documented in Microsoft Knowledge Base article 826955 for the Blaster worm and its variants. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

826955 Virus alert about the Blaster worm and its variants

Additionally, the Dllhost.exe file or the Svchost.exe file may exist in your %windir%\System32\Wins folder.

Note Dllhost.exe or Svchost.exe are valid Windows files, but they are located in the %windir%\System32 folder, not in the %windir%\System32\Wins folder. Additionally, the Svchost.exe file that this worm copies to the %windir%\System32\Wins folder is a copy of the Windows Tftpd.exe file. The Dllhost.exe file that this worm copies to the %windir%\System32\Wins folder is a copy of the virus. The virus version of the file typically has a file size over 10,000 bytes. The valid Windows Dllhost.exe file has a file size of 5,632 bytes (Windows Server 2003), 4,608 bytes (Windows XP), or 5,904 bytes (Windows 2000).
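The file-location check from the note above, as an added example that is not part of the original article: it looks in System32\Wins under a given Windows directory and classifies what it finds by the sizes the note lists. Names are matched without regard to case so the check also works on a volume mounted for offline analysis; the function names and result fields are assumptions of this example.

```python
import os
import sys

# Indicators taken from the note above.
WINS_NAMES = ("dllhost.exe", "svchost.exe")
VALID_DLLHOST_SIZES = {5632: "Windows Server 2003",
                       4608: "Windows XP",
                       5904: "Windows 2000"}
WORM_MIN_SIZE = 10_000  # worm copy is "typically ... over 10,000 bytes"


def child_ci(parent, name):
    """Return the entry of `parent` whose name equals `name`, ignoring case.

    Windows paths are case-insensitive; a volume mounted on an analysis
    workstation may not be, so names are compared explicitly.
    """
    try:
        entries = os.listdir(parent)
    except OSError:
        return None
    for entry in entries:
        if entry.lower() == name.lower():
            return os.path.join(parent, entry)
    return None


def describe(name, size):
    """Classify a file found in System32\\Wins by name and size."""
    if name == "svchost.exe":
        return "unexpected folder; the worm places a copy of Tftpd.exe here"
    if size > WORM_MIN_SIZE:
        return "unexpected folder; size over 10,000 bytes matches the worm copy"
    if size in VALID_DLLHOST_SIZES:
        return ("unexpected folder; size equals the valid Dllhost.exe for "
                + VALID_DLLHOST_SIZES[size])
    return "unexpected folder; size matches neither pattern"


def check_wins_folder(windir):
    """Return one finding per indicator file under <windir>\\System32\\Wins."""
    folder = windir
    for part in ("System32", "Wins"):
        folder = child_ci(folder, part)
        if folder is None:
            return []  # folder absent: nothing to report
    findings = []
    for name in WINS_NAMES:
        path = child_ci(folder, name)
        if path and os.path.isfile(path):
            size = os.path.getsize(path)
            findings.append({"name": name, "path": path, "size": size,
                             "note": describe(name, size)})
    return findings


if __name__ == "__main__":
    # Usage: python check_wins.py C:\WINDOWS   (or the path of a mounted image)
    root = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("windir", ".")
    for f in check_wins_folder(root):
        print(f"{f['path']}  {f['size']} bytes  {f['note']}")
```

Either file name in the Wins folder is reported regardless of size, because the note places the valid copies in System32 only.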

Technical Details
Similar to the Blaster worm and its variants, this worm also exploits the vulnerability that is addressed in Microsoft Security Bulletin MS03-026. The worm instructs target computers to download a copy of the worm from an affected system by using the TFTP program.

In addition to exploiting the RPC vulnerability that is addressed in Microsoft Security Bulletin MS03-026, this worm also spreads itself by using the previously addressed vulnerability in Microsoft Security Bulletin MS03-007. This exploit is directed at IIS 5.0 over port 80.

Upon successful infection, this worm improperly installs the 823980 (MS03-026) security patch on infected computers by first determining the operating system and then downloading the associated security patch for that operating system. The improper installation of the files and registry settings that are associated with the 823980 (MS03-026) security patch may leave infected computers vulnerable to the issues that are documented in Microsoft Security Bulletin MS03-026 and may cause problems when you try to install the Microsoft version of the 823980 (MS03-026) security patch. The following symptoms may indicate that the 823980 (MS03-026) security patch was installed by the Nachi worm:

 * There is no entry for the 823980 (MS03-026) security patch in Add or Remove Programs tool. For example, Windows XP Hotfix - KB823980 does not appear in the Add or Remove Programs list. This problem remains even after you install the Microsoft version of the 823980 (MS03-026) security patch. This problem occurs because the worm installs the 823980 (MS03-026) security patch in "no archive" mode. An administrator can install the 823980 (MS03-026) security patch in "no archive" mode by using the /n switch.
 * The following entry appears in the system event log:

   Source: NtServicePack
   Category: None
   Event ID: 4359
   User: NT AUTHORITY\SYSTEM
   Description: Hotfix KB823980 was installed.

Note To sort the system event log by Source, click the Source column heading in Event Viewer.

Prevention
To prevent this virus from infecting your computer, follow these steps:

 1. Enable the Internet Connection Firewall feature (ICF) in Windows XP, in Windows Server 2003, Standard Edition, and in Windows Server 2003, Enterprise Edition; or use Basic Firewall, Microsoft Internet Security and Acceleration (ISA) Server 2000, or a third-party firewall to block TCP ports 135, 139, 445, and 593; UDP ports 69 (TFTP), 135, 137, and 138; and TCP port 80.

    To enable the ICF in Windows XP or Windows Server 2003, follow these steps:

     a. Click Start, and then click Control Panel.
     b. In Control Panel, double-click Networking and Internet Connections, and then click Network Connections.
     c. Right-click the connection where you want to enable ICF, and then click Properties.
     d. Click the Advanced tab, and then click to select the Protect my computer or network by limiting or preventing access to this computer from the Internet check box.

    Note Some dial-up connections may not appear in the Network Connections folder. For example, AOL and MSN dial-up connections may not appear. Sometimes, you can use the following procedure to enable ICF for a connection that does not appear in the Network Connections folder. If these steps do not work, contact your Internet service provider (ISP) for information about how to firewall your Internet connection.

     a. Start Internet Explorer.
     b. On the Tools menu, click Internet Options.
     c. Click the Connections tab, click the dial-up connection that you use to connect to the Internet, and then click Settings.
     d. In the Dial-up settings area, click Properties.
     e. Click the Advanced tab, and then click to select the Protect my computer or network by limiting or preventing access to this computer from the Internet check box.

    For additional information about how to enable Internet Connection Firewall in Windows XP or in Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:

    283673 HOW TO: Enable or disable Internet Connection Firewall in Windows XP

    Note ICF is only available in Windows XP, in Windows Server 2003, Standard Edition, and in Windows Server 2003, Enterprise Edition. Basic Firewall is a component of Routing and Remote Access that you can enable for any public interface on a computer that is running Routing and Remote Access and that is a member of the Windows Server 2003 family.

 2. This worm uses two previously announced vulnerabilities as part of its infection method. Because of this, you must make sure that you have installed both the 823980 and 815021 security patches on all your computers to address the vulnerability that is identified in Microsoft Security Bulletins MS03-026 and MS03-007. The 824146 security patch replaces the 823980 security patch. Microsoft recommends that you install the 824146 security patch. This patch also includes the fixes for the issues that are addressed in Microsoft Security Bulletin MS03-026 (823980). For additional information about the 824146 security patch, click the following article number to view the article in the Microsoft Knowledge Base:

    824146 A buffer overrun in RPCSS could allow an attacker to run malicious programs

    For additional information about the 823980 security patch and any prerequisites (such as a service pack for your version of Windows), click the following article number to view the article in the Microsoft Knowledge Base:

    823980 MS03-026: Buffer overrun in RPC interface may allow code execution

    For additional information about the 815021 security patch and any prerequisites (such as a service pack for your version of Windows), click the following article number to view the article in the Microsoft Knowledge Base:

    815021 MS03-007: Unchecked buffer in Windows component may cause Web server compromise

 3. Use the latest virus-detection signature from your antivirus vendor to detect new viruses and their variants.
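To confirm which of the ports named in the first Prevention step are still reachable on a host you administer, the following added example (not part of the original article) parses the text of netstat -an and reports listeners on those ports. The sample output is constructed, and the function names are assumptions of this example.

```python
import re
import sys

# Ports the first Prevention step says to block at the firewall.
BLOCKED = {"TCP": {80, 135, 139, 445, 593},
           "UDP": {69, 135, 137, 138}}

# Constructed sample in the layout of Windows "netstat -an" output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:593          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1042        198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:69             *:*
  UDP    0.0.0.0:500            *:*
  UDP    192.0.2.10:137         *:*
  UDP    192.0.2.10:138         *:*
"""

# proto, local address, local port, foreign address, optional state
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def is_loopback(address):
    """True when the socket is bound to the local machine only."""
    return address.startswith("127.") or address == "[::1]"


def exposed_listeners(netstat_text):
    """Return sorted (proto, port, local_address) tuples for listeners on
    the article's blocked ports that are reachable from the network."""
    found = set()
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # title, column header, blank lines
        proto, address, port, _foreign, state = m.groups()
        port = int(port)
        # TCP rows count only when LISTENING; UDP rows carry no state.
        if proto == "TCP" and state != "LISTENING":
            continue
        if port not in BLOCKED[proto]:
            continue
        if is_loopback(address):
            continue  # loopback-only binding is not reachable remotely
        found.add((proto, port, address))
    return sorted(found)


if __name__ == "__main__":
    # Usage: netstat -an > ports.txt, then: python check_ports.py ports.txt
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_NETSTAT
    for proto, port, address in exposed_listeners(text):
        print(f"{proto} {port} listening on {address}: "
              "block at the firewall or filter")
```

The check keys on the local port only, so the outbound connection to a remote port 80 in the sample is not reported.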

Recovery
Best practices for security suggest that you perform a complete "clean" installation on a previously compromised computer to remove any undiscovered exploits that can lead to a future compromise. For additional information, visit the following CERT Coordination Center (CERT/CC) Advisory Web site:

http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

However, many antivirus companies provide tools to remove the known exploit that is associated with this particular worm. To download the removal tool from your antivirus vendor, use one of the following procedures, depending on your operating system.

Recovery for Windows XP, Windows Server 2003, Standard Edition, and Windows Server 2003, Enterprise Edition
 1. Enable the Internet Connection Firewall (ICF) feature in Windows XP, in Windows Server 2003, Standard Edition, and in Windows Server 2003, Enterprise Edition; or use Basic Firewall, Microsoft Internet Security and Acceleration (ISA) Server 2000, or a third-party firewall.

    To enable ICF, follow these steps:

     a. Click Start, and then click Control Panel.
     b. In Control Panel, double-click Networking and Internet Connections, and then click Network Connections.
     c. Right-click the connection where you want to enable ICF, and then click Properties.
     d. Click the Advanced tab, and then click to select the Protect my computer or network by limiting or preventing access to this computer from the Internet check box.

    Notes

     * If your computer shuts down or restarts repeatedly when you try to follow these steps, disconnect from the Internet before you enable your firewall. If you connect to the Internet over a broadband connection, locate the cable that runs from your external DSL modem or cable modem, and then unplug that cable either from the modem or from the telephone jack. If you use a dial-up connection, locate the telephone cable that runs from the modem that is inside your computer to your telephone jack, and then unplug that cable either from the telephone jack or from your computer. If you cannot disconnect from the Internet, use the following command to configure RPCSS to not restart your computer when the service fails:

       sc failure rpcss reset= 0 actions= restart

       To reset RPCSS to the default recovery setting after you complete these steps, use the following command:

       sc failure rpcss reset= 0 actions= reboot/60000

     * If you have more than one computer that share an Internet connection, use a firewall only on the computer that is directly connected to the Internet. Do not use a firewall on the other computers that share the Internet connection. If you are running Windows XP, use the Network Setup Wizard to enable ICF.
     * Using a firewall should not affect your e-mail service or Web browsing, but a firewall can disable some Internet software, services, or features. If this behavior occurs, you may have to open some ports on your firewall for some Internet feature to work. To determine which ports you must open, see the documentation that is included with the Internet service that is not working. To determine how to open these ports, see the documentation that is included with your firewall. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

       308127 How to manually open ports in Internet Connection Firewall in Windows XP

     * Sometimes, you can use the following procedure to enable ICF for a connection that does not appear in the Network Connections folder. If these steps do not work, contact your Internet service provider (ISP) for information about how to firewall your Internet connection.

        a. Start Internet Explorer.
        b. On the Tools menu, click Internet Options.
        c. Click the Connections tab, click the dial-up connection that you use to connect to the Internet, and then click Settings.
        d. In the Dial-up settings area, click Properties.
        e. Click the Advanced tab, and then click to select the Protect my computer or network by limiting or preventing access to this computer from the Internet check box.

    For additional information about how to enable ICF in Windows XP or in Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:

    283673 HOW TO: Enable or disable Internet Connection Firewall in Windows XP

    Note ICF is only available in Windows XP, in Windows Server 2003, Standard Edition, and in Windows Server 2003, Enterprise Edition. Basic Firewall is a component of Routing and Remote Access that you can enable for any public interface on a computer that is running Routing and Remote Access and that is a member of the Windows Server 2003 family.

 2. Locate and then delete the following registry key if it exists:

    To do this, follow these steps:

     a. Click Start, click Run, type regedit, and then click OK.
     b. Locate the following registry key:
     c. Right-click the key, and then click Delete.

 3. Download and install both the 824146 and the 815021 security patches on all your computers to address the vulnerability that is identified in Microsoft Security Bulletins MS03-039, MS03-026, and MS03-007. For additional information about the 824146 security patch and any prerequisites (such as a service pack for your version of Windows), click the following article number to view the article in the Microsoft Knowledge Base:

    824146 A buffer overrun in RPCSS could allow an attacker to run malicious programs

    For additional information about the 823980 security patch and any prerequisites (such as a service pack for your version of Windows), click the following article number to view the article in the Microsoft Knowledge Base:

    823980 MS03-026: Buffer overrun in RPC interface may allow code execution

    For additional information about the 815021 security patch and any prerequisites (such as a service pack for your version of Windows), click the following article number to view the article in the Microsoft Knowledge Base:

    815021 MS03-007: Unchecked buffer in Windows component may cause Web server compromise

 4. Install or update your antivirus signature software, and then run a complete system scan.
 5. Download and then run the worm-removal tool from your antivirus vendor.

Recovery for Windows 2000 and Windows NT 4.0
The Internet Connection Firewall feature is not available in Windows 2000 or Windows NT 4.0. If Microsoft Internet Security and Acceleration (ISA) Server 2000 or a third-party firewall is not available to block TCP ports 135, 139, 445 and 593; UDP ports 69 (TFTP), 135, 137, and 138; and TCP port 80, follow these steps to help block the affected ports for local area network (LAN) connections. TCP/IP Filtering is not available for dial-up connections. If you are using a dial-up connection to connect to the Internet, you should enable a firewall.

 1. Configure TCP/IP security. To do this, use the procedure for your operating system.

    Windows 2000

     a. In Control Panel, double-click Network and Dial-up Connections.
     b. Right-click the interface that you use to access the Internet, and then click Properties.
     c. In the Components checked are used by this connection box, click Internet Protocol (TCP/IP), and then click Properties.
     d. In the Internet Protocol (TCP/IP) Properties dialog box, click Advanced.
     e. Click the Options tab.
     f. Click TCP/IP filtering, and then click Properties.
     g. Click to select the Enable TCP/IP Filtering (All adapters) check box.
     h. There are three columns with the following labels:

         * TCP Ports
         * UDP Ports
         * IP Protocols

        In each column, click the Permit Only option.

        For additional information about the ports that should be open for domains and trusts, click the following article number to view the article in the Microsoft Knowledge Base:

        179442 How to configure a firewall for domains and trusts

     i. Click OK.

        Notes

         * If your computer shuts down or restarts repeatedly when you try to follow these steps, disconnect from the Internet before you enable your firewall. If you connect to the Internet over a broadband connection, locate the cable that runs from your external DSL or cable modem, and then unplug that cable either from the modem or from the telephone jack. If you use a dial-up connection, locate the telephone cable that runs from the modem that is inside your computer to your telephone jack, and then unplug that cable either from the telephone jack or from your computer.
         * If you have more than one computer that share an Internet connection, use a firewall only on the computer that is directly connected to the Internet. Do not use a firewall on the other computers that share the Internet connection.
         * Using a firewall should not affect your e-mail service or Web browsing, but a firewall can disable some Internet software, services, or features. If this behavior occurs, you may have to open some ports on your firewall for some Internet feature to work. To determine which ports you must open, see the documentation that is included with the Internet service that is not working. To determine how to open these ports, see the documentation that is included with your firewall.
         * These steps are based on a modified excerpt from Microsoft Knowledge Base article 309798. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

           309798 How to configure TCP/IP Filtering in Small Business Server 2003

    Windows NT 4.0

     a. In Control Panel, double-click Network.
     b. Click the Protocol tab, click TCP/IP Protocol, and then click Properties.
     c. Click the IP Address tab, and then click Advanced.
     d. Click to select the Enable Security check box, and then click Configure.
     e. In the TCP Ports column, the UDP Ports column, and the IP Protocols column, click to select the Permit only setting.
     f. Click OK, and then close the Network tool.

 2. Download and install both the 824146 and the 815021 security patches on all your computers to address the vulnerability that is identified in Microsoft Security Bulletins MS03-039, MS03-026, and MS03-007. The 824146 security patch replaces the 823980 security patch. Microsoft recommends that you install the 824146 security patch. This patch also includes fixes for the issues that are addressed in Microsoft Security Bulletin MS03-026 (823980). For additional information about the 824146 security patch, click the following article number to view the article in the Microsoft Knowledge Base:

    824146 A buffer overrun in RPCSS could allow an attacker to run malicious programs

    For additional information about the 823980 security patch and any prerequisites (such as a service pack for your version of Windows), click the following article number to view the article in the Microsoft Knowledge Base:

    823980 MS03-026: Buffer overrun in RPC interface may allow code execution

    For additional information about the 815021 security patch and any prerequisites (such as a service pack for your version of Windows), click the following article number to view the article in the Microsoft Knowledge Base:

    815021 MS03-007: Unchecked buffer in Windows component may cause Web server compromise

 3. Install or update your antivirus signature software, and then run a complete system scan.
 4. Download and then run the worm-removal tool from your antivirus vendor.

    Network Associates

    http://vil.nai.com/vil/content/v_100559.htm

    Trend Micro

    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.D

    Symantec

    http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

    For more information about the Virus Information Alliance (VIA), visit the following Microsoft Web site:

    http://www.microsoft.com/technet/security/alerts/info/via.mspx

Keywords: KB826234


© Microsoft Corporation. All rights reserved.