Nachi B Worm, Microsoft XML
Nachi B
'Nachi-B' (aka W32.Welchia.B.Worm) started to circulate yesterday.
Like Nachi-A, which was released last August, Nachi-B uses the
RPC DCOM vulnerability and the IIS WebDAV vulnerability to enter
a system.
However, Nachi-B adds the Workstation service buffer overflow (MS03-049)
and the Locator service vulnerability (MS03-001) to its arsenal.
In addition to patching the RPC DCOM vulnerability on some versions
of Windows, it removes files left behind by MyDoom.
Infected machines generate traffic to ports 135/tcp, 80/tcp, 139/tcp and 445/tcp.
Our data illustrates the spread of this worm. See the increase in traffic to
port 80: http://isc.sans.org/port_details.html?port=80 , and to port 445: http://isc.sans.org/port_details.html?port=445 over the last two days. Approximately 70,000 additional hosts are scanning these two ports.
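The port mix above (135, 80, 139 and 445 tcp, probed across many hosts) is what a defender would look for in perimeter logs. The script below is an added example, not part of the original diary: it parses a constructed sample of firewall flow records (the field layout is an assumption) and flags sources that hit several of these ports on many distinct targets.

```python
"""Flag hosts whose outbound connection attempts match the Nachi-B port mix
(135/tcp, 80/tcp, 139/tcp, 445/tcp) across many distinct targets.

The log format 'timestamp src dst dport proto action' is an assumption made
for this example; adapt parse_flows() to the real device's layout."""
from collections import defaultdict

NACHI_B_PORTS = {135, 80, 139, 445}

# Constructed sample flow records (not captured traffic).
SAMPLE_LOG = """\
2004-02-12T10:00:01 10.0.0.5 192.168.1.10 135 tcp deny
2004-02-12T10:00:01 10.0.0.5 192.168.1.11 135 tcp deny
2004-02-12T10:00:02 10.0.0.5 192.168.1.12 445 tcp deny
2004-02-12T10:00:02 10.0.0.5 192.168.1.13 80 tcp deny
2004-02-12T10:00:03 10.0.0.5 192.168.1.14 139 tcp deny
2004-02-12T10:00:03 10.0.0.5 192.168.1.15 445 tcp deny
2004-02-12T10:00:04 10.0.0.7 192.168.1.20 80 tcp allow
2004-02-12T10:00:05 10.0.0.7 192.168.1.20 443 tcp allow
2004-02-12T10:00:06 10.0.0.9 192.168.1.30 445 tcp allow
"""

def parse_flows(text):
    """Yield (src, dst, dport) for each well-formed TCP record; skip junk lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[4] != "tcp":
            continue
        try:
            yield parts[1], parts[2], int(parts[3])
        except ValueError:
            continue  # malformed port field

def suspect_scanners(text, min_targets=5, min_ports=3):
    """Return {src: sorted Nachi-B ports seen} for sources that contacted at
    least min_targets distinct hosts on at least min_ports of the worm's port
    set. A single host talking to one file server on 445 does not qualify;
    the thresholds are tuning knobs for the local network's normal traffic."""
    targets = defaultdict(set)
    ports = defaultdict(set)
    for src, dst, dport in parse_flows(text):
        if dport in NACHI_B_PORTS:
            targets[src].add(dst)
            ports[src].add(dport)
    return {src: sorted(ports[src]) for src in targets
            if len(targets[src]) >= min_targets and len(ports[src]) >= min_ports}

if __name__ == "__main__":
    for src, hit in suspect_scanners(SAMPLE_LOG).items():
        print(f"{src} probed Nachi-B ports {hit} across many hosts")
```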
For additional information, see these summaries:
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.b.worm.html
http://www.sophos.com/virusinfo/analyses/w32nachib.html
http://www.f-secure.com/v-descs/welchi_b.shtml
Microsoft XML Patch
Microsoft patch MS04-004 ("Cumulative Security Update for Internet Explorer"), which was released earlier in February, removed the ability to embed credentials in http and https URLs. As a side effect, this patch also removed the ability to pass a username
and password to XMLHTTP.open calls.
The exact behavior is explained here: http://support.microsoft.com/default.aspx?scid=kb;en-us;832414
A fix was released to solve the problem with XMLHTTP.open calls.
-------------------------
Johannes Ullrich, SANS Institute, jullrich_AT_sans.org
Feedback: http://isc.sans.org/contact.html