themax90

Nachi Worm Removal

15 posts in this topic

#1 ·  Posted (edited)

I just got the Nachi Worm, apparently some idiot in Mid-West USA just let out a bunch of old viruses on the internet, thus the attacks on my dad, grandfather, and finally me. It came through a Microsoft RPC bug.

http://en.wikipedia.org/wiki/Nachi_worm

I recommend you all run this script because it may be on your computer without even knowing it.

Executable:

http://www.filefactory.com/dlf/f/bb30ba/b/...742fc2ea809efed

Just click Search, and if you find it click remove. It will ask you to restart your computer to complete it with a Yes/No option.

I know it may not be useful but since a few people I know have it, I thought you might like to try it.

Disclaimer:

I, nor any parties associated, not limited to AutoIt Forums, Developers, Users, Moderators, AutoIt Smith(said direct party "Max Gardner") shall ever be held responsible for any actions ran by this script. If you do not agree, then please exit and delete the program. If you continue, you accept this agreement to not hold said party/s liable for any damages done to personal, intellectual, or virtual properties of said client (you) who is running this software.

WARNING : If you "HAPPEN" to be running a WINS server on your HOME PC then do not run this. However since most people do not use WINS, if you have no idea what I am talking about as a WINS Server then you can run this with no problem.

Edited by Jon




#2 ·  Posted (edited)

I tested your script and it said my computer was infected. I downloaded Symantec's removal tool which said it wasn't infected. "C:\Windows\System32\Wins" existed (hidden), but didn't contain any files.

Edited by Helge


I recommend you all run this script because it may be on your computer without even knowing it.

No thanks.

A script that looks at the size of System32\Wins folder and deletes system files in a blind attempt to fix some maybe infection? I'm not sure if a Win2K OS would like this and could leave a system unbootable. I think you need to take care with sharing scripts like this. Your post also gives no warnings or good descriptions to what this script can do :D


#4 ·  Posted (edited)

I'm not attempting to be rude or anything Smith, but I did actually raise my eyebrows some sceptical centimeters when I saw the way you did the checking. I also agree with MHz, and I think adding a msgbox for confirmation is the least you can do.

Personally I would also add an agreement, where you disclaim the responsibility for anything that might happen to the computer when using your script :D

Edited by Helge


#5 ·  Posted (edited)

%systemdir%\Wins is created by the virus. It does not edit any files that are required for any Windows system to run. I repeat, the folder is CREATED by the virus. Running this will in NO way affect your computer but to get rid of it. It turns out Helge that you have had the virus already but it was removed. Here is the information:

http://vil.nai.com/vil/content/v_100559.htm

http://www.symantec.com/security_response/...-99&tabid=2

http://www.viruslist.com/en/viruslist.html?id=65727

@Mhz

I know exactly what I am doing. If you do not like it, do not run it. WINS is not used by windows. As I said before it USUALLY is CREATED by the virus.

If you really want a disclaimer then add this.

; Show the disclaimer text in a splash window for five seconds, then close it.
; The inner double quotes are doubled ("") so the string literal parses correctly.
SplashTextOn("", "I, nor any parties associated, not limited to AutoIt Forums, Developers, Users, Moderators, AutoIt Smith(said direct party ""Max Gardner"") shall ever be held responsible for any actions ran by said program.  If you do not agree, then please exit and delete this program.  If you continue, you accept this agreement to not hold said party/s liable for any damages done to personal, intellectual, or virtual properties of said client (you) who is running this software.")
Sleep(5000)
SplashOff()

Disclaimer:

I, nor any parties associated, not limited to AutoIt Forums, Developers, Users, Moderators, AutoIt Smith(said direct party "Max Gardner") shall ever be held responsible for any actions ran by this script. If you do not agree, then please exit and delete the program. If you continue, you accept this agreement to not hold said party/s liable for any damages done to personal, intellectual, or virtual properties of said client (you) who is running this software.

