W32.Welchia.B.worm

[sjb]

Hi all,

I'm at my wits end on this one...does anyone know how the above virus is
transmitted? And how to prevent it from coming back?

I have a client whose machine I have cleaned of this virus...but it keeps on
coming back. She has XP, using IE6. I have run updates (16 of them including
SP1). Symantec states that the way it gets in is through a port opening, so
I figured that running the updates would take care of that. It shows up with
Norton detecting it in the windows\system32\....IE\temp folder, but it
cannot clean or quarantine it~ (access denied)! I find many occurances of
the wkspatch.exe (which is the virus itself) and manually remove them, also
the svchost.exe payload (for lack of a better term) and delete them~! I have
run the removal tool supplied by Symantec of which it finds the virus also
and removes it. I can run a complete system scan and come up with NOTHING,
yet later that afternoon, or the next day, she will have the virus again!

Note: her pattern of the virus showing up seems to be when she is on the New
York Times web site...hence my suspicions that it is coming in via the web.

Any input someone can supply would be GREATLY appreciated!

Sincerely,

Scott

 

[Wrangler]

I'm at my wits end on this one...does anyone know how the above virus is
transmitted? And how to prevent it from coming back?

I can run a complete system scan and come up with NOTHING,
yet later that afternoon, or the next day, she will have the virus again!

The more common name for Welchia is Nachi... and that has got a lot of
information written on it...

You need to have made sure you have applied the following patches otherwise,
it will indeed keep making more comebacks than the rollingstones...

MS03-007 (WebDav vulnerability)
MS03-026 / MS03-039 (DCOM vulnerabilities)
MS03-049 (Wkstation service).

You should find these on the WindowsUpdate Website (Tools/Windows Update
from Internet Explorer), otherwise, use the Security Bulletin site for
locations to download the files.

http://www.microsoft.com/security/security_bulletins/

You may also like to consider a desktop firewall, or at the very least,
enabling the ICF (Internet Connection Firewall) through the advanced tab on
the networking properties.

The McAfee Stinger will remove Nachi too...

http://download.nai.com/products/mcafee-avert/stinger.exe

..\/.artin

 

[sjb]

.\/.artin

Thanks for the info...at least I have somewhere else to look~!

Scott

 

[Wrangler]

Thanks for the info...at least I have somewhere else to look~!

This is the information source I use(d):

http://vil.nai.com/vil/content/v_101013.htm

....another place to look

..\/.artin