Nachi Worm

The Welchia/Nachi worm has been detected on campus. This worm attacks unpatched operating systems that are exposed to the RPC vulnerability.

Manual Removal Instructions

  1. Download and install both the 823980 and 815021 security patches on all your computers to address the vulnerabilities identified in Microsoft Security Bulletins MS03-026 (Buffer Overrun in RPC Interface May Allow Code Execution) and MS03-007 (Unchecked Buffer in Windows Component May Cause Web Server Compromise). Patch KB824146 addresses new vulnerabilities that were found after the Welchia/Nachi worm: two of them might allow arbitrary code to be run, and one might result in a denial of service.
  2. Terminate the following services
    1. WINS Client
    2. Network Connections Sharing
  3. Delete the DLLHOST.EXE and SVCHOST.EXE files from the WINS directory within your WINDOWS SYSTEM32 directory. For example, c:\winnt\system32\wins\svchost.exe.

    Note: a legitimate system file exists with the filename DLLHOST.EXE, which must not be deleted.

  4. Edit the registry to:
    • Delete the "RpcPatch" key from
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    • Delete the "RpcTftpd" key from
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
  5. Go to http://windowsupdate.microsoft.com/ and apply all of the critical updates or update from Topaz. Update your anti-virus program to the latest signature files.
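The checks and cleanup in steps 2 through 4, as an added PowerShell script that is not part of the MSU advisory or of any vendor tool. It assumes a PowerShell-capable Windows host and an elevated prompt, and it looks only for the file, service and registry artifacts named above.

```powershell
# Added example, not from the advisory: report the Nachi/Welchia artifacts
# listed in the manual-removal steps and, with -Remove, apply those steps.
# Run from an elevated (Administrator) PowerShell prompt.
param([switch]$Remove)

$winsDir = Join-Path $env:SystemRoot 'system32\wins'
# Only the copies inside the WINS directory are worm files; the legitimate
# dllhost.exe and svchost.exe live directly in system32 and are left alone.
$wormFiles = @('svchost.exe', 'dllhost.exe') | ForEach-Object { Join-Path $winsDir $_ }
$wormKeys  = @('RpcPatch', 'RpcTftpd') |
    ForEach-Object { "HKLM:\SYSTEM\CurrentControlSet\Services\$_" }
# Display names of the worm's services, as given in step 2.
$wormSvcNames = @('WINS Client', 'Network Connections Sharing')

$found = $false

# Step 2: terminate the worm's services.
foreach ($svc in Get-Service | Where-Object { $wormSvcNames -contains $_.DisplayName }) {
    $found = $true
    Write-Host "Suspicious service: '$($svc.DisplayName)' ($($svc.Name)) is $($svc.Status)"
    if ($Remove -and $svc.Status -ne 'Stopped') {
        Stop-Service -Name $svc.Name -Force -ErrorAction Continue
    }
}

# Step 3: delete the worm's executables from the WINS directory.
foreach ($f in $wormFiles) {
    if (Test-Path -LiteralPath $f) {
        $found = $true
        Write-Host "Suspicious file: $f"
        if ($Remove) { Remove-Item -LiteralPath $f -Force -ErrorAction Continue }
    }
}

# Step 4: delete the RpcPatch and RpcTftpd service keys.
foreach ($k in $wormKeys) {
    if (Test-Path -LiteralPath $k) {
        $found = $true
        Write-Host "Suspicious service key: $k"
        if ($Remove) { Remove-Item -LiteralPath $k -Recurse -Force -ErrorAction Continue }
    }
}

if (-not $found)  { Write-Host 'No Nachi/Welchia artifacts found.' }
elseif ($Remove)  { Write-Host 'Artifacts removed; apply the MS03-026/MS03-007 patches and reboot.' }
else              { Write-Host 'Re-run with -Remove to perform the cleanup steps.' }
```

Run it once without -Remove to see what would be touched, then again with -Remove; the patches in step 1 and the updates in step 5 are still required afterwards, or the machine will simply be reinfected.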

Additional Windows ME/XP removal considerations

Because of the way the worm works, it may be difficult to connect to the Internet to obtain the patch, definitions, or removal tool before the worm shuts down the computer. It has been reported that, for users of Windows XP, activating the Windows XP firewall may allow you to download and install the patch, obtain virus definitions, and run the removal tool. This may also work with other firewalls, although this has not been confirmed. Disable System Restore (Windows XP).

The update files are also available from the Topaz server at:

Windows XP
  WindowsXP-KB824146-x86-ENU.exe    Hotfix
  Q815021_WXP_SP2_x86_ENU.exe       Hotfix
  xpsp1_en_x86.exe                  Service Pack 1

Windows 2000
  Windows2000-KB824146-x86-ENU.exe  Hotfix
  Q815021_W2K_sp4_x86_EN.EXE        Hotfix
  Windows_2000/W2KSP4_EN.EXE        Service Pack 4

Automatic Removal

McAfee has a cleaner tool to remove the Nachi/Welchia Worm along with many other recent Worms and Trojans at:
http://download.nai.com/products/mcafee-avert/stinger.exe

Note: You must have administrative rights to run these tools on Windows NT 4.0, Windows 2000, or Windows XP.
A copy of the Stinger tool is also available on Topaz at stinger.exe

Or you can run the Symantec clean tool listed below:

  1. Download the FixWelch.exe file from http://www.symantec.com/avcenter/FixWelch.exe, or download it from the Topaz server at FixWelch.exe.
  2. Save the file to a convenient location, such as your downloads folder or the Windows desktop (or removable media known to be uninfected).
  3. Close all running programs before running the tool.
  4. If you are on a network or you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.
  5. If you are running Windows Me or XP, then disable System Restore. Refer to the "System Restore option in Windows Me/XP" section later in this writeup for further details.

    Caution: If you are running Windows Me/XP, we strongly recommend that you do not skip this step.

  6. Double-click the FixWelch.exe file to start the removal tool.
  7. Click Start to begin the process, and then allow the tool to run.
  8. Restart the computer.
  9. Run the removal tool again to ensure that the system is clean.
  10. If you are running Windows Me/XP, then re-enable System Restore.
  11. Make sure that you are using the most current virus definitions.

Note: The removal procedure may not be successful if Windows Me/XP System Restore is not disabled as previously directed, because Windows prevents System Restore from being modified by outside programs.

Users of Windows Me and Windows XP should temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, in some cases, online scanners may detect a threat in the System Restore folder even though you scanned your computer with an antivirus program and did not find any infected files.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:


For additional information and an alternative to disabling Windows Me System Restore, read the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder (Q263455)."

Go to http://windowsupdate.microsoft.com/ and apply all of the critical updates or update from Topaz.

Montana State University
© Copyright Montana State University Modified May 9, 2008