Nachi Worm

Discussion in 'Software' started by MrPewty, Aug 31, 2003.

  1. MrPewty

    MrPewty MajorGeek

    I recently bought a PC for my daughter at university, and set it up in her room. It came with XP Home installed, and I installed Zone Alarm and AVG. AVG picked up the Nachi worm right away, during the first sweep after installation, and cleaned it. A little later I got a pop-up from AVG that Nachi had been detected, and I should run AVG right away. I did so, and it said the computer was clean. I had downloaded a fix for Nachi from an outfit called Sophos, called "RESOLVE W32/Nachi-A self-extractor". I ran it, and it found 1 infected file still on the hard drive, and cleaned it.

    This was yesterday. Today my daughter emails me to say that the virus alert from AVG has returned. Any thoughts? I don't think this worm is malicious, but as Sophos says, "no virus is a good virus."
     
  2. Thunder

    Thunder Private E-2

    http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.html

    1. Disabling System Restore (Windows XP)
    If you are running Windows XP, we recommend that you temporarily turn off System Restore. Windows XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

    Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

    Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.
     
  3. MrPewty

    MrPewty MajorGeek

    Thanks for the reply. I have been reading the site you posted, and apparently the virus removes itself if it sees the system clock read 2004. If I tell my daughter to reset the clock to 2004 for a day or two, will that do the trick? (She may not be confident enough to attempt to follow the instructions at Symantec.)
     
  4. Thunder

    Thunder Private E-2

    I personally wouldn't risk it, and it might cause more problems. Disabling System Restore is pretty easy.
     
  5. MrPewty

    MrPewty MajorGeek

    OK, thanks. I sent her the URL, and told her to read it and decide if she wants to go for it. (There may be someone else in her building who would attempt it.)

    BTW, what happens if she just leaves it where it is?
     
  6. iamien

    iamien Cptn "Eh!"

    The worm itself is a white hat worm. It patches up your system against the RPC attack it used to get in there.
    But as said, it should be removed, because no worm is a good one.
    If you leave it there, from what I read it shouldn't matter, but try Symantec's removal tool.
    Also make sure to patch the machine against RPC attacks.
     
