Sophos

W32/Nachi disinfection instructions

The W32/Nachi variants W32/Nachi-A and W32/Nachi-B are worms that spread using the RPC DCOM vulnerability in a similar fashion to the W32/Blaster-A worm.

Both rely upon two vulnerabilities in Microsoft's software. Sophos recommends that users ensure their computers are patched against these vulnerabilities. The two patches have been available from Microsoft since March and July 2003 respectively. For more information on the vulnerabilities and to download the patches please visit Microsoft's website at the following URLs:

www.microsoft.com/technet/security/bulletin/MS03-039.mspx
www.microsoft.com/technet/security/bulletin/MS03-007.mspx

Putting these patches in place will help avoid reinfection. Single users are advised to scan for critical security vulnerabilities via Microsoft's website at windowsupdate.microsoft.com.

Resolve disinfection tool

Resolve is the name for a set of small, downloadable Sophos utilities designed to remove and undo the changes made by certain viruses, Trojans and worms. They terminate any virus processes and reset any registry keys that the virus changed. Existing infections can be cleaned up quickly and easily, both on individual workstations and over networks with large numbers of computers.

Windows 95/98/Me and Windows NT/2000/XP/2003

W32/Nachi can be removed from Windows 95/98/Me and Windows NT/2000/XP/2003 computers automatically with the following Resolve tools.

Note: When disinfecting variants not listed above, use the recovery instructions in the appropriate virus analysis.

Windows disinfector

NACHIGUI is a disinfector for standalone Windows computers.

If you are disinfecting several computers, download it, save it to floppy disk and run it from there.

After removing the worm, you should install the Microsoft patches MS03-039 and MS03-007, or update with all relevant security patches from Windows Update.

Command line disinfector

NACHISFX.EXE is a self-extracting archive containing NACHICLI, a Resolve command line disinfector for use on Windows networks. Read the notes enclosed in the self-extractor for details on running this program.

After removing the worm, you should install the Microsoft patches MS03-039 and MS03-007, or update with all relevant security patches from Windows Update.

Other platforms

To remove W32/Nachi on other platforms please follow the instructions for removing worms.

Read the notes enclosed in the self-extractor for more details on running Resolve.