Campus Identifies ?Nachi? (aka ?Welchia?) Internet Worm

A new Internet worm is moving through the campus network. This worm generates a high volume of ICMP traffic as it attempts to spread.

The new ?Nachi? or ?Welchia? worm seeks Windows 2000 and XP computers lacking the RPC DCOM patch (MS03-026). Symantec reports the worm will also spread through an unpatched WebDav vulnerability (see MS03-007) via IIS5 web servers. The worm will attempt to remove the WS32.Lovsan worm (aka MSBlaster worm) and apply the MS03-026 patch afterwards. The worm reportedly will delete itself when the date reaches January 1, 2004.

Symptoms of an infection by this new worm include a random reboot and the installation of a TFTP server on the infected computer.

Major anti-virus vendors have updated virus files to identify and prevent infections from this new worm. We are attempting to identify campus computers generating high ICMP traffic levels so that system administrators may examine the computers and remove any infection by this new worm.