W32.Welchia.Worm

saurabh

Hello everybody!

I have Windows 2000 Professional. My system is still
affected by W32.Welchia.Worm. I have Symantec
Antivirus; it detects the virus. I have downloaded the
tool from the www.symantec.com website and run the tool; it
detects and deletes it too, but after a few hours the same
virus is back. I have also installed Service Pack 4,
but I still have the same problem. Due to that I am not able
to connect any dial-up connections; I need to restart the
PC, and if a dial-up connection is ON after the virus
attack, I am not able to disconnect it, so the solution
for me is to restart the PC. Please tell me the
solution.

I am connected to a 50 PC network, and the problem is
there for everybody having a Win2k Prof system. Our server is
Windows 2000, and sometimes the virus also affects our
server.

I will be very grateful for the solution.

Regards,
Saurabh.

Alan

saurabh said:
Hello everybody!

I have Windows 2000 Professional. My system is still
affected by W32.Welchia.Worm. I have Symantec
Antivirus; it detects the virus. I have downloaded the
tool from the www.symantec.com website and run the tool; it
detects and deletes it too, but after a few hours the same
virus is back. I have also installed Service Pack 4,
but I still have the same problem. Due to that I am not able
to connect any dial-up connections; I need to restart the
PC, and if a dial-up connection is ON after the virus
attack, I am not able to disconnect it, so the solution
for me is to restart the PC. Please tell me the
solution.

I am connected to a 50 PC network, and the problem is
there for everybody having a Win2k Prof system. Our server is
Windows 2000, and sometimes the virus also affects our
server.

I will be very grateful for the solution.

I'm not very skilled with Windows 2000 or viruses, but all I can suggest is to
isolate all the machines, run virus scanners on them all to make sure they're
clean, then turn on your network again.
That's how my school got over a Blaster attack anyway.

Alan

Angus Lepper

You sound as if you have a serious problem there. Have you got Windows XP
anywhere on your network? I run a 2000/XP Peer-To-Peer network (Until I get
the hulk of a server fixed and home). XP seems to hoard viruses. If XP gets
a virus, then that virus sometimes infects the System Restore point data and
springs back from there.

Also, if you are restoring from backups, scan your backups. It's quite
possible that it has infected a backup, then you restore the backup and get
the virus back.

I would also like to tell you that the worm you are infected by is Nachi-A,
going by the following names:

W32/Nachi.worm, WORM_MSBLAST.D, Lovsan.D, W32.Welchia.Worm, Welchi

A full rundown is available at:
http://www.sophos.com/virusinfo/analyses/w32nachia.html

Here is a 'need-to-know' summary.

It spreads using the RPC DCOM vulnerability, similar to Blaster-A. A patch
is available for this hole at:
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp.

It also attempts buffer overflows in ntdll.dll to gain access.

A patch for this hole is available at
http://www.microsoft.com/technet/security/bulletin/MS03-007.asp. However,
both of these should I believe have been included in SP4.

It uses two files, dllhost.exe and svchost.exe. Dllhost.exe is the worm
itself and svchost.exe is a TFTP server that the worm uses to transfer
itself. I have been infected by this worm while our firewall was being
repaired. However, Sophos kept it at bay. You may be interested to know that
after we had reinstalled the hardware firewall it recorded 15000 hits in 1
hour of Nachi trying to gain access to our network. As tempting as it is to
edit the code for the exes so that it trashes the attacking machine it
probably isn't a good idea.

Also, check C:\WINNT\System32\Wins for dllhost.exe. If it is there then you
have been infected.

The worm scans the network for computers that are open to the exploit. It
then uses TFTP to transfer itself to it and restart the search.

For a start, I doubt you will require TFTP, so close those ports internally
and externally.

Keep a watch and delete it as soon as possible. Disconnect computers from
the network and scan them, then delete the virus. Once you have all
computers free reconnect the computers to the network.

The virus contains the following text, which is not displayed:

=========== I love my wife & baby :)~~~ Welcome Chian~~~ Notice: 2004 will
remove myself:)~~ sorry zhongli~~~=========== wins

If you do not have a firewall, download the free version of ZoneAlarm,
install it to those computers, then buy a hardware firewall and install it.

After 1 January 2004 the virus will remove itself.

To remove, save http://www.sophos.com/support/cleaners/nachigui.com to
floppy and run it on all computers to disinfect.

I have provided you with several methods of removal. I hope these help.

Angus Lepper,
Integrated Systems Developer,
Training for MCSE.
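The file-location check Angus gives above (dllhost.exe, and the TFTP-serving svchost.exe, dropped into System32\Wins), as an added example that is not code from the original thread or from Symantec/Sophos: a small Python routine that inspects a Windows system root for those two files and treats the svchost.exe that lives directly under System32 as the legitimate service host rather than as an indicator. The throwaway %SystemRoot% tree it builds is constructed for the demonstration; on a real Windows 2000 host you would call welchia_indicators(r"C:\WINNT") instead.

```python
"""Added example: look for the Welchia/Nachi file indicators named in the
thread (dllhost.exe and svchost.exe dropped into System32\\Wins).
Not code from the original post; the sample tree is constructed here."""
import os
import tempfile

# The worm drops both files into System32\Wins (per the thread). A
# svchost.exe directly under System32 is the legitimate Windows service
# host, so only copies under Wins count as indicators.
WORM_FILES = ("dllhost.exe", "svchost.exe")


def welchia_indicators(system_root):
    """Return the suspicious paths found under system_root.

    system_root is the Windows directory, e.g. C:\\WINNT on Windows 2000.
    An empty list means neither worm file is present in System32\\Wins.
    """
    wins_dir = os.path.join(system_root, "System32", "Wins")
    findings = []
    for name in WORM_FILES:
        candidate = os.path.join(wins_dir, name)
        if os.path.isfile(candidate):
            findings.append(candidate)
    return findings


def build_sample_tree(infected):
    """Construct a fake %SystemRoot% in a temp dir (demo only, not a real host)."""
    root = tempfile.mkdtemp(prefix="winnt_")
    system32 = os.path.join(root, "System32")
    os.makedirs(os.path.join(system32, "Wins"))
    # Every box has the legitimate service host directly under System32.
    open(os.path.join(system32, "svchost.exe"), "wb").close()
    if infected:
        for name in WORM_FILES:
            open(os.path.join(system32, "Wins", name), "wb").close()
    return root


if __name__ == "__main__":
    for state in (False, True):
        root = build_sample_tree(infected=state)
        hits = welchia_indicators(root)
        print("infected=%s -> %s" % (state, hits or "clean"))
```

Finding the files is the cheap test; the post's other observation (a TFTP listener the worm runs) is the one to confirm with a port listing on the machine, since an empty Wins directory after cleaning says nothing about whether the unpatched RPC service will simply be re-infected from a neighbour.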
 

Ian

Ok Alan,
The Microsoft patch isn't very good, but there is a better
patch on NTL's site that works brilliantly, but there are
also variants out there that work similar to the Welchia
virus. It is also better to disconnect from the network
and put the patches on first, then reboot each time for
the patches (there are 3). If you like I can e-mail you
the patches I have from the site; they are 3 weeks old
and I've never had any problems with them. I also have
detailed instructions.

Ian

Wouter

SP4 does not protect the PC against Blaster or similar worms.
1-Disconnect the infected PC from the network
2-Remove the virus, e.g. with Stinger:
http://vil.nai.com/vil/stinger/
3-Scan the PC for adware and spyware, e.g. with Ad-aware:
http://www.lsfileserv.com/
4-Install a firewall on the PC, e.g. ZoneAlarm:
http://www.zonelabs.com/
5-Connect the PC to the network again
6-Run Windows Update and at least install ALL Security Hotfixes:
http://windowsupdate.microsoft.com/
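Before reconnecting a cleaned PC (the second-to-last step above) it helps to know which internal hosts are still scanning. The following is an added example, not taken from any post in this thread: it triages firewall log lines for the two traffic patterns the thread attributes to the worm, probes of the RPC/DCOM endpoint on TCP/135 (the MS03-026 hole) and the TFTP fetch on UDP/69, the same kind of traffic Angus's hardware firewall logged 15000 times in an hour. The log layout, the addresses and the 10.0.0.0/8 LAN range are constructed assumptions for the demo, not a real firewall format.

```python
"""Added example (not code from the thread): triage firewall log lines for
the two traffic patterns attributed to Welchia/Nachi above, probes of the
RPC/DCOM endpoint on TCP/135 (the MS03-026 hole) and TFTP fetches on
UDP/69. Log layout, addresses and LAN range are constructed for the demo."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in a made-up "timestamp src dst proto dport" layout.
# 10.0.0.17 sweeps TCP/135 across the LAN; 10.0.0.25 then pulls the worm
# from 10.0.0.17 over TFTP; 203.0.113.9 is an outside scanner; the last
# two lines are ordinary traffic that must not be flagged.
SAMPLE_LOG = """\
2003-09-10T09:00:01 10.0.0.17 10.0.0.23 TCP 135
2003-09-10T09:00:01 10.0.0.17 10.0.0.24 TCP 135
2003-09-10T09:00:02 10.0.0.17 10.0.0.25 TCP 135
2003-09-10T09:00:02 10.0.0.17 10.0.0.26 TCP 135
2003-09-10T09:00:03 10.0.0.25 10.0.0.17 UDP 69
2003-09-10T09:00:05 203.0.113.9 10.0.0.5 TCP 135
2003-09-10T09:00:06 203.0.113.9 10.0.0.6 TCP 135
2003-09-10T09:00:07 10.0.0.40 10.0.0.2 TCP 445
2003-09-10T09:00:08 10.0.0.41 10.0.0.2 TCP 80
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (TCP|UDP) (\d+)$")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")       # assumed LAN range
WORM_PORTS = {("TCP", 135): "rpc-dcom", ("UDP", 69): "tftp"}


def parse_line(line):
    """Parse one constructed log line; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, proto, dport = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto, "dport": int(dport)}


def triage(log_text, scan_threshold=3):
    """Summarise worm-relevant traffic.

    Returns per-source hit counts on the two worm ports, the internal hosts
    that probed TCP/135 on at least scan_threshold distinct targets (active
    scanners to pull off the network first), and the hosts being contacted
    as TFTP servers, which is what the worm's own svchost.exe provides and
    which no ordinary workstation should be doing.
    """
    hits = defaultdict(Counter)
    probe_targets = defaultdict(set)
    tftp_servers = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = WORM_PORTS.get((rec["proto"], rec["dport"]))
        if kind is None:
            continue                      # not one of the two worm ports
        hits[rec["src"]][kind] += 1
        if kind == "rpc-dcom":
            probe_targets[rec["src"]].add(rec["dst"])
        else:
            tftp_servers.add(rec["dst"])
    scanners = sorted(
        src for src, dsts in probe_targets.items()
        if len(dsts) >= scan_threshold and ipaddress.ip_address(src) in INTERNAL
    )
    return {
        "hits": {src: dict(c) for src, c in hits.items()},
        "internal_scanners": scanners,
        "tftp_servers": sorted(tftp_servers),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for src, counts in summary["hits"].items():
        print(src, counts)
    print("internal scanners:", summary["internal_scanners"])
    print("tftp servers:", summary["tftp_servers"])
```

Lowering scan_threshold catches slower scanners at the cost of more false positives, and any host that legitimately runs TFTP (a boot server, a host used to back up switch configurations) should be allow-listed before acting on tftp_servers. A host that appears in both lists is the one spreading the worm and should come off the wire before anything else is reconnected.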
 

Enkidu

Angus Lepper said:
However, both of these should I believe have been included in SP4.
The Blaster/Welchia patch is not in SP4. You need to apply it
afterwards.

Cheers,

Cliff

Saurabh

Thanks a lot to everybody who has tried their best to help.

I will try whatever you all have told me to do.

Will disconnect from the network, will run patches, and
then a full system scan, and then reconnect it to the
network.

But one thing I didn't understand is about a hardware
firewall. I have been using Norton Personal Firewall; is
that the same thing as ZoneAlarm, or is it different?
Though my Norton Personal Firewall was active, that worm
still infected our PC, so does any other firewall secure
against such worms? Please do tell me about
some free download hardware firewalls; I will be glad if
you give me a reply to my (e-mail address removed).

Thanks all once again.
Regards,
Saurabh.

Saurabh

Hello Ian,

Please do send me all the patches to my mail... (e-mail address removed)

Thanks a lot,

Saurabh.

Angus Lepper

Sorry, you can't download a HARDWARE firewall. Hardware means that it is a
solid object that you can see. You have to buy them. For example, a
motherboard is a piece of hardware.

Angus

John Thow

As someone else has said, a hardware firewall is something you have to
physically attach to your system: It's not something you can download....

If you have the Norton Personal Firewall(NPF) you need to keep it up to date.
You also need a virus scanner - also requiring regular updating. The firewall
will block the more obvious attempts at hacking into your system but will not
necessarily prevent attacks by other means - such as malicious attachments to
e-mails that you unwisely open. As you have NPF, I'd suggest you also get
Norton Anti-Virus (NAV) - if you don't already have it - and run LiveUpdate
_at least_ once a week. That'll keep both the firewall and the anti-virus s/w
up to date and should circumvent future attacks. You should also run windoze
update regularly and install any 'critical' updates. Holes in windoze that
hackers / virus writers exploit are regularly identified to Micro$oft and they
provide patches to their supported operating systems to minimise the problem -
but you do have to keep checking.

--
John Thow
an optimist is a guy/ that has never had/ much experience -
certain maxims of archie; Don Marquis.

To e-mail me, replace the DOTs in the Reply-To: address with dots!
 
