W32/Nachi Information

If you notice a slowdown in your internet connection, or your connection to the campus network fails at times, your computer might be infected with Nachi. Nachi is a worm that infects computers in the same manner as the Blaster worm, using the RPC exploit. Once a computer is infected, the worm attempts to patch it against the RPC exploit, removes the Blaster worm if it is present, and then scans the network for other vulnerable hosts. This scanning of hosts by the Nachi worm is what slows your internet connection down.

Nachi exploits multiple Windows vulnerabilities, including:

 

Products Affected by Nachi
  • Windows Server 2003
  • Windows XP Professional
  • Windows XP Home
  • Windows 2000 Server
  • Windows 2000 Professional
  • Windows NT 4.0

Products Not Affected by Nachi
  • Windows Me (Millennium)
  • Windows 98 SE
  • Windows 98
  • Windows 95

 

How to Tell Your Computer Is Infected
Users whose computers are infected may notice that their internet or network connection becomes slow or sluggish at times. Users may also notice large amounts of network traffic. Another sign of infection is the presence of the process DLLHOST.EXE actively running on the computer.

 

Steps to Remove the Infection and Patch your System.

  1. Download the Blaster/SoBig/Nachi Removal tool from the King's Sophos Anti-Virus Site. Follow the instructions on the site on how to download the Resolve Tool.
  2. Download the appropriate RPC patch for your computer. Select the patch that was designed for your system. If you are not sure what version of Windows you are running, click here.

    RPC/DCOM Patches KB824146
    Version Download
    Windows XP (All)
    Windows 2000 (All)
    Windows NT 4.0 (Workstation)
    Windows NT 4.0 (Server)

  3. Run Windows Update to ensure that your computer is up to date with other patches.
  4. Disconnect your computer from the internet or network.
  5. Run the disinfection tool to remove any Blaster infections.
  6. After the disinfection tool completes, run the patch.
  7. After the patch installs, your computer will need to be rebooted. Reattach your computer to the network.

    At this point your computer should be clean and protected from further exploits of the RPC vulnerability.
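
A post-cleanup check for steps 5 to 7, written as an added example that is not part of the original page: it parses a process listing and a hotfix listing and reports whether the DLLHOST.EXE indicator is still present and whether KB824146 is installed. Assumptions not taken from the page: the input has the shape of `wmic process get Name,ExecutablePath /format:csv` and `wmic qfe get HotFixID`, Windows is installed on C:, and only DLLHOST.EXE copies outside System32 are flagged because Windows ships a legitimate file of that name there. All sample data is constructed.

```python
import csv
import io

PATCH_ID = "KB824146"       # RPC/DCOM patch named on this page
INDICATOR = "dllhost.exe"   # process name the page lists as a sign of infection
# Assumption (not from the page): the legitimate DLLHOST.EXE lives in System32,
# so a running copy is only suspicious when its image sits somewhere else.
LEGIT_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}

def suspicious_processes(process_csv):
    """Return image paths of DLLHOST.EXE instances running outside System32."""
    hits = []
    for row in csv.DictReader(io.StringIO(process_csv.strip())):
        name = (row.get("Name") or "").strip().lower()
        path = (row.get("ExecutablePath") or "").strip()
        if name != INDICATOR:
            continue
        directory = path.lower().rpartition("\\")[0]
        if directory not in LEGIT_DIRS:
            # An empty path (listing could not read it) is flagged for review.
            hits.append(path or "<path unavailable>")
    return hits

def patch_installed(hotfix_text):
    """True if the hotfix listing contains an exact KB824146 entry."""
    ids = {line.strip().upper() for line in hotfix_text.splitlines()}
    return PATCH_ID in ids

def triage(process_csv, hotfix_text):
    """Summarise host state after the removal and patch steps."""
    hits = suspicious_processes(process_csv)
    patched = patch_installed(hotfix_text)
    return {"suspicious": hits, "patched": patched,
            "clean": not hits and patched}

# Constructed sample input: host name, paths and hotfix IDs are made up.
SAMPLE_PROCESSES = r"""
Node,ExecutablePath,Name
LABPC01,C:\WINDOWS\system32\svchost.exe,svchost.exe
LABPC01,C:\WINDOWS\system32\dllhost.exe,dllhost.exe
LABPC01,C:\WINDOWS\Temp\example\DLLHOST.EXE,DLLHOST.EXE
"""
SAMPLE_HOTFIXES = "HotFixID\nKB0000001\nKB0000002\n"

if __name__ == "__main__":
    print(triage(SAMPLE_PROCESSES, SAMPLE_HOTFIXES))
```

A host counts as clean only when both conditions hold; a missing patch with no suspicious process still leaves the machine open to reinfection through the RPC vulnerability.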

Steps to Take to Prevent Future Virus Problems

  1. Install Anti-Virus Software
    It is important that you install anti-virus software and keep it up to date. As new viruses come out, anti-virus software makers have to release updates to their products so that their software can recognize the new viruses. If your AV software is not up to date, it cannot protect you from newer viruses. If you do not have anti-virus software, or your current anti-virus software is old, you can download Sophos Anti-Virus from the King's College Sophos Anti-Virus Page. Sophos Anti-Virus is available free of charge to current King's College Students, Faculty and Staff for use on their personal computers.

  2. Keep Windows Up to Date
    Microsoft routinely makes corrections to the Windows Operating System to fix security problems and bugs that are discovered in Windows. Microsoft makes these fixes and patches available free of charge to Windows users. The easiest way to install them, and to check that your Windows version is complete, is to visit the Windows Update site on a regular basis. Installing the critical hot fixes, service packs and patches found on the Windows Update site can help prevent your computer from falling victim to worms and viruses that exploit known security issues. Make visiting Windows Update a routine habit.

    Microsoft Windows Update Site - http://windowsupdate.microsoft.com

  3. Install a Firewall on your Computer
    A firewall is a program that runs on your computer to help prevent people or viruses from getting into your computer. Windows XP has a firewall built into the Operating System.

    Windows XP users: You can use the instructions below to turn on the Internet Connection Firewall (ICF) in Windows XP or refer to KB article 283673 HOW TO: Enable or Disable Internet Connection Firewall in Windows XP.
    1. On the taskbar at the bottom of your screen, click Start, and then click Control Panel.
    2. Click the Network and Internet Connections category.
      (If the Network and Internet Connections is not visible, click Switch to Category View under Control Panel on the left side of the Control Panel window.)
    3. Click Network Connections.
    4. Right-click the Dial-up, LAN, or High-Speed Internet connection that you use to connect to the Internet, and then click Properties from the context menu.
    5. On the Advanced tab, under Internet Connection Firewall, select Protect my computer or network, and then click OK.
      The Windows XP firewall is now enabled.


    Windows NT 4.0 and Windows 2000 users: You will need to install a third-party firewall. Most firewall software for home users is available in free or trial versions. Check the following resources for more information on personal firewalls:
    McAfee Security
    Symantec
    ZoneAlarm Pro (Zone Labs)
    Tiny Personal Firewall (Tiny Software)
    Outpost Firewall (Agnitum)
    Kerio Personal Firewall (Kerio Technologies)
    BlackICE PC Protection (Internet Security Systems)

    Windows 2000 Users: Alternatively, you can take steps to block the affected ports so that your computer can be patched. Here are some modified instructions from the TechNet article HOW TO: Configure TCP/IP Filtering in Windows 2000.



Sophos Anti-Virus is provided for King's College Faculty, Staff and Students at no cost.