Welchia is an RPC exploiter, so there's a crucial bit of info missing
in this advice. Due to the nature of the RPC defect, you MUST fix the
broken code or at least turn on a firewall, else you WILL be
re-infected as soon as you connect to any infected TCP/IP network (and
the Internet is the mother of all infected TCP/IP networks).
Remote Procedure Call is a service that runs underfoot in NT
(including Win2000 and XP). It waves its ass to the Internet and you
can't turn it off, because the same service is needed to do local OS
stuff as well. Dumb design? I'd say so, but we are stuck with it.
The chronology:
- defect present at least as far back as the original NT 4.0
- defect persists through all NT 4 and Win2000 SPs to XP
- July 2003: First documented and patched by MS
- August 2003: Multiple malware attack via the defect
- September 2003: New defects found in patch; new patch
- April 2004: More defects in same subsystem, new patch again
The RPC defect is exploited by crafting RPC request packets that are
broken in such a way that they inject raw code into the system, which
the OS then runs. The "shape" of the packet differs for Win2000 vs.
XP, so packets crafted for XP will crash the RPC service on Win2000,
and vice versa. When this happens, the duhfault MS setting for RPC
service "recovery" is to restart the whole system; it's a good idea to
set that to "restart the service" instead.
An antivirus can only catch the malware once it has successfully
entered the system. It can do nothing to stop the DoS effect of
mis-matched packets crashing the RPC service and restarting the PC.
The definitive fix for that is to patch the defect, but meantime you
can screen out attacks by using a firewall, such as the one built into
XP. Don't connect to the 'net until you've done at least that.
-- Risk Management is the clue that asks:
"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
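An added example, not part of the post above, showing how the two interim measures it recommends (changing the RPC service's recovery action from "restart the computer" to "restart the service", and confirming the built-in firewall is on) can be applied from a cmd.exe prompt instead of the Services MMC. It assumes the standard RPC service name RpcSs, the built-in `sc.exe` tool, an administrator prompt, and the `netsh firewall` context that exists on XP SP2 and later (on earlier XP builds the Internet Connection Firewall is enabled through the adapter's properties instead). The delay and reset values are arbitrary choices, not values from the post.

```batch
@echo off
REM Interim hardening for the RPC service described in the post.
REM This only limits the DoS effect of mismatched packets; it does
REM NOT fix the code-injection defect. Patching is still required.

REM 1. Show the current recovery configuration for the RPC service.
REM    On a stock install the first failure action is "reboot".
sc qfailure RpcSs

REM 2. Change the failure actions to restart the service (after a
REM    60 s delay) on each of the first three failures, and reset
REM    the failure counter after a day (86400 s). The "=" must be
REM    followed by a space; that is sc.exe's argument syntax.
sc failure RpcSs reset= 86400 actions= restart/60000/restart/60000/restart/60000
if errorlevel 1 (
    echo Failed to change RpcSs recovery settings. Run from an administrator prompt.
    exit /b 1
)

REM 3. Confirm the change took effect.
sc qfailure RpcSs

REM 4. Make sure the built-in firewall is on before touching the
REM    network (XP SP2+ netsh syntax; assumption, see lead-in).
netsh firewall show state
netsh firewall set opmode mode= ENABLE
if errorlevel 1 (
    echo Could not enable the firewall via netsh; enable it from the adapter properties instead.
    exit /b 1
)

echo RPC recovery set to restart-service and firewall enabled. Now install the patch.
```

Run it once as an administrator before connecting the machine to any network. `sc qfailure` before and after shows the change from "Reboot" to "Restart" in the failure-action list, which is the only visible effect of step 2; the service itself is not stopped or restarted by the script.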