Typically used as a network debugging tool, but currently most of the ICMP
pings are a modified Nachi/Welchia ping meant to find computers that are online before
scanning them further for vulnerabilities suitable for infection with the Nachi/Welchia
Nachi/Welchia is designed such that it should uninstall itself from
infected systems during startup in 2004 so scan rates are falling off. For
example we have seen a decrease of about 60% since the new year.
However Sasser.D uses ICMP Pings to locate systems online to attempt to
infected, so in May 2004 we see an increase in ICMP ping traffic due to Sasser.D.
Typically you will see Nachi scans from systems which have similar IP
addresses to yours as Nachi/Welchia uses a localized scanning algorithm.
You could also see TCP port 135, 445, and 80 scans from these systems as Nachi/Welchia
uses a couple of different exploits to infect other systems.
Outbound scans if occurring in volume should be considered an indication of a
possible Nachi/Welchia/Sasser.D infection on the source computer and should be investigated.
the new champion bad boy
- What You Should Know About the Nachi Worm
F-Secure Sasser.D Writeup
Nachi/Welchia has a built in time out date such that it will
stop and uninstall itself if it is started after Midnight Dec 31, 2003. So
Nachi/Welchia pings have been significantly reduced, but are still occurring as
some systems have not been restarted since the start of the new year.
Link Logger graph showing the continued decline
of Nachi/Welchia and the emergence of Sasser.D in early May.
Page last updated on
May 10, 2004