Welcome to the Virus Encyclopedia of Panda Security.
Alias: W32/Nachi.Worm, W32.Welchia.Worm, Worm_MSBLAST.D
Nachi.A exploits the RPC DCOM and WebDAV vulnerabilities in order to spread. It can uninstall the Blaster worm and delete the file that carries it.
Detection updated on: Jan. 2, 2004
|Yes, using TruPrevent Technologies
Country of origin: CHINA
Nachi.A is a worm that infects only Windows 2003/XP/2000/NT computers. Nachi.A exploits the Buffer Overrun in RPC Interface vulnerability to spread to as many computers as possible.
Nachi.A spreads by attacking remote computers and exploits the vulnerability mentioned above to download a copy of itself to the compromised computer. In order to do this, Nachi.A incorporates its own TFTP (Trivial File Transfer Protocol) server.
Nachi.A can uninstall the Blaster worm by ending its process and deleting the file that carries it.
If you have a Windows 2003/XP/2000/NT computer, it is highly recommended that you download the security patch from the Microsoft website. Access the web page for downloading the patch.
Moreover, Nachi.A can use another exploit known as WebDAV. More information about this vulnerability and the corresponding patch is available here.
A clear indication that Nachi.A has reached the computer is an increase in network traffic on TCP ports 135 and 707 and UDP port 69.
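The traffic indicator above can be checked against flow or firewall logs. The following is an added example, not part of the original encyclopedia entry or any Panda tool: the CSV record layout, the addresses and the thresholds are assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import defaultdict

# Ports the page names as showing increased traffic on an affected host.
WATCHED = {("tcp", 135), ("tcp", 707), ("udp", 69)}

# Constructed sample flow records (not real captures): time,src,dst,proto,dport
SAMPLE_FLOWS = """\
10:00:01,10.0.0.5,10.0.1.1,tcp,135
10:00:01,10.0.0.5,10.0.1.2,tcp,135
10:00:02,10.0.0.5,10.0.1.3,tcp,135
10:00:02,10.0.0.5,10.0.1.4,tcp,135
10:00:03,10.0.1.2,10.0.0.5,udp,69
10:00:03,10.0.0.5,10.0.1.2,tcp,707
10:00:04,10.0.0.9,10.0.0.20,tcp,135
10:00:05,10.0.0.9,10.0.0.20,tcp,445
10:00:06,10.0.0.7,10.0.0.30,udp,69
"""

def parse_flows(text):
    """Yield (src, dst, proto, dport) tuples, skipping malformed rows."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5 or not row[4].strip().isdigit():
            continue
        _, src, dst, proto, dport = (f.strip() for f in row)
        yield src, dst, proto.lower(), int(dport)

def suspicious_hosts(text, min_peers=3, min_ports=2):
    """Return hosts seen on >= min_ports watched ports with >= min_peers peers.
    Both thresholds are assumptions; tune them against normal traffic."""
    peers = defaultdict(set)
    ports = defaultdict(set)
    for src, dst, proto, dport in parse_flows(text):
        if (proto, dport) not in WATCHED:
            continue
        # Count both endpoints: the page only says traffic on these ports rises
        # on the affected machine, not which direction it flows.
        for host, peer in ((src, dst), (dst, src)):
            peers[host].add(peer)
            ports[host].add((proto, dport))
    return {
        h: {"peers": len(peers[h]), "ports": sorted(ports[h])}
        for h in peers
        if len(peers[h]) >= min_peers and len(ports[h]) >= min_ports
    }

if __name__ == "__main__":
    print(suspicious_hosts(SAMPLE_FLOWS))
```

Requiring several distinct peers and more than one watched port keeps a single legitimate RPC or TFTP session from being flagged.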