Threat Encyclopedia

Win32/Nachi.B

Win32/Nachi.B is an internet worm infecting Windows 2000 and Windows XP systems. It is compressed with the UPX utility and is 12800 bytes in size.

Note: In the following text the placeholder %windir% stands for the Windows installation directory, which may differ from computer to computer. The System or System32 subdirectory of %windir% is referred to as %system%.

Upon activation the worm copies itself into the %system%\drivers directory under the name svchost.exe.

The worm also creates a mutex named WksPatch_Mutex and registers itself as the service "WksPatch", with a random name made of two or three words picked from the following list:

Systems
Security
Remote
Routing
Performance
Network
License
Internet
Logging
Manager
Procedure
Accounts
Event
Provider
Sharing
Messaging
Client

Unless the operating system is a Japanese localization of Windows 2000 or XP, the worm stops the "RpcPatch" service created by Nachi.A. It then searches for an active MyDoom.A or MyDoom.B worm. If it finds one, it removes it by deleting the files taskmon.exe and shimgapi.dll (MyDoom.A) or explorer.exe and ctfmon.dll (MyDoom.B) from the %system% directory, and deletes the Registry entries that caused them to be started.

Nachi.B changes the value of the following Registry key:

HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

by setting it to: %SystemRoot%\System32\webcheck.dll

It also adds the following line to the file %system%\drivers\etc\hosts: 127.0.0.1 localhost
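An added triage check (example code, not ESET's or the page's own) that evaluates a constructed host inventory against the indicators described above: the dropped file, the mutex, the WksPatch service and its word-list name, the WebCheck CLSID value and the hosts entry. Assumed: %system% is C:\WINNT\System32, and the words of the service name are joined directly or by single spaces.

```python
import re
from dataclasses import dataclass, field

# Words from which Nachi.B composes its two- or three-word service name (list from the text above).
NACHI_B_WORDS = [
    "Systems", "Security", "Remote", "Routing", "Performance", "Network", "License",
    "Internet", "Logging", "Manager", "Procedure", "Accounts", "Event", "Provider",
    "Sharing", "Messaging", "Client",
]
_WORD = "(?:" + "|".join(NACHI_B_WORDS) + ")"
# Two or three list words, joined directly or by single spaces (assumption: the separator is not documented).
SERVICE_NAME_RE = re.compile(rf"^{_WORD}(?: ?{_WORD}){{1,2}}$")
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32"

@dataclass
class HostSnapshot:
    """Constructed inventory of one machine, as a triage script or agent might collect it."""
    files: set = field(default_factory=set)        # full paths
    services: dict = field(default_factory=dict)   # service name -> display name
    mutexes: set = field(default_factory=set)
    registry: dict = field(default_factory=dict)   # key -> (default) value
    hosts_lines: list = field(default_factory=list)

def nachi_b_indicators(snap: HostSnapshot, system_dir: str = r"C:\WINNT\System32") -> list:
    """Return the indicators from this page that match the snapshot (empty list = nothing found)."""
    hits = []
    # Windows keeps its own svchost.exe in %system%, never in %system%\drivers.
    dropped = (system_dir + r"\drivers\svchost.exe").lower()
    if any(f.lower() == dropped for f in snap.files):
        hits.append("dropped file %system%\\drivers\\svchost.exe")
    if "WksPatch_Mutex" in snap.mutexes:
        hits.append("mutex WksPatch_Mutex")
    for name, display in snap.services.items():
        if name == "WksPatch" or SERVICE_NAME_RE.match(display or ""):
            hits.append(f"service {name} (display name {display!r})")
    # Nachi.B writes the stock webcheck.dll value back into this key after removing MyDoom,
    # so anything else there (e.g. MyDoom.A's shimgapi.dll) is residue worth reporting.
    value = snap.registry.get(CLSID_KEY)
    if value is not None and not value.lower().endswith("webcheck.dll"):
        hits.append(f"InProcServer32 of WebCheck CLSID hijacked: {value}")
    # "127.0.0.1 localhost" is also the stock hosts entry; only a duplicate hints at the appended line.
    if sum(1 for l in snap.hosts_lines if l.split() == ["127.0.0.1", "localhost"]) > 1:
        hits.append("duplicate '127.0.0.1 localhost' in hosts (weak)")
    return hits

# Constructed samples: one infected host and one clean host.
INFECTED = HostSnapshot(
    files={r"C:\WINNT\System32\svchost.exe", r"C:\WINNT\System32\drivers\svchost.exe"},
    services={"WksPatch": "Network Security Manager"}, mutexes={"WksPatch_Mutex"},
    registry={CLSID_KEY: r"%SystemRoot%\System32\webcheck.dll"},
    hosts_lines=["127.0.0.1 localhost", "127.0.0.1 localhost"])
CLEAN = HostSnapshot(files={r"C:\WINNT\System32\svchost.exe"}, services={"Eventlog": "Event Log"},
                     registry={CLSID_KEY: r"%SystemRoot%\System32\webcheck.dll"},
                     hosts_lines=["127.0.0.1 localhost"])
```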

On Windows 2000 and XP with Japanese localization the worm searches for a Microsoft IIS server. If it finds one, the worm overwrites all files with the following extensions:

.asp
.htm
.html
.php
.cgi
.stm
.shtm
.shtml

and adds the following text to their HTML code:

LET HISTORY TELL FUTURE !

1931.9.18
1937.7.7
1937.12.13 300,000 !

1941.12.7
1945.8.6 Little boy
1945.8.9 Fatso

1945.8.15
Let history tell future !

If the system is running Korean, Chinese or English Windows, the worm tries to download and install the patches from the following Microsoft security bulletins:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-043.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-049.asp

The worm spreads by exploiting several flaws in the Windows operating system and in Microsoft IIS server. It searches for vulnerable computers using an IP address generator. To transfer itself to a compromised computer it runs its own simple HTTP server on a random port. That server only answers requests for the file WksPatch.exe, which carries the worm body; requests for any other file are denied.

The worm deactivates itself after 120 days, or after June 1st 2004.

Detection of Win32/Nachi.B based on a sample has been included since virus signature database version 1.623.

If you are using an older virus database, an immediate update is necessary. To do that, click "Update Now" in the NOD32 Control Center.