
Nachi Computer Virus

Win32/Nachi is a family of network worms that spread across network connections by exploiting one or more vulnerabilities in Windows. These worms can also spread using backdoors opened by other malicious software. The worm tries to download and apply security updates; some variants try to remove other malicious software that may be on the infected computer. Some variants replace Web pages stored on the computer with their own Web page.

Also Known As: Computer Associates: Win32.Nachi; McAfee: W32.Nachi.worm; Symantec: Win32/HLLW.Welchia; Trend Micro: WORM_NACHI.

When this worm runs on a computer, it copies itself to a folder inside the %SYSTEM% folder, and then installs itself as a service using various names. Some variants of the worm also copy a system utility called Tftpd.exe to the same folder.

The worm tries to download various security updates and apply them to the infected computer. The worm restarts the system after each update is downloaded and executed. Variants of the worm try to remove other malicious software that may be on the infected computer. This software includes Win32/MSBlast, Win32/Doomjuice, and variants of Win32/Mydoom. Some variants replace Web pages on IIS servers with a Web page containing the heading "LET HISTORY TELL FUTURE!" and a list of dates and numbers.

The worm then scans for other systems over the network by sending ICMP Echo (ping) packets to TCP/IP addresses generated by the worm. If another system is at one of the generated addresses, the worm tries to exploit one or more of the vulnerabilities to transfer itself to the second system, which then runs the worm. Most variants of this family have a built-in expiration date of January 1, 2004. After this date, at system startup the worm either exits or deletes itself.
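The ICMP Echo sweep described above is the most visible network symptom of an infected host: one source pinging a large number of addresses in a short time. The following is an added detection example, not code from the original page or from any antivirus vendor. It parses constructed firewall-style log lines (the line format, field names, sample addresses and the default threshold are all assumptions) and reports any source that sends echo requests to many distinct destinations within a sliding time window.

```python
"""Flag hosts that send ICMP echo requests to many distinct addresses in a short window.

Added illustrative example, not code from the original page. The log line
format below is an assumption; adapt parse_line() to the firewall or router
log actually in use.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<iso-timestamp> src=<ip> dst=<ip> proto=<name> type=<icmp type>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) type=(?P<type>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"],
        "type": int(m["type"]),
    }


def find_icmp_sweeps(lines, window_seconds=10, threshold=50):
    """Return {src: peak_distinct_destinations} for every source that sends
    ICMP echo requests (type 8) to at least `threshold` distinct hosts inside
    any `window_seconds` window. Threshold and window are assumed defaults."""
    per_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["proto"] == "icmp" and ev["type"] == 8:  # echo request only
            per_src[ev["src"]].append((ev["ts"], ev["dst"]))

    window = timedelta(seconds=window_seconds)
    hits = {}
    for src, events in per_src.items():
        events.sort()
        in_window = Counter()  # destination -> number of echo requests inside the window
        start = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Evict events that fell out of the window ending at `ts`.
            while events[start][0] < ts - window:
                old_dst = events[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            hits[src] = peak
    return hits


def build_sample_log():
    """Constructed sample: one host sweeping 30 addresses in under 3 seconds,
    one benign host pinging two addresses, and one non-ICMP line that is ignored."""
    base = datetime(2003, 8, 18, 10, 0, 0)
    lines = []
    for i in range(30):
        ts = base + timedelta(milliseconds=100 * i)
        lines.append(f"{ts.isoformat()} src=10.0.0.5 dst=10.0.1.{i + 1} proto=icmp type=8")
    lines.append(f"{base.isoformat()} src=10.0.0.9 dst=10.0.1.1 proto=icmp type=8")
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()} src=10.0.0.9 dst=10.0.1.2 proto=icmp type=8")
    lines.append(f"{base.isoformat()} src=10.0.0.9 dst=10.0.1.3 proto=tcp type=0")
    return lines


if __name__ == "__main__":
    # With a lowered threshold the sweeping host is reported; the benign host is not.
    print(find_icmp_sweeps(build_sample_log(), window_seconds=10, threshold=20))
```

The window and threshold should be tuned to the environment: monitoring tools and network management agents also ping many hosts, so the check is best fed from an allowlist-filtered log and used to raise a triage alert rather than to block automatically.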
