Nachia B Worm, Microsoft XML

Published: 2004-02-12
Last Updated: 2004-02-12 23:24:06 UTC
by Johannes Ullrich (Version: 1)
Nachi B

'Nachi-B' (aka W32.Welchia.B.Worm) started to circulate yesterday.
Like Nachi-A, which was released last August, Nachi-B uses the
RPC DCOM vulnerability and the IIS WebDav vulnerability to enter
a system.

However, Nachi-B adds the Workstation service buffer overflow (MS03-049)
and the Locator service vulnerability (MS03-001) to its arsenal.

In addition to patching the RPC DCOM vulnerability on some versions
of Windows, it will remove files left behind by MyDoom.

Infected machines will generate traffic to port 135 tcp, 80 tcp, 139 tcp and 445 tcp.

Our data illustrates the spread of this worm. See the increase in traffic to
port 80: http://isc.sans.org/port_details.html?port=80 , and to port 445: http://isc.sans.org/port_details.html?port=445 over the last two days. Approximately 70,000 additional sources are scanning these two ports.
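As an added example (not part of the diary), the following Python check runs over constructed firewall log lines and flags sources that touch many distinct hosts on the port set listed above; the log format and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Ports Nachi-B probes, per the diary: RPC DCOM (135), IIS WebDAV (80),
# NetBIOS/SMB for the Workstation service overflow (139, 445).
NACHI_B_PORTS = {135, 80, 139, 445}

# Constructed sample firewall log lines (not real data); assumed format:
# "timestamp src_ip:src_port -> dst_ip:dst_port proto".
SAMPLE_LOG = """\
2004-02-12T10:00:01 10.0.0.5:1034 -> 192.168.1.10:135 tcp
2004-02-12T10:00:01 10.0.0.5:1035 -> 192.168.1.11:135 tcp
2004-02-12T10:00:02 10.0.0.5:1036 -> 192.168.1.12:445 tcp
2004-02-12T10:00:02 10.0.0.5:1037 -> 192.168.1.13:80 tcp
2004-02-12T10:00:03 10.0.0.5:1038 -> 192.168.1.14:139 tcp
2004-02-12T10:00:03 10.0.0.5:1039 -> 192.168.1.15:135 tcp
2004-02-12T10:00:04 10.0.0.9:2201 -> 192.168.1.10:80 tcp
2004-02-12T10:00:05 10.0.0.9:2202 -> 192.168.1.10:80 tcp
2004-02-12T10:00:06 10.0.0.7:3300 -> 192.168.1.20:22 tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?P<proto>\w+)$"
)

def parse_lines(text):
    """Yield (src, dst, dport) for each well-formed TCP log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("proto") == "tcp":
            yield m.group("src"), m.group("dst"), int(m.group("dport"))

def suspected_scanners(text, min_targets=5):
    """Return {src: sorted distinct targets} for sources that reached at
    least `min_targets` distinct hosts on Nachi-B's port set. Counting
    distinct destination hosts rather than raw connections keeps a busy
    client talking to a single web server (10.0.0.9 here) below threshold."""
    targets = defaultdict(set)
    for src, dst, dport in parse_lines(text):
        if dport in NACHI_B_PORTS:
            targets[src].add(dst)
    return {src: sorted(hosts) for src, hosts in targets.items()
            if len(hosts) >= min_targets}

if __name__ == "__main__":
    for src, hosts in suspected_scanners(SAMPLE_LOG).items():
        print(f"{src} probed {len(hosts)} hosts on Nachi-B ports: {hosts}")
```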

For additional information, see these summaries:

http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.b.worm.html

http://www.sophos.com/virusinfo/analyses/w32nachib.html

http://www.f-secure.com/v-descs/welchi_b.shtml
Microsoft XML Patch

Microsoft patch MS04-004 ("Cumulative Security Update for Internet Explorer"), which was released earlier in February, removed the ability to embed credentials in http and https URLs. As a side effect, this patch also removed the ability to pass a username
and password to XMLHTTP.open calls.

The exact behavior is explained here: http://support.microsoft.com/default.aspx?scid=kb;en-us;832414
A fix was released to solve the problem with XMLHTTP.open calls.

-------------------------

Johannes Ullrich, SANS Institute, jullrich_AT_sans.org

Feedback: http://isc.sans.org/contact.html
