nachi-e issue

Hello, avast keeps finding w32nachi-e over and over (which should have destroyed itself since 1 Jan 2004…) in

C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\MF1H5KZG\WksPatch[1].exe

C:\WINDOWS\system32\drivers\svchost.exe

It prompts me each time to delete the file on the next reboot, but the worm appears again and again when I connect to the net. I noticed that the temp folder above is where the firewall (Sygate) placed some files of its own, so I disabled the firewall to see whether the worm appeared just because the firewall was disabled. But the worm also appeared when it was enabled! So I guess there's something in my PC which triggers the download of the worm from outside, or at least regenerates it at every reboot or every connection to the net, whether I enable or disable the firewall, and which baffles the firewall too.
This is a very strange issue. If the worm is said to have destroyed itself 5 months ago, is it a problem with avast, or what? I also used the standalone remover, but obviously it doesn't find anything in the PC if the infection is not detected or prompted from outside. I smell there's something in the PC which triggers the download or rebirth of the virus. I don't know whether it is triggered by a specific action or after a certain amount of time since I connected; I only noticed that it has often happened that when I click a link, either in a page or an embedded link placed within a mail or Usenet post, avast triggers the alert.
Sincerely, this is one of the strangest issues I have ever stumbled upon. Can you please help me? The helpdesk wasn't able to give me any satisfying answers.

If the worm is said to have destroyed itself 5 months ago, is it a problem with avast, or what?
Check your system clock.
I noticed that the temp folder above is where the firewall (sygate) placed some files of its own
Some firewalls like BlackICE and its corporate version RealSecure log suspect packets in their log file, but this obviously is not a firewall log file, so I'm baffled as well.

Hi,

  • read the descriptions on nachi on avast’s home page and on VGREP below in my sig
  • apply all WindowsUpdates
  • change all your passwords so that they are more secure
  • configure your firewall correctly (at least block inbound 135, 139, 445, 4500)

:wink:
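Added example, not part of the original post: a small check that the inbound ports listed in the reply above (135, 139, 445, 4500) are no longer reachable after the firewall is configured. It assumes TCP probes only and that it is run from a second machine on the same network against your own PC, since a probe from the PC itself normally bypasses the firewall; the function names are made up for this example.

```python
import errno
import socket

# Ports the reply above says to block inbound.
NACHI_PORTS = (135, 139, 445, 4500)


def probe_tcp(host, port, timeout=1.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'.

    open     - handshake completed, a service is reachable from outside
    closed   - connection refused, host answers but nothing is listening
    filtered - no usable answer before the timeout (packets dropped)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        # connect_ex returns an errno value instead of raising on failure
        err = s.connect_ex((host, port))
    finally:
        s.close()
    if err == 0:
        return "open"
    if err == errno.ECONNREFUSED:
        return "closed"
    return "filtered"


def audit(host, ports=NACHI_PORTS, timeout=1.0):
    """Return ({port: state}, sorted list of ports that are still open)."""
    states = {p: probe_tcp(host, p, timeout) for p in ports}
    exposed = sorted(p for p, st in states.items() if st == "open")
    return states, exposed


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    states, exposed = audit(target)
    for port, state in sorted(states.items()):
        print(f"{target}:{port}/tcp {state}")
    if exposed:
        print("Still reachable, firewall rule missing for:", exposed)
    else:
        print("None of the listed ports accepted a connection.")
```

Any port reported as open still needs an inbound block rule in the firewall.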

What passwords? The OS's login? If it is that, I do not have any passwords set.
All updates were already applied before the cleaning. I'm applying Sygate again, and so far no infection has been triggered. But I guess this is only a temporary ditching, in case there's a spore resident in my PC, waiting for Sygate to be disabled in order to trigger the next alarm.

@1) yes

@2) Then DO set them !!
→ Worms often use weak/blank/non-existing passwords to enter your system

Please read all links here, to understand how NACHI-Worm works:
INFO

Ok, done. Ty. It seems that nachi hasn't appeared again.