

Another Virus -- W32/Nachi -- Exploits a Widespread Windows Bug

by Bruce P. Burrell (bpb@umich.edu)
for the U-M Virus Busters (virus.busters@umich.edu)
Last significant update: 18 August, 2003

This information can be freely reproduced in any medium, as long as the information is unmodified.

On 18 August 2003, the W32/Nachi worm was discovered. Since it exploits a bug found in Windows NT 4, Windows 2000, Windows XP, and Windows 2003 Server, it is not a threat to Macintosh users or users of other operating systems (Win9x and WinME are not vulnerable either). Other malware has already exploited this vulnerability; ho hum. See, for example, our Lovsan writeup.

We have had drivers online to handle this here at U-M since before 14:00 EDT on 18 August, so VirusScan 4.5.1 and VirusScan 7.0 users should have been protected against this worm within an hour thereafter -- assuming that one uses antivirus software and keeps it updated.

Nachi is detected generically by VirusScan 4286 drivers from 18 August 2003. More info on Nachi at NAI's W32/Nachi writeup (leaving our site).

Unfortunately, it appears that many people worldwide do not use top quality antivirus software, or if they do, they do not keep it updated. Moreover, it would also appear that many people do not apply Windows Updates regularly....

Nachi uses the exploit discussed in Microsoft's MS03-026 Windows vulnerability bulletin (leaving our site), released 17 July 2003. Since this vulnerability is present in all NT-class versions of Windows since Win NT 4, it is extremely widespread, which means that millions and millions of machines are at risk....

My recommendations (but you may prefer those procedures suggested by antivirus vendors in the three URLs linked here instead):

If you are not already infected, take action NOW so that you are protected. Disable DCOM, install antivirus software and keep it current, and install Windows Updates -- the "critical" ones, at least. Details below in the next section.

If you are infected: My sympathies. Here's how to start digging out:

  1. Remove the afflicted computer from the network (dialup, ethernet, whatever). We don't want it spewing at others, or getting compromised again after we fix it. Powering it down is a good idea, too.

  2. On another computer, download Stinger 1.8.3 (or more recent, if one exists) to diskette from NAI's Stinger website (leaving our site).

  3. Boot the afflicted machine in Safe Mode (plain Safe Mode, not "Safe Mode with Networking" or "Safe Mode Command Prompt") and, if it's XP (or ME, but that doesn't apply here), disable System Restore. [NT 4 users can try booting in VGA mode, but this will be very ugly for them, I fear.]

  4. Run Stinger from diskette and save a logfile (automatically saved to the same place Stinger is, so that'll either be on the diskette, or in the folder to which you copied Stinger if you moved it to the hard drive first).

  5. IT IS VERY IMPORTANT TO SAVE THE LOGFILE IN CASE THERE ARE PROBLEMS LATER. DO NOT FORGET THIS STEP!

  6. Assuming Stinger cleans up successfully, I recommend that home users disable DCOM -- those on a network should ask their system administrators what the proper policy is:

    CAVEAT: Doing this will disable some stuff. But almost surely not if you are a home user, and probably not if you're on a network, either. The only things I know of that use DCOM are:

    * Microsoft Access Workflow Designer
    * FrontPage with Visual Source Safe on IIS
    * BizTalk Server schedule client
    * Excel uses DCOM if it includes an RTD statement
    * SMS uses DCOM to get the hardware inventory off a client
    * Win95 needs Client for Microsoft Networks or DCOM to work with MS SNA Server

    Use any of those?

    Didn't think so. Neither do I.

    [These products were gleaned from NTBUGTRAQ's archives (leaving our site).]

    [Microsoft Visual SourceSafe (VSS) uses DCOM also, apparently, and I know of one place on campus that uses VSS. So for them, at least, disabling DCOM is a less attractive option. Hence I recommend that sysadmins consider disabling DCOM on a few test machines to which you have physical access. If all goes well, do it across the board; if not, at least it's easy to re-enable DCOM manually.]

  7. Install antivirus software if you haven't already. Do this WITHOUT connecting to the network, e.g., U-M folks can install VirusScan from the Blue Disc, or go to an uninfected machine and download the most recent installer from our VirusScan Download page and run it from a ZIPdisk. If necessary, boot your compromised computer in Normal Mode to install.

  8. Now update your antivirus software, again without connecting to the network. For example, if you are a member of the U-M community, you could download the current SuperDAT from our VirusScan download page and install it from ZIPdisk or CD. [Alternately you could try booting in Safe Mode with Networking, and downloading the SuperDAT directly. But this is not as safe... and appears not to work for dialup connections. Only for those who connect to the network directly.]

  9. Now install critical Windows updates -- again, ideally without connecting to the network: if you download the updates you need, you can burn them to CD and install them that way.

    [Alternately, as in Step 8: if you don't come in via a modem, you can boot in Safe Mode with Networking and run Windows Update, but it is not as safe as the "all local" option. Also, when Windows Update asks to reboot, remember to continue booting in Safe Mode with Networking!]

    Do NOT run a Windows Update after booting in Normal Mode now; see Step 11.

    [At the very least, most folks will want to install the patch discussed in MS03-026. Personally, I didn't -- I don't trust Windows Updates; I prefer disabling DCOM, a service I don't use at all. But unless you know more than I do about this, you probably should do as I say, not as I do!

    The patch is available from Microsoft (leaving our site); look for the "Patch availability" header.]

  10. Now boot normally, reconnect to the network, and IMMEDIATELY perform an autoupdate for your antivirus product. And I mean NOW. Like "within 10 seconds of reconnecting." Even that may not be quickly enough, but at least you have a chance.

    Why so fast? Because the bad guys (and malware) are scanning the networks all the time. If they find you and you're vulnerable, BAM! All that work was for nothing. SO IMMEDIATELY UPDATE YOUR ANTIVIRUS PRODUCT!!!

  11. If you didn't run a Windows Update in Step 9, run it IMMEDIATELY after Step 10. No dawdling!

  12. You may find it less likely that you'll get bitten again if you follow our security recommendations laid out here.
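The writeup tells you to disable DCOM (Step 6) and notes that it is easy to re-enable by hand, but does not show the mechanics. The following is an added example, not part of the original writeup, that audits and toggles the setting behind the "Enable Distributed COM on this computer" checkbox in dcomcnfg: the REG_SZ value EnableDCOM under HKLM\SOFTWARE\Microsoft\Ole ("Y" = enabled, "N" = disabled). It also writes a small log of what it found before anything is changed, in the spirit of Step 5. The function names, the log file path and the use of PowerShell (rather than the 2003-era dcomcnfg or reg.exe) are my choices, not anything the writeup specifies; run it from an elevated prompt, and remember the change only takes effect after a reboot.

```powershell
# Added example (not from the original writeup): audit and toggle DCOM via the
# registry value that dcomcnfg's "Enable Distributed COM on this computer"
# checkbox controls. A reboot is required before a new setting takes effect.
# As the writeup advises, try this on a few test machines first.

$OleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'   # documented location of EnableDCOM

function Get-DcomState {
    # Returns 'Enabled', 'Disabled' or 'Unknown' from the EnableDCOM value.
    $value = (Get-ItemProperty -Path $OleKey -Name 'EnableDCOM' `
              -ErrorAction SilentlyContinue).EnableDCOM
    switch ($value) {
        'Y'     { 'Enabled' }
        'N'     { 'Disabled' }
        default { 'Unknown' }   # value absent or unexpected; treat as not hardened
    }
}

function Set-DcomState {
    # Sets EnableDCOM to Y or N and reports the before/after state.
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enabled', 'Disabled')]
        [string]$State
    )
    $newValue = if ($State -eq 'Enabled') { 'Y' } else { 'N' }
    $before   = Get-DcomState
    Set-ItemProperty -Path $OleKey -Name 'EnableDCOM' -Value $newValue -Type String
    Write-Host ("EnableDCOM: {0} -> {1} (effective after reboot)" -f $before, (Get-DcomState))
}

# Record the current state before changing anything, so it can be undone
# and so there is a log if problems turn up later (cf. Step 5).
$report = [ordered]@{
    Computer  = $env:COMPUTERNAME
    OSVersion = [Environment]::OSVersion.VersionString
    DcomState = Get-DcomState
    Checked   = Get-Date -Format o
}
$report | Format-Table -AutoSize
$logPath = Join-Path $env:TEMP 'dcom-audit.json'   # hypothetical log location
$report | ConvertTo-Json | Out-File -FilePath $logPath
Write-Host "Audit written to $logPath"

# Uncomment to apply the writeup's home-user recommendation...
# Set-DcomState -State 'Disabled'
# ...and this to reverse it, should something you need stop working:
# Set-DcomState -State 'Enabled'
```

The audit runs read-only by default; the two Set-DcomState calls are left commented out so that a sysadmin can inspect the report across a few machines before deciding, as the writeup suggests, whether to disable DCOM across the board. Because the value is read back after it is written, the "before -> after" line also confirms that the registry write actually landed.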

You can find alternate procedures for removal at the NAI URLs above.

If your computer still misbehaves, you may need to boot from the Windows CD and attempt to repair Windows, install Windows in another folder, or perform a clean install of Windows, or even format your hard drive. These topics are beyond the scope of this discussion.

The URL for this document is http://www.umich.edu/~virus-busters/nachi.html
For virus or hoax info, please see our main page (http://www.umich.edu/~virus-busters/) or go to another reputable site, like The Urban Legends Reference Pages (leaving our site).

   -BPB



Last updated: Monday, 18-Aug-2003 23:19:57 EDT.
University of Michigan Virus Busters - virus.busters@umich.edu
