How is this Natchi worm being passed?

Jeff_pony
Moderator
Posts: 8790
Joined: January 5th, 2003, 12:38 pm
Location: (.uk)


Post by Jeff_pony »

So ok, every time I have installed Windows XP (I have had to do it a lot the past day, what with getting a new puter running) the Natchi worm always seems to appear. Now the slipstreamed CD I made for SP1 was burned ages ago, before this worm became known. So either this worm has been dormant for a long time or it somehow keeps getting placed on my system through the internet, even though I have set up a firewall, etc. So any ideas what might be causing it?
Please PM the mod team when you see a rule infraction
Life State:: McLovin it
Camino v2.1 (pre)
old momokatte
Posts: 0
Joined: December 31st, 1969, 5:00 pm

Post by old momokatte »

http://vil.nai.com/vil/content/v_100559.htm wrote:This worm spreads by exploiting a vulnerability in Microsoft Windows. It scans the local class-b subnet (port 135) for target machines. It sends an ICMP ping to potential victim machines, and upon a reply, sends the exploit data. A remote shell is created on the target system which connects to the infected machine on a TCP port in the range 666-765. Victim machines are instructed to download the worm via TFTP.

Irrespective of anti-virus detection, unless the system has been (MS03-026) patched, it is susceptible to the buffer overflow attack from an infected host machine. An infected machine will send packets across the local subnet to the RPC service running on port 135. When these packets are received by any unpatched system, it will create a buffer overflow and crash the RPC service on that system. All this can occur without the worm actually being on the machine.

By applying the MS03-026 patch to the machine, it will prevent the RPC service from failing, in turn solving these symptoms. It is very important that the machine is rebooted after the patch has been installed.

Web servers (IIS 5) that are vulnerable to an MS03-007 attack (port 80), via WebDAV, are also vulnerable to the virus propagating through this exploit.

Are you using a software firewall or a hardware firewall? You should block incoming traffic on all ports until you get your system patched.
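The propagation sequence quoted above (ICMP sweep of the local subnet, TCP/135 exploit attempts, a shell calling back on TCP 666-765, then a TFTP fetch) is something a defender can look for in perimeter or host firewall logs. The following is an added detection example, not code from this thread or from McAfee; it assumes a constructed, simplified log format of the form `<time> <proto> <src> -> <dst>:<port>` (not any real product's format) and flags hosts whose traffic matches the sweep-then-RPC pattern, noting the callback and TFTP indicators as corroboration.

```python
from collections import defaultdict
import re

# Constructed, simplified log line format (not a real firewall's):
#   "<time> <proto> <src_ip> -> <dst_ip>:<dst_port>", ICMP echo requests logged as port "echo-request".
LINE_RE = re.compile(r"^(\S+)\s+(ICMP|TCP|UDP)\s+(\S+)\s+->\s+(\S+):(\S+)$")
CALLBACK_PORTS = range(666, 766)  # the write-up's remote-shell callback range, TCP 666-765


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, proto, src, dst, port = m.groups()
    return {"ts": ts, "proto": proto, "src": src, "dst": dst, "port": port}


def collect_indicators(lines):
    """Per host, gather the four traffic indicators of the propagation sequence.

    Sweep and RPC attempts are attributed to the *source* (the infected scanner);
    callback and TFTP traffic are attributed to the *destination*, because the
    victim connects back to the infected machine and downloads the worm from it.
    """
    hosts = defaultdict(lambda: {"icmp_targets": set(), "rpc_targets": set(),
                                 "callback_received": False, "tftp_served": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # ignore lines that do not match the expected format
        proto, port = rec["proto"], rec["port"]
        if proto == "ICMP" and port == "echo-request":
            hosts[rec["src"]]["icmp_targets"].add(rec["dst"])      # step 1: ping sweep
        elif proto == "TCP" and port == "135":
            hosts[rec["src"]]["rpc_targets"].add(rec["dst"])       # step 2: RPC/DCOM exploit attempt
        elif proto == "TCP" and port.isdigit() and int(port) in CALLBACK_PORTS:
            hosts[rec["dst"]]["callback_received"] = True          # step 3: victim shell calls back
        elif proto == "UDP" and port == "69":
            hosts[rec["dst"]]["tftp_served"] = True                # step 4: victim fetches worm via TFTP
    return hosts


def suspicious_hosts(lines, ping_threshold=20, rpc_threshold=5):
    """Return {host: [indicators]} for hosts that swept with ICMP and then hit TCP/135 on several targets.

    Thresholds are assumptions chosen for this example; tune them to the size of
    the local subnet and the normal level of ICMP on the network.
    """
    flagged = {}
    for host, ind in collect_indicators(lines).items():
        if len(ind["icmp_targets"]) >= ping_threshold and len(ind["rpc_targets"]) >= rpc_threshold:
            reasons = [f"icmp_sweep:{len(ind['icmp_targets'])}",
                       f"tcp135_targets:{len(ind['rpc_targets'])}"]
            if ind["callback_received"]:
                reasons.append("callback_received")
            if ind["tftp_served"]:
                reasons.append("tftp_served")
            flagged[host] = reasons
    return flagged


def build_sample_log():
    """Constructed sample traffic: one infected-looking host (10.1.2.3) and one ordinary host (10.1.2.9)."""
    lines = []
    for i in range(1, 31):   # 30 echo requests across a neighbouring /24
        lines.append(f"12:00:{i:02d} ICMP 10.1.2.3 -> 10.1.5.{i}:echo-request")
    for i in range(1, 11):   # 10 of the responders then get a TCP/135 connection
        lines.append(f"12:01:{i:02d} TCP 10.1.2.3 -> 10.1.5.{i}:135")
    lines.append("12:01:20 TCP 10.1.5.7 -> 10.1.2.3:700")   # a victim's shell calling back
    lines.append("12:01:21 UDP 10.1.5.7 -> 10.1.2.3:69")    # that victim fetching the worm via TFTP
    lines.append("12:02:00 ICMP 10.1.2.9 -> 10.1.5.1:echo-request")  # ordinary host: two pings, one web hit
    lines.append("12:02:01 ICMP 10.1.2.9 -> 10.1.5.2:echo-request")
    lines.append("12:02:02 TCP 10.1.2.9 -> 10.1.5.200:80")
    lines.append("malformed line that the parser should skip")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for host, reasons in suspicious_hosts(SAMPLE_LOG).items():
        print(host, ", ".join(reasons))
```

The rule deliberately requires both the ICMP sweep and the TCP/135 fan-out before flagging, since either alone is common on a LAN (monitoring pings, legitimate DCOM); the callback-range and TFTP indicators are reported only as corroboration, which also makes the output useful for confirming which machine to isolate and patch first.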
old Harry Waldron
Moderator
Posts: 0
Joined: December 31st, 1969, 5:00 pm

Post by old Harry Waldron »

Jeff -- Are ya all patched up with respect to Windows Updates?
Jeff_pony
Moderator
Posts: 8790
Joined: January 5th, 2003, 12:38 pm
Location: (.uk)

Post by Jeff_pony »

harrywaldron wrote:Jeff -- Are ya all patched up with respect to Windows Updates?

Doing it atm. I am just surprised it can be placed on my system with such ease; I thought it was an e-mail virus....
old Harry Waldron
Moderator
Posts: 0
Joined: December 31st, 1969, 5:00 pm

Post by old Harry Waldron »

The heavy RPC DCOM pinging by this worm is what's causing all your system instability. It'll cause crashes and reboots galore.

Here are some resources if you need them:

http://forums.mcafeehelp.com/viewtopic.php?t=13690
http://forums.mcafeehelp.com/viewtopic.php?t=13554

Symantec offers a great free cleaning tool

http://www.symantec.com/avcenter/venc/d ... .tool.html

There's no such thing as a good worm :)

Jeff_pony
Moderator
Posts: 8790
Joined: January 5th, 2003, 12:38 pm
Location: (.uk)

Post by Jeff_pony »

Argh, the scary tiger wig wearing thing!!! Well, I am using McAfee Pro 7 and it found and deleted the worm. I suppose I am just surprised how much a firewall is needed in this day and age....
Dunderklumpen
Posts: 16224
Joined: March 9th, 2003, 8:12 am

Post by Dunderklumpen »

Jeff_pony wrote:Argh, the scary tiger wig wearing thing!!! Well, I am using McAfee Pro 7 and it found and deleted the worm. I suppose I am just surprised how much a firewall is needed in this day and age....

Told you so...