SANS ISC: Nachia B Worm, Microsoft XML SANS ISC InfoSec Forums

Nachia B Worm, Microsoft XML
Nachi B

'Nachi-B' (aka W32.Welchia.B.Worm) started to circulate yesterday.
Like Nachi-A, which was released last August, Nachi-B uses the
RPC DCOM vulnerability and the IIS WebDav vulnerability to enter
a system.

However, Nachi-B adds the Workstation service buffer overflow (MS03-049)
and the Locator service vulnerability (MS03-001) to its arsenal.

In addition to patching the RPC DCOM vulnerability on some versions
of Windows, it will remove files left behind by MyDoom.

Infected machines will generate traffic to ports 135/tcp, 80/tcp, 139/tcp and 445/tcp.
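
One way to look for the traffic pattern described above in flow logs, added here as an example and not code from ISC: it flags sources that contact many distinct destinations on the four TCP ports listed. The log format, the thresholds and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# Ports the diary lists for Nachi-B infected machines (all TCP).
NACHI_B_PORTS = {135, 80, 139, 445}
# Assumed thresholds, not from the diary: tune them to your network.
MIN_DISTINCT_TARGETS = 20   # distinct destinations a source must contact
MIN_PORTS_SEEN = 2          # how many of the listed ports it must touch

def parse_flow(line):
    """Parse 'timestamp src dst proto dport' (a constructed log format)."""
    fields = line.split()
    if len(fields) != 5:
        return None
    _, src, dst, proto, dport = fields
    if proto.lower() != "tcp" or not dport.isdigit():
        return None
    return src, dst, int(dport)

def find_scanners(lines, min_targets=MIN_DISTINCT_TARGETS, min_ports=MIN_PORTS_SEEN):
    """Return {src: {port: distinct_target_count}} for sources fanning out on the listed ports."""
    targets = defaultdict(lambda: defaultdict(set))
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue  # skip malformed or non-TCP records
        src, dst, dport = flow
        if dport in NACHI_B_PORTS:
            targets[src][dport].add(dst)
    flagged = {}
    for src, by_port in targets.items():
        all_dsts = set().union(*by_port.values())
        if len(all_dsts) >= min_targets and len(by_port) >= min_ports:
            flagged[src] = {p: len(d) for p, d in sorted(by_port.items())}
    return flagged

def sample_flows():
    """Constructed sample: one host sweeping a subnet, one ordinary web client."""
    lines = []
    for i in range(1, 31):
        lines.append(f"2004-02-12T10:00:{i:02d} 10.0.0.5 10.0.1.{i} tcp 135")
        lines.append(f"2004-02-12T10:01:{i:02d} 10.0.0.5 10.0.1.{i} tcp 445")
    lines.append("2004-02-12T10:02:00 10.0.0.9 192.0.2.10 tcp 80")
    lines.append("malformed line")
    return lines

if __name__ == "__main__":
    for src, counts in find_scanners(sample_flows()).items():
        print(src, counts)
```

Requiring several of the listed ports as well as a high count of distinct destinations keeps a busy web client on port 80 alone from being flagged.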

Our data illustrates the spread of this virus. See the increase in traffic to
port 80 and to port 445 over the last two days. Approximately an additional 70,000 are scanning these two ports.

For additional information, see these summaries:

Microsoft XML Patch

Microsoft patch MS04-004 ("Cumulative Security Update for Internet Explorer"), which was released earlier in February, removed the ability to add credentials to http and https URLs. However, this patch also removed the ability to add a username and password to calls.

The exact behavior is explained in Microsoft Knowledge Base article 832414.
A fix was released to solve the problem with calls.


Johannes Ullrich, SANS Institute


Feb 12th 2004