Full Version: Nasty Nachi..!
manu
Hey, my proxy-firewall had been dying last week, well, I had a look at my switches, well, I saw it goes crazy, full of broadcasts and well, finally I found MR. NACHI worm in one laptop and soon I could see a lot of PCs are affected by this NASTY.. Well, you can clean it easily, but tell me, is there anything I could do not to affect PCs again... Please comment..

Manu
temptation
Hi there ...

hxxp://vil.nai.com/vil/content/v_100559.htm

maybe u try to create a "dummy" exe file so that the worm thinks that this pc is already infected

C:\WINNT\SYSTEM32\WINS\DLLHOST.EXE

So long
manu
Guys,

I had come to know that it is a version of BLASTER or WELCHIA.. Whatever, my network was affected badly, most ppl were simply using the PC to browse and not aware of firewall or even antivirus.. Anyway, I cleaned almost every PC, but still the threat remains.. I had read about it from various AV websites, but still I wish to hear you ppl comments..

Manu
SLiM577
damn nice interesting link, i was infected as well mate
Hardcore
W32Nachi....majority of versions should be detectable by scanning for port 707 on network segments, with the infected machines showing response.

You can use NMAP, or???. I use www.foundstone.com >> Resources>>Free Tools>>Scanning Tools>>Scanline 1.01

At C:\ prompt type something like:
sl -ht 707 192.168.0.0-254

This will sweep the subnet you define (192.168.0.x) for systems with response from 707.

Make sure all systems are patched up with MS03-026 First!!! Otherwise, you'll just get infected again.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-039.asp

To inoculate, if you have no AntiVirus, use McAfee's free STINGER tool. Download it to the infected machine once you have it patched up.
http://vil.nai.com/vil/stinger/

This will identify, patch, then inoculate your systems.

-Hardcore
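
The port 707 sweep described in the post above, as an added example that is not part of the original post or of any tool it names: a TCP connect check over a range written in the same `192.168.0.0-254` form. The function names are hypothetical, and an open port 707 is treated only as an indicator that a machine needs checking.

```python
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

NACHI_PORT = 707  # TCP port named in the post above


def expand_range(spec):
    """Expand '192.168.0.0-254' (the form used in the post) or a CIDR block."""
    if "/" in spec:
        return [str(h) for h in ipaddress.ip_network(spec, strict=False).hosts()]
    base, _, last = spec.partition("-")
    ipaddress.IPv4Address(base)  # raises ValueError on a malformed address
    if not last:
        return [base]
    prefix, first = base.rsplit(".", 1)
    if not 0 <= int(first) <= int(last) <= 255:
        raise ValueError(f"bad range: {spec}")
    return [f"{prefix}.{n}" for n in range(int(first), int(last) + 1)]


def port_open(host, port=NACHI_PORT, timeout=1.0):
    """True only when a full TCP connect succeeds; refused or filtered counts as closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def sweep(spec, port=NACHI_PORT, timeout=1.0, workers=64):
    """Return the hosts in spec that accept connections on port, in address order."""
    hosts = expand_range(spec)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: port_open(h, port, timeout), hosts))
    return [h for h, is_open in zip(hosts, results) if is_open]


if __name__ == "__main__":
    import sys
    spec = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.0-254"
    for host in sweep(spec):
        print(f"{host}: TCP {NACHI_PORT} open, check for Nachi and patch status")
```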
Mik3yZ
thanks m8 for this info... gladly i was not infected... but does anyone know something about the new nachi.b variant??

regards Mike