New Nachi/Welchia/LovSan variant?
#1
Guest

According to posts on Bugtraq, two people have confirmed the existence of a new variant of Nachi/Welchia/LovSan. Does anyone have any further information on this? I can't find anything on the "big name" anti-virus vendors' websites.

#2
Guest

"dos" <dos@nospamyougits.co.uk> wrote:

> According to posts on Bugtraq, two people have confirmed the existence of a
> new variant of Nachi/Welchia/LovSan.

"confirmed" -- no.

> Does anyone have any further information on this? I can't find anything on
> the "big name" anti-virus vendors' websites.

You have seen two marginally informed folks fairly ignorantly repeating _out of context_ what they half understood from a stupid (or "ill-informed") IDS report.

Nachi sends out an initial "ping" probe to check if an IP exists before trying to send a copy of itself via the DCOM RPC exploit. Many IDSes report packets matching the pattern of such probes as _being_ Nachi which is as wrong/stupid/misleading (at least to those who do not understand how IDSes work) as a firewall saying that an attempt to connect to port 27347 (say) is a SubSeven intrusion.

I _suspect_ that what is being _misreported_ as a new Nachi variant is some new malware that uses the same "ping probe" mechanism as Nachi did for some (probably devious) reason. However, whatever this thing is, if it is spreading at all (and so far there are no captured samples, no evidence of compromised machines -- nothing "concrete" to base such a claim on) it is doing so at a _much_ more pedestrian rate than any previous, modestly successful worm...

I _know_ there is no major new worm out there as these rumours started at least 48 hours ago now and if there was a major worm (such as Nachi) out there we would really have known about it many, many hours ago (at least 47 based on our current knowledge of what seems to have happened here).

(For those who do not know/remember, Nachi and Welchia are different names used for the same virus, and one vendor named that virus MSBLAST.D. MSBlast was the name some vendors used for the virus that others called Blaster or LovSan or Poza. Nachi also exploited the same security vulnerability as MSBlast/Blaster/LovSan/Poza. Given all this, it is easy to see how "LovSan" could be dragged into a rumour about a new Nachi/Welchia variant...)

--
Nick FitzGerald
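
The distinction drawn in the reply above, as an added example that is not part of the thread: a triage pass over IDS events that reports what was actually observed (a probe, or a probe followed by a DCOM RPC connection attempt) instead of naming a worm. The event tuples, the 10-second window and the use of TCP port 135 for DCOM RPC are assumptions of this example.

```python
from collections import defaultdict

DCOM_RPC_PORT = 135  # assumption: TCP port used for DCOM RPC, not stated in the thread
WINDOW = 10.0        # assumption: seconds a follow-up attempt may trail the probe

# Constructed sample events: (timestamp, src, dst, proto, dst_port).
# Each "icmp" row stands for an echo request that an IDS matched against
# its "Nachi ping" pattern.
EVENTS = [
    (0.0, "10.0.0.5", "10.0.1.20", "icmp", None),
    (0.4, "10.0.0.5", "10.0.1.20", "tcp", 135),   # follow-up within window
    (1.0, "10.0.0.9", "10.0.1.21", "icmp", None),
    (2.0, "10.0.0.9", "10.0.1.22", "icmp", None),  # probes only, no follow-up
    (30.0, "10.0.0.7", "10.0.1.23", "icmp", None),
    (55.0, "10.0.0.7", "10.0.1.23", "tcp", 135),  # too late to correlate
]

PROBE_ONLY = "probe-pattern only"
PROBE_PLUS_RPC = "probe followed by DCOM RPC attempt"


def classify(events, window=WINDOW):
    """Label each probing source by the evidence seen, never by malware name.

    Neither label identifies Nachi or any other worm: that needs a captured
    sample or a compromised host, which is the point made in the reply.
    """
    probes = defaultdict(list)  # (src, dst) -> timestamps of matched probes
    verdict = {}
    for ts, src, dst, proto, port in sorted(events, key=lambda e: e[0]):
        if proto == "icmp":
            probes[(src, dst)].append(ts)
            verdict.setdefault(src, PROBE_ONLY)
        elif proto == "tcp" and port == DCOM_RPC_PORT:
            # Upgrade only when the same source hit the same target
            # shortly after probing it.
            if any(0 <= ts - p <= window for p in probes[(src, dst)]):
                verdict[src] = PROBE_PLUS_RPC
    return verdict


if __name__ == "__main__":
    for src, label in sorted(classify(EVENTS).items()):
        print(f"{src}: {label}")
```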

#3
Guest

2 weeks ago AVERT said a sample I sent was the Nachi but the sample was not picked up by 2 dat file updates that were definitely recommended to find and kill it. They gave me an extra dat file and said it would be added to their standard dats. The funny thing is I was fully MS updated and running latest VS8 dats (McAfee). The virus, if it was that, infected exactly the same as the Nachi re renaming files etc. There was nothing posted on the web site re it. Below is the email from AVERT.

Identified: W32/Nachi.worm
AVERT(tm) Labs, Hong Kong
Thank you for submitting your suspicious file.
Synopsis - Attached is a file for extra detection, which will be included in a future DAT set.

#4
Guest

Hi

I loaded the new McAfee update and it told me I had it.

Russ

"dos" <dos@nospamyougits.co.uk> wrote in message news:bnpodu$m9$1@sparta.btinternet.com...

> According to posts on Bugtraq, two people have confirmed the existence of a
> new variant of Nachi/Welchia/LovSan.
>
> Does anyone have any further information on this? I can't find anything on
> the "big name" anti-virus vendors' websites.