New Nachi/Welchia/LovSan variant?

dos

According to posts on Bugtraq, two people have confirmed the existence of a
new variant of Nachi/Welchia/LovSan.

Does anyone have any further information on this? I can't find anything on
the "big name" anti-virus vendors' websites.
 
dos said:
According to posts on Bugtraq, two people have confirmed the existence of a
new variant of Nachi/Welchia/LovSan.

"confirmed" -- no.
Does anyone have any further information on this? I can't find anything on
the "big name" anti-virus vendors' websites.

You have seen two marginally informed folks fairly ignorantly repeating _out
of context_ what they half understood from a stupid (or "ill-informed") IDS
report. Nachi sends out an initial "ping" probe to check if an IP exists
before trying to send a copy of itself via the DCOM RPC exploit. Many IDSes
report packets matching the pattern of such probes as _being_ Nachi which is
as wrong/stupid/misleading (at least to those who do not understand how
IDSes work) as a firewall saying that an attempt to connect to port 27347
(say) is a SubSeven intrusion.

I _suspect_ that what is being _misreported_ as a new Nachi variant is some
new malware that uses the same "ping probe" mechanism as Nachi did for some
(probably devious) reason. However, whatever this thing is, if it is
spreading at all (and so far there are no captured samples, no evidence of
compromised machines -- nothing "concrete" to base such a claim on) it is
doing so at a _much_ more pedestrian rate than any previous, modestly
successful worm...

I _know_ there is no major new worm out there as these rumours started at
least 48 hours ago now and if there was a major worm (such as Nachi) out
there we would really have known about it many, many hours ago (at least 47
based on our current knowledge of what seems to have happened here).

(For those who do not know/remember, Nachi and Welchia are different names
used for the same virus, and one vendor named that virus MSBLAST.D. MSBlast
was the name some vendors used for the virus that others called Blaster or
LovSan or Poza. Nachi also exploited the same security vulnerability as
MSBlast/Blaster/LovSan/Poza. Given all this, it is easy to see how "LovSan"
could be dragged into a rumour about a new Nachi/Welchia variant...)
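The post above argues that an IDS alert matching Nachi's ping-probe pattern is not evidence of Nachi unless the probe is followed by the worm's actual propagation attempt. The following added example (not from the original thread or its posters) shows that correlation on constructed log lines: it pairs ICMP probe alerts with subsequent connection attempts to TCP/135 (the DCOM RPC port, an assumption not stated in the thread) from the same source to the same destination within a short window, and labels sources as "probe-only" or "probe+rpc-attempt". The log formats and addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the original post): an IDS that labels every
# matching ICMP echo request as "Nachi", and a firewall log of TCP connection attempts.
IDS_ALERTS = """\
2004-02-12 10:00:01 ICMP_ECHO_NACHI_PATTERN src=10.0.0.5 dst=10.0.1.1
2004-02-12 10:00:02 ICMP_ECHO_NACHI_PATTERN src=10.0.0.5 dst=10.0.1.2
2004-02-12 10:00:01 ICMP_ECHO_NACHI_PATTERN src=10.0.0.9 dst=10.0.1.7
"""
FIREWALL_LOG = """\
2004-02-12 10:00:03 TCP_CONNECT src=10.0.0.5 dst=10.0.1.1 dport=135
2004-02-12 10:05:00 TCP_CONNECT src=10.0.0.9 dst=10.0.1.7 dport=80
"""

def parse(log):
    """Parse 'DATE TIME KIND key=value ...' lines into (timestamp, kind, fields)."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        fields = dict(p.split("=", 1) for p in parts[3:])
        events.append((ts, parts[2], fields))
    return events

def classify_sources(ids_log, fw_log, window=timedelta(seconds=30)):
    """Return {src: 'probe-only' | 'probe+rpc-attempt'} for every probing host.

    A probe counts as worm-like only when the same source then tries TCP/135
    (assumed DCOM RPC port) on the same destination within `window`.
    """
    probes = defaultdict(list)
    for ts, kind, f in parse(ids_log):
        if kind == "ICMP_ECHO_NACHI_PATTERN":
            probes[f["src"]].append((ts, f["dst"]))
    rpc_attempts = [(ts, f["src"], f["dst"]) for ts, kind, f in parse(fw_log)
                    if kind == "TCP_CONNECT" and f.get("dport") == "135"]
    verdict = {}
    for src, plist in probes.items():
        followed = any(src == rsrc and dst == rdst and timedelta(0) <= rts - pts <= window
                       for pts, dst in plist for rts, rsrc, rdst in rpc_attempts)
        verdict[src] = "probe+rpc-attempt" if followed else "probe-only"
    return verdict

if __name__ == "__main__":
    print(classify_sources(IDS_ALERTS, FIREWALL_LOG))
```

Only 10.0.0.5 follows its probe with a TCP/135 attempt; 10.0.0.9 matches the probe pattern but never does, which is exactly the case the post says an IDS should not be reporting as Nachi.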
 
2 weeks ago AVERT said a sample I sent was the Nachi but the sample was not
picked up by 2 DAT file updates that were definitely recommended to find and
kill it. They gave me an extra DAT file and said it would be added to their
standard DATs. The funny thing is I was fully MS updated and running the latest
VS8 DATs (McAfee).

The virus, if it was that, infected exactly the same as the Nachi re renaming
files etc.

There was nothing posted on the web site re it.

Below is the email from AVERT.

Identified: W32/Nachi.worm

AVERT(tm) Labs, Hong Kong

Thank you for submitting your suspicious file.

Synopsis -

Attached is a file for extra detection, which will be included in a
future DAT set.
 