Microsoft Security Intelligence
Published Jul 21, 2004 | Updated Sep 15, 2017

Worm:Win32/Nachi.A

Detected by Microsoft Defender Antivirus

Aliases: W32.Welchia.Worm (Symantec), WORM_NACHI.A (Trend Micro), W32/Nachi.worm (McAfee), Win32.Nachi.A (CA)

Summary

Win32/HLLW.Nachi.A is a network worm that targets Microsoft Windows 2000 and Windows XP. It propagates by exploiting several known vulnerabilities. It tries to download and apply security updates if it detects the operating system is a certain language version. It also tries to remove the MSBlast worm if it is on the infected system.
To manually recover from infection by Win32/Nachi.A, perform the following steps:
  • Disconnect from the Internet
  • Disable the worm services
  • Delete the worm files from the computer
  • Delete the worm registry entry
  • Take steps to prevent re-infection

Disconnect from the Internet

To help ensure that your computer is not actively infecting other computers, you should disconnect it from the Internet before proceeding. Print this Web page or save a copy on your computer; then unplug your network cable and disable your wireless connection. You can reconnect to the Internet after completing these steps.

Disable the worm services

To disable the worm services
  1. On the Start menu, click Control Panel.
  2. Click Administrative Tools and double-click Services.
  3. Right-click the WINS Client service.
  4. If the service is running, click Stop.
  5. Right-click the service again and click Properties.
  6. Under Startup Type, change the type to Disabled.
  7. Repeat steps 3-6 for the Network Connections Sharing service.

Delete the worm files from the computer

After you stop and disable the worm services, delete the worm code from your computer.
To delete the worm files from the hard disk
  1. Click Start, and click Run.
  2. In the Open field, type <system folder>\wins
  3. Click OK.
  4. Click Name to sort files by name.
  5. If dllhost.exe is in the list, delete it.
  6. Repeat step 5 for svchost.exe, if found.
  7. On the Desktop, right-click the Recycle Bin and click Empty Recycle Bin.
  8. Click Yes.
This removes the worm code from your computer.
If deleting files fails, use the following steps to verify that the WINS Client service and the Network Connections Sharing service are not running:
  1. On the Start menu, click Control Panel.
  2. Click Administrative Tools and double-click Services.
  3. Confirm that the WINS Client service and the Network Connections Sharing service are disabled.

Delete the worm registry entry

To delete the worm registry entry
  1. On the Start menu, click Run.
  2. Type regedit and click OK.
  3. In the left pane, navigate to the registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcPatch.
  4. Right-click the key, click Delete, and click Yes to delete the key.
  5. Repeat steps 3-4 for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcTftpd.
  6. Close the Registry Editor.
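The three removal steps above (services, files, registry keys) can also be checked and carried out from an elevated PowerShell prompt. The script below is an added example, not part of the Microsoft page; it assumes that "<system folder>" is %SystemRoot%\System32 and that the RpcPatch and RpcTftpd service keys are the "WINS Client" and "Network Connections Sharing" entries shown in the Services console. Without -Remediate it only reports what it finds.

```powershell
# Added triage script (not part of the Microsoft page): looks for the Nachi.A
# artifacts listed above and, with -Remediate, performs the same removal steps.
# Assumptions: "<system folder>" is $env:SystemRoot\System32, and the service
# keys RpcPatch / RpcTftpd are the "WINS Client" / "Network Connections Sharing"
# entries in the Services console.
[CmdletBinding()]
param([switch]$Remediate)

$serviceNames = @('RpcPatch', 'RpcTftpd')
$wormDir      = Join-Path $env:SystemRoot 'System32\wins'
$wormFiles    = @('dllhost.exe', 'svchost.exe') | ForEach-Object { Join-Path $wormDir $_ }
$findings     = @()

# 1. Services: the worm registers itself as two services; stop and disable them
#    first so that the files below are no longer locked.
foreach ($name in $serviceNames) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += "service $name ($($svc.DisplayName)) status=$($svc.Status)"
        if ($Remediate) {
            if ($svc.Status -eq 'Running') { Stop-Service -Name $name -Force }
            Set-Service -Name $name -StartupType Disabled
        }
    }
}

# 2. Files: the worm's copies of dllhost.exe and svchost.exe live in the
#    System32\wins subfolder, so the legitimate binaries in System32 are untouched.
foreach ($path in $wormFiles) {
    if (Test-Path -LiteralPath $path) {
        $findings += "file $path"
        if ($Remediate) { Remove-Item -LiteralPath $path -Force }
    }
}

# 3. Registry: the service keys remain until they are deleted explicitly.
foreach ($name in $serviceNames) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (Test-Path -LiteralPath $key) {
        $findings += "registry $key"
        if ($Remediate) { Remove-Item -LiteralPath $key -Recurse -Force }
    }
}

if ($findings.Count -eq 0) { 'No Nachi.A artifacts found.' }
else { 'Nachi.A artifacts:'; $findings | ForEach-Object { "  $_" } }
```

Run it from an administrator prompt with the network cable unplugged, and restart the computer after remediation so the service control manager drops the deleted service entries.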

Take steps to prevent re-infection

You should not reconnect your computer to the Internet until the computer is protected from re-infection. See the "Preventing Infection" section for more information.