S
Surfdog
For the general information of the group, the following information was
received from Symantec.
*********************************************************************
****************** SYMANTEC SECURITY ALERT **************************
*************** Alert! W32.Welchia.B.Worm
*************************
*********************************************************************
WARNING: W32.Welchia.B.Worm
Threat level: Category 3, Moderate (scale of 1-5)
Type: Worm
Protection Updates: February 11, 2004 or later (via LiveUpdate)
*********************************************************************
What is W32.Welchia.B.Worm and how does it affect me?
*********************************************************************
As of February 13, 2003, due to an increased rate of submissions,
Symantec Security Response has upgraded this threat to a Category 3
from a Category 2.
W32.Welchia.B.Worm is a variant of W32.Welchia.Worm. If the version
of the operating system of the infected machine is Chinese, Korean,
or English, the worm will attempt to download the Microsoft Workstation
Service Buffer Overrun and Microsoft Messenger Service Buffer Overrun
patches from the Microsoft® Windows Update Web site, install it, and
then restart the computer.
W32.Welchia.B.Worm propagates by exploiting the:
· Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability
(BID 8205)
· Microsoft Windows ntdll.dll Buffer Overflow Vulnerability (BID 7116)
· Microsoft Windows Workstation Service Remote Buffer Overflow
Vulnerability (BID 9011)
The worm also attempts to remove the W32.Mydoom.A@mm and
W32.Mydoom.B@mm
worms.
Note: Virus definitions dated February 11, 2004 revision 23
(20040211.023 or Defs Version 60211w) or later will detect this threat.
+---------------------------------------------------------------------+
For more technical information, refer to the W32.Welchia.B.Worm writeup
at:
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.b.w
orm.html
+---------------------------------------------------------------------+
**********************************************************************
WHAT ACTION CAN I TAKE FROM HERE?
**********************************************************************
** Run LiveUpdate **
Symantec Security Response posted virus definitions to protect
against this threat on February 11, 2004 (via LiveUpdate). All users
of Norton AntiVirus who do not have up-to-date virus protection
should immediately run LiveUpdate for protection from
W32.Welchia.B.Worm.
Virus definitions are available via the LiveUpdate feature in the
Norton AntiVirus product or the Symantec Security Response Web site:
http://securityresponse.symantec.com/avcenter/defs.download.html
Symantec Security Response encourages all Norton
AntiVirus users to regularly download virus
definitions in order to protect against future
threats. For more information on how to run
LiveUpdate, please go here:
http://service1.symantec.com/SUPPORT/sharedtech.nsf/docid/1999121613
163206
** Upgrade Customers **
If you have an older version of Norton AntiVirus
and would like to upgrade to Norton AntiVirus 2004,
please go here:
http://nct.symantecstore.com/0001/upgrade_center.html
** New Customers **
TO purchase Norton AntiVirus (TM) 2004, please go here:
http://www.symantecstore.com/51410/nav
***********************************************************************
Sincerely,
Symantec Security Response Team
Symantec Corporation
****************** Scan for Viruses. Free! ********************
Free Service. Check your system online using Symantec's award-
winning virus detection technology to determine if it is
infected by any known virus or Trojan horse.
Click Here -> http://www.symantec.com/securitycheck
*********** Subscribe to Symantec Security Alert ***************
Subscribe to the Symantec Security Alert to find out about the
latest worms, viruses and Trojans. Click here to subscribe:
http://nct.symantecstore.com/virusalert
******************************************************************
Copyright (c) 1995-2004 Symantec Corporation. All rights reserved.
Other brands and products are trademarks of their
respective holder(s).
Symantec Corporation
20330 Stevens Creek Boulevard
Cupertino, CA 95014
received from Symantec.
*********************************************************************
****************** SYMANTEC SECURITY ALERT **************************
*************** Alert! W32.Welchia.B.Worm
*************************
*********************************************************************
WARNING: W32.Welchia.B.Worm
Threat level: Category 3, Moderate (scale of 1-5)
Type: Worm
Protection Updates: February 11, 2004 or later (via LiveUpdate)
*********************************************************************
What is W32.Welchia.B.Worm and how does it affect me?
*********************************************************************
As of February 13, 2003, due to an increased rate of submissions,
Symantec Security Response has upgraded this threat to a Category 3
from a Category 2.
W32.Welchia.B.Worm is a variant of W32.Welchia.Worm. If the version
of the operating system of the infected machine is Chinese, Korean,
or English, the worm will attempt to download the Microsoft Workstation
Service Buffer Overrun and Microsoft Messenger Service Buffer Overrun
patches from the Microsoft® Windows Update Web site, install it, and
then restart the computer.
W32.Welchia.B.Worm propagates by exploiting the:
· Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability
(BID 8205)
· Microsoft Windows ntdll.dll Buffer Overflow Vulnerability (BID 7116)
· Microsoft Windows Workstation Service Remote Buffer Overflow
Vulnerability (BID 9011)
The worm also attempts to remove the W32.Mydoom.A@mm and
W32.Mydoom.B@mm
worms.
Note: Virus definitions dated February 11, 2004 revision 23
(20040211.023 or Defs Version 60211w) or later will detect this threat.
+---------------------------------------------------------------------+
For more technical information, refer to the W32.Welchia.B.Worm writeup
at:
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.b.w
orm.html
+---------------------------------------------------------------------+
**********************************************************************
WHAT ACTION CAN I TAKE FROM HERE?
**********************************************************************
** Run LiveUpdate **
Symantec Security Response posted virus definitions to protect
against this threat on February 11, 2004 (via LiveUpdate). All users
of Norton AntiVirus who do not have up-to-date virus protection
should immediately run LiveUpdate for protection from
W32.Welchia.B.Worm.
Virus definitions are available via the LiveUpdate feature in the
Norton AntiVirus product or the Symantec Security Response Web site:
http://securityresponse.symantec.com/avcenter/defs.download.html
Symantec Security Response encourages all Norton
AntiVirus users to regularly download virus
definitions in order to protect against future
threats. For more information on how to run
LiveUpdate, please go here:
http://service1.symantec.com/SUPPORT/sharedtech.nsf/docid/1999121613
163206
** Upgrade Customers **
If you have an older version of Norton AntiVirus
and would like to upgrade to Norton AntiVirus 2004,
please go here:
http://nct.symantecstore.com/0001/upgrade_center.html
** New Customers **
TO purchase Norton AntiVirus (TM) 2004, please go here:
http://www.symantecstore.com/51410/nav
***********************************************************************
Sincerely,
Symantec Security Response Team
Symantec Corporation
****************** Scan for Viruses. Free! ********************
Free Service. Check your system online using Symantec's award-
winning virus detection technology to determine if it is
infected by any known virus or Trojan horse.
Click Here -> http://www.symantec.com/securitycheck
*********** Subscribe to Symantec Security Alert ***************
Subscribe to the Symantec Security Alert to find out about the
latest worms, viruses and Trojans. Click here to subscribe:
http://nct.symantecstore.com/virusalert
******************************************************************
Copyright (c) 1995-2004 Symantec Corporation. All rights reserved.
Other brands and products are trademarks of their
respective holder(s).
Symantec Corporation
20330 Stevens Creek Boulevard
Cupertino, CA 95014