Edited by AutoIt Smith


#6 ·  Posted (edited)

@Mhz

I know exactly what I am doing. If you do not like it, do not run it. WINS is not used by windows. As I said before it USUALLY is CREATED by the virus.

Wins is a folder that does exist after Windows is freshly installed. I have always had a Wins folder on WinXP. :D

Edited by MHz


You have the disclaimer. No need to argue henceforth.


You have the disclaimer. No need to argue henceforth.

All I can say is that it is sad that you choose to make some disclaimer for not Warning people to deleting System files from their PC and making things possibly worse. And you base that on the Wins folder that already exists for a purpose. :D

You may get burnt when someone suffers.


#9 ·  Posted (edited)

@Mhz

Ok listen. Idiot. The file folder wins is not used by windows in ANY WAY. There is no way it would make it worse. Unless you are running a server on your HOME PC, then I do not think it will affect shit. The disclaimer has been posted. Please drop the subject.

Edit 1 : Look above I posted the disclaimer and a WINS Server warning. However since Microsoft sucks and nobody really trusts their server software anymore, it seems rather pointless.

Edited by AutoIt Smith


@Mhz

Ok listen. Idiot. The file folder wins is not used by windows in ANY WAY. There is no way it would make it worse. Unless you are running a server on your HOME PC, then I do not think it will affect shit. The disclaimer has been posted. Please drop the subject.

http://support.microsoft.com/kb/244810/

Who is the idiot?


#11 ·  Posted (edited)

• Microsoft Windows 2000 Advanced Server

• Microsoft Windows 2000 Datacenter Server

• Microsoft Windows 2000 Server

As I have already posted a warning about servers please drop the subject. I am not the idiot, you are for not reading what I said. Please just drop the subject. I have already had a bad enough day in the middle of 110 degree heat. I am sorry if I am being negative, but disclaimers and warnings have been posted. Get off it.

Edit 1 : Look above I posted the disclaimer and a WINS Server warning. However since Microsoft sucks and nobody really trusts their server software anymore, it seems rather pointless.

WARNING : If you "HAPPEN" to be running a WINS server on your HOME PC then do not run this. However since most people do not use WINS, if you have no idea what I am talking about as a WINS Server then you can run this with no problem.

Posted before your reply.

Edited by AutoIt Smith


This is great... we're commenting on a script in a friendly manner and are, because of that, being called idiots. Well, that's nice.


No, it is not directed at you. Notice I did not use a plural sense. I said Idiot for MHz not realizing it is a server issue, after I have already posted a warning about it.


Once again I do apologize for rough words, the heat is getting to me and I haven't quite been myself today.


#15 ·  Posted (edited)

lol i think that's funny what the worm does in the description

The Welchia worm, also known as the "Nachia worm," is a computer worm that exploits a vulnerability in the Microsoft Remote procedure call (RPC) service similar to the Blaster worm. However unlike Blaster, it tries to help the user by downloading and installing security patches from Microsoft, so it is a helpful worm. Though even as it implies no harm, it can increase network traffic, reboot the infected computer, and more importantly—it operates without consent and does not log anything. It has had several different variants and childworms. It was discovered on August 18, 2003.

Once in the system, the worm would patch the vulnerability it used to gain access (thereby actually securing the system against other attempts to exploit the same method of intrusion) and run its payload, a series of Microsoft patches. It then would attempt to remove the "W32/Lovsan.worm.a" by deleting MSBLAST.EXE. If still in the system, the worm was programmed to self-remove on January 1, 2004, or after 120 days of processing, whichever would have come first.

While this worm did no apparent damage to individual systems — indeed, it actually helped to secure certain systems — it did create vast amounts of traffic by its transmission method, thereby slowing down the Internet and the Microsoft website. The worm also made some systems unstable by its workings, and, once the patches had been installed, it rebooted the system. Because of these effects, the worm was perceived as a threat, and a patch was released by all major anti-viral companies.

Fixing a system infected with the Welchia worm is very simple, involving several command-line processes:

Edited by WTS
