How is this Natchi worm being passed?
- Jeff_pony
- Moderator
- Posts: 8790
- Joined: January 5th, 2003, 12:38 pm
- Location: (.uk)
- Contact:
So ok, every time I have installed Windows XP (I have had to do it a lot the past day, what with getting a new puter running) the Natchi worm always seems to appear. Now, the slipstreamed CD I made for SP1 was burned ages ago, before this worm became known. So either this worm has been dormant for a long time or it somehow keeps getting placed on my system through the internet, even though I have set up a firewall, etc. So any ideas what might be causing it?
Please PM the mod team when you see a rule infraction
Life State:: McLovin it
Camino v2.1 (pre)
-
- Posts: 0
- Joined: December 31st, 1969, 5:00 pm
http://vil.nai.com/vil/content/v_100559.htm wrote:This worm spreads by exploiting a vulnerability in Microsoft Windows. It scans the local class-b subnet (port 135) for target machines. It sends an ICMP ping to potential victim machines, and upon a reply, sends the exploit data. A remote shell is created on the target system which connects to the infected machine on a TCP port in the range 666-765. Victim machines are instructed to download the worm via TFTP.
Irrespective of anti-virus detection, unless the system has been (MS03-026) patched, it is susceptible to the buffer overflow attack from an infected host machine. An infected machine will send packets across the local subnet to the RPC service running on port 135. When these packets are received by any unpatched system, it will create a buffer overflow and crash the RPC service on that system. All this can occur without the worm actually being on the machine.
By applying the MS03-026 patch to the machine, it will prevent the RPC service from failing, in turn solving these symptoms. It is very important that the machine is rebooted after the patch has been installed.
Web servers (IIS 5) that are vulnerable to an MS03-007 attack (port 80), via WebDAV, are also vulnerable to the virus propagating through this exploit.
Are you using a software firewall or a hardware firewall? You should block incoming traffic on all ports until you get your system patched.
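The propagation sequence quoted above (ICMP echo sweep of the local subnet, exploit sent to TCP/135 on the hosts that answered, victim's shell connecting back on a TCP port in 666-765 and pulling the worm over TFTP) is distinctive enough to spot in a firewall log. The script below is an added example, not code from the post or from any vendor tool: it parses a small constructed log in a hypothetical "<time> <proto> <src> -> <dst> port=N|type=N" format, and flags a source as a probable infected host only when it has ping-swept at least `sweep_min` hosts and then hit TCP/135 on hosts that replied. The threshold, the log format and all addresses are assumptions for illustration. The hosts listed under `rpc_targets` are exactly the unpatched machines that will see their RPC service crash whether or not the worm ever lands on them, which is the point the post makes about instability.

```python
import re
from collections import defaultdict

# Hypothetical log format (an assumption, not a real product's format):
#   "12:00:01 icmp 10.1.2.3 -> 10.1.0.1 type=8"   ICMP, echo request (8) or reply (0)
#   "12:00:14 tcp  10.1.2.3 -> 10.1.0.5 port=135" TCP/UDP with destination port
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>icmp|tcp|udp)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+"
    r"(?:port=(?P<port>\d+)|type=(?P<type>\d+))$"
)

PING_SWEEP_MIN = 8         # distinct hosts echo-requested before we call it a sweep (assumed threshold)
SHELL_PORTS = range(666, 766)  # callback port range quoted from the McAfee description (inclusive 666-765)


def parse(lines):
    """Turn raw log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": d["ts"], "proto": d["proto"], "src": d["src"], "dst": d["dst"],
            "port": int(d["port"]) if d["port"] else None,
            "type": int(d["type"]) if d["type"] else None,
        })
    return events


def detect_nachi(lines, sweep_min=PING_SWEEP_MIN):
    """Return {scanner_ip: evidence} for sources showing the ping-sweep -> TCP/135 pattern."""
    pinged = defaultdict(set)      # scanner -> hosts it sent echo requests to
    replied = defaultdict(set)     # scanner -> hosts that answered the echo
    rpc = defaultdict(set)         # scanner -> hosts it then contacted on tcp/135
    callbacks = defaultdict(set)   # (victim, infected) -> "tcp/7xx" or "udp/69" seen
    for e in parse(lines):
        if e["proto"] == "icmp" and e["type"] == 8:
            pinged[e["src"]].add(e["dst"])
        elif e["proto"] == "icmp" and e["type"] == 0:
            replied[e["dst"]].add(e["src"])          # reply flows back to the scanner
        elif e["proto"] == "tcp" and e["port"] == 135:
            rpc[e["src"]].add(e["dst"])
        elif e["proto"] == "tcp" and e["port"] in SHELL_PORTS:
            callbacks[(e["src"], e["dst"])].add(f"tcp/{e['port']}")
        elif e["proto"] == "udp" and e["port"] == 69:
            callbacks[(e["src"], e["dst"])].add("udp/69")

    findings = {}
    for scanner, hosts in pinged.items():
        if len(hosts) < sweep_min:
            continue                                  # a handful of pings is normal admin traffic
        targets = replied[scanner] & rpc[scanner]    # exploit only goes to hosts that answered
        if not targets:
            continue
        findings[scanner] = {
            "pinged": len(hosts),
            "rpc_targets": sorted(targets),
            "callbacks": sorted(
                f"{victim} {','.join(sorted(ports))}"
                for (victim, infected), ports in callbacks.items() if infected == scanner
            ),
        }
    return findings


def build_sample_log():
    """Constructed sample traffic (not a real capture): one infected host, one benign admin box."""
    scanner = "10.1.2.3"
    lines = [f"12:00:{i:02d} icmp {scanner} -> 10.1.0.{i} type=8" for i in range(1, 13)]
    lines += [
        f"12:00:13 icmp 10.1.0.5 -> {scanner} type=0",   # two hosts answer the sweep
        f"12:00:13 icmp 10.1.0.9 -> {scanner} type=0",
        f"12:00:14 tcp {scanner} -> 10.1.0.5 port=135",   # exploit data goes only to responders
        f"12:00:14 tcp {scanner} -> 10.1.0.9 port=135",
        f"12:00:15 tcp 10.1.0.5 -> {scanner} port=707",   # victim's shell calls back in 666-765
        f"12:00:16 udp 10.1.0.5 -> {scanner} port=69",    # and fetches the worm over TFTP
        "12:01:00 icmp 10.1.0.50 -> 10.1.0.1 type=8",     # benign: one ping, then SMB
        "12:01:00 icmp 10.1.0.1 -> 10.1.0.50 type=0",
        "12:01:01 tcp 10.1.0.50 -> 10.1.0.1 port=445",
    ]
    return lines


if __name__ == "__main__":
    for ip, ev in detect_nachi(build_sample_log()).items():
        print(ip, ev)
```

Run against a real log you would swap `build_sample_log()` for the file's lines after adapting `LINE_RE` to its format. The intersection with `replied` is what keeps the rule quiet on ordinary monitoring hosts that ping everything: a scanner only gets flagged once it follows the replies with RPC traffic. Blocking inbound TCP/135, UDP/69 and TCP 666-765 at the firewall, as the reply above recommends, removes every hop of this chain on the edge; the patch is still what stops the crash on the host itself.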
-
- Moderator
- Posts: 0
- Joined: December 31st, 1969, 5:00 pm
The heavy RPC DCOM pinging by this worm is what's causing all your system instability. It'll cause crashes and reboots galore.
Here are some resources if you need them:
http://forums.mcafeehelp.com/viewtopic.php?t=13690
http://forums.mcafeehelp.com/viewtopic.php?t=13554
Symantec offers a great free cleaning tool
http://www.symantec.com/avcenter/venc/d ... .tool.html
There's no such thing as a good worm