Friday, June 26, 2009

How to remove W32/Nachi.worm

W32/Nachi.worm is a network worm: it spreads without any user action by sending complete copies of itself to other machines across networks such as the Internet. Generally known as "Nachi" (or Welchia), the worm exploits the vulnerabilities addressed by Microsoft Security Bulletins MS03-026 (KB 823980, the RPC DCOM buffer overrun) and MS03-007 (KB 815021, the WebDAV/ntdll buffer overrun). It spreads either through open Remote Procedure Call (RPC) ports or through the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol supported by Internet Information Services (IIS) 5.0.
It is also known as:
W32.Welchia.worm (NAV)
W32/Nachi!tftpd
W32/Nachi.worm.a
WORM_MSBLAST.D (Trend)
Installation
To ensure that only one instance of the worm runs on the victim machine, a mutex with the following name is created:
RpcPatch_Mutex
The worm installs itself in a WINS directory under the Windows System directory:
C:\WINNT\SYSTEM32\WINS\DLLHOST.EXE (10,240 bytes)
The worm also attempts to copy the TCP/IP Trivial File Transfer Protocol daemon (TFTPD.EXE) from the dllcache directory on the victim machine into the same WINS directory, renaming it:
C:\WINNT\SYSTEM32\WINS\SVCHOST.EXE
Note: If TFTPD.EXE is not present in the dllcache on the target machine, this copy fails. TFTPD.EXE is only present by default on specific Windows versions. The renamed copy is what lets an infected host serve the worm binary to the next victim over TFTP.
The following services are installed:
1. RpcPatch: runs the installed copy of the worm (DLLHOST.EXE)
   Display name: "WINS Client"
2. RpcTftpd: runs the copy of the TFTPD application (SVCHOST.EXE)
   Display name: "Network Connections Sharing"
Symptoms
· Large volumes of ICMP traffic on the network: the worm sweeps for live hosts with ICMP echo requests before attacking them, so a single infected machine pings many sequential addresses in a short time.
· Existence of the files and Windows services detailed above (DLLHOST.EXE and SVCHOST.EXE in the WINS directory, and the RpcPatch and RpcTftpd services).
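An added example of the network-side check (this is illustrative code, not code from the original post or from any vendor write-up): a Python detector run over constructed flow records that first flags hosts sweeping the network with ICMP echo requests, then confirms the Nachi propagation pattern of an RPC (TCP 135) or WebDAV (TCP 80) hit from the sweeper followed by a TFTP (UDP 69) pull from the new victim back to the infecting host. The record format, thresholds and IP addresses are assumptions; adapt the loader to your own NetFlow or IDS export.

```python
"""Flag hosts showing the W32/Nachi propagation pattern in flow records.

Constructed example, not code from the original post. The Flow record
layout, the sweep threshold and the sample addresses are assumptions.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    ts: float       # seconds since start of capture
    src: str
    dst: str
    proto: str      # "icmp", "tcp" or "udp"
    dport: int      # destination port, 0 for ICMP
    icmp_type: int  # 8 = echo request; ignored for tcp/udp


# Ports used by the worm's propagation stages.
RPC_DCOM_PORT = 135   # MS03-026 exploit
WEBDAV_PORT = 80      # MS03-007 exploit against IIS 5.0 WebDAV
TFTP_PORT = 69        # victim fetches DLLHOST.EXE from the infecting host


def icmp_sweepers(flows: List[Flow], window: float = 10.0,
                  min_targets: int = 50) -> Dict[str, int]:
    """Return {src: peak distinct echo targets} for every source that sends
    echo requests to at least `min_targets` distinct hosts within any
    `window`-second span. Echo replies (type 0) are ignored."""
    by_src = defaultdict(list)
    for f in flows:
        if f.proto == "icmp" and f.icmp_type == 8:
            by_src[f.src].append(f)
    result = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        counts = defaultdict(int)   # distinct destinations inside the window
        left, best = 0, 0
        for f in fl:
            counts[f.dst] += 1
            # slide the left edge forward until the window fits
            while f.ts - fl[left].ts > window:
                d = fl[left].dst
                counts[d] -= 1
                if counts[d] == 0:
                    del counts[d]
                left += 1
            best = max(best, len(counts))
        if best >= min_targets:
            result[src] = best
    return result


def infection_chains(flows: List[Flow],
                     sweepers: Dict[str, int]) -> Dict[str, List[str]]:
    """For each flagged sweeper A, return victims B where A connected to B on
    the RPC or WebDAV port and B later pulled from A over TFTP."""
    exploit_ts = {}  # (A, B) -> earliest exploit attempt time
    for f in flows:
        if (f.proto == "tcp" and f.dport in (RPC_DCOM_PORT, WEBDAV_PORT)
                and f.src in sweepers):
            key = (f.src, f.dst)
            exploit_ts[key] = min(exploit_ts.get(key, f.ts), f.ts)
    victims = defaultdict(set)
    for f in flows:
        if f.proto == "udp" and f.dport == TFTP_PORT and f.dst in sweepers:
            key = (f.dst, f.src)           # (infector, victim)
            if key in exploit_ts and f.ts >= exploit_ts[key]:
                victims[f.dst].add(f.src)
    return {a: sorted(v) for a, v in victims.items()}


def detect(flows: List[Flow]):
    """Run both stages; returns (sweepers, confirmed chains)."""
    sweepers = icmp_sweepers(flows)
    return sweepers, infection_chains(flows, sweepers)


def sample_flows() -> List[Flow]:
    """Constructed traffic: 10.0.0.5 sweeps 10.0.1.0/24 with echo requests,
    exploits 10.0.1.20 over TCP/135, and 10.0.1.20 then pulls the worm back
    via TFTP. 10.0.0.9 is a benign monitor that pings five hosts."""
    flows = []
    t = 0.0
    for i in range(1, 121):
        flows.append(Flow(t, "10.0.0.5", f"10.0.1.{i}", "icmp", 0, 8))
        t += 0.02
    flows.append(Flow(t + 0.5, "10.0.0.5", "10.0.1.20", "tcp", 135, 0))
    flows.append(Flow(t + 1.0, "10.0.1.20", "10.0.0.5", "udp", 69, 0))
    for i in range(1, 6):
        flows.append(Flow(100.0 + i, "10.0.0.9", f"10.0.2.{i}", "icmp", 0, 8))
    # an echo reply back to the sweeper must not be counted as a sweep
    flows.append(Flow(0.5, "10.0.1.3", "10.0.0.5", "icmp", 0, 0))
    return flows


if __name__ == "__main__":
    sweepers, chains = detect(sample_flows())
    for src, n in sweepers.items():
        print(f"{src}: {n} distinct echo targets in window -> ICMP sweep")
    for a, victims in chains.items():
        print(f"{a} infected {victims}: exploit then TFTP pull")
```

The sweep stage alone produces false positives from monitoring systems and legitimate scanners, which is why the second stage insists on the exploit-then-TFTP ordering before naming a host as an infector; on a real network, the ICMP threshold should be tuned to the normal ping rate of your management tools.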
To prevent this worm from infecting your computer, follow these steps:
1. Enable the Internet Connection Firewall (ICF) feature in Windows XP, Windows Server 2003, Standard Edition, and Windows Server 2003, Enterprise Edition; or use Basic Firewall, Microsoft Internet Security and Acceleration (ISA) Server 2000, or a third-party firewall to block TCP ports 135, 139, 445 and 593, UDP ports 69 (TFTP), 135, 137 and 138, and TCP port 80. Blocking TCP 135 and TCP 80 stops the RPC and WebDAV exploits used to gain entry, and blocking UDP 69 stops a newly exploited machine from downloading the worm binary from the infecting host.
To enable the ICF in Windows XP or Windows Server 2003, follow these steps:
1. Click Start, and then click Control Panel.
2. In Control Panel, double-click Networking and Internet Connections, and then click Network Connections.
3. Right-click the connection where you want to enable ICF, and then click Properties.
4. Click the Advanced tab, and then click to select the Protect my computer or network by limiting or preventing access to this computer from the Internet check box.
Note: Some dial-up connections may not appear in the Network Connections folder. For example, AOL and MSN dial-up connections may not appear. In that case, you can sometimes use the following procedure to enable ICF for a connection that does not appear in the Network Connections folder. If these steps do not work, contact your Internet service provider (ISP) for information about how to firewall your Internet connection.
5. Start Internet Explorer.
6. On the Tools menu, click Internet Options.
7. Click the Connections tab, click the dial-up connection that you use to connect to the Internet, and then click Settings.
8. In the Dial-up settings area, click Properties.
9. Click the Advanced tab, and then click to select the Protect my computer or network by limiting or preventing access to this computer from the Internet check box.