So, I ran into this scenario today. A sister company of mine had a Blaster outbreak today.
Technically, they had a Nachi outbreak (the “good” Blaster variant).
3 machines that either did not have antivirus software loaded, or the antivirus software was not working properly, were infected with Nachi. They spread it throughout the ClassB address space in this sister company, and their other clients that DID have working antivirus software reported this.
As did the overwhelmed firewall, but that is another story!….
Anyway, here is where things get interesting. The antivirus-protected clients (all unpatched for the RPC/DCOM vulnerability!) reported that a virus called W32.Valla.2048 was trying to infect them.
W32.Valla.2048??? What virus is this? Well, according to Symantec, this is an older, low damage virus that just appends itself to EXE files. It also is NOT network aware or network spreadable. It scans for EXE files on the local drive on a machine it is on, and appends itself to all EXE files.
That is it. No transmittal method over a network!
So, how was this virus spreading around the sister company’s LAN?
The Blaster/Nachi virus!
W32.Valla.2048 was already running on one of the 3 machines that were spreading Nachi. I found in the Event Viewer logs, once the offending machine was taken offline and a full antivirus scan was performed, that the files DLLHOST.EXE & SVCHOST.EXE in the C:\WINNT\SYSTEM32\WINS directory were infected with W32.Valla.2048.
So, here is how it worked. This machine already was infected with W32.Valla.2048. Then it was infected with Nachi.
Then Nachi started to spread throughout the LAN of this sister company. Antivirus software running on other computers in the LAN picked up W32.Valla.2048 in the Nachi executible as it came over via TFTP.
Therefore, a non-network spreadable virus was MADE network spreadable by Nachi.
Just something else to keep in mind with this thing!