New virus

[Brian A.]

The new worm virus.
From Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

"W32.Welchia.Worm
Discovered on: August 18, 2003
Last Updated on: August 19, 2003 08:52:29 AM

Due to an increase in submissions, Symantec Security Response has upgraded
W32.Welchia.Worm to Category 4, as of 6:00pm Monday, August 18, 2003.

W32.Welchia.Worm is a worm that exploits multiple vulnerabilities:


exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin
MS03-026) using TCP port 135. The worm specifically targets Windows XP machines using
this exploit.

exploits the WebDav vulnerability (described in Microsoft Security Bulletin MS03-007)
using TCP port 80. The worm specifically targets machines running Microsoft IIS 5.0
using this exploit.

The worm attempts to download the DCOM RPC patch from Microsoft's Windows Update Web
site, install it, and then reboot the computer.

The worm checks for active machines to infect by sending an ICMP echo request, or
PING, which will result in increased ICMP traffic.

The worm will also attempt to remove W32.Blaster.Worm.

Symantec Security Response has developed a removal tool to clean the infections of
W32.Welchia.Worm.



--


Brian A.

Jack of all trades, Master of none. One can never truly be a master as there is
always more to learn.

 

[Hugh Candlin]

Symantec Security Response has developed a removal tool to clean the infections of
W32.Welchia.Worm.

It has come to this.

Security experts running around
developing virus removal tools
to remove virus removal tools.

Ah, at last. The pathos of catastrophe.

 

[H Leboeuf]

My Zone Alarm blocked many ICMP requests yesterday.

I searched google this morning and found the same answer.