*** NEW WORM ***


Antnee
December 5th 03, 12:48 PM
There's a new worm going around called Welchia, or Blaster-D

It attempts to repair Blaster infections but can cause
more probs

http://www.visualante.org/news/19-aug-2003/worm.htm

Mike Brannigan [MSFT]
December 5th 03, 12:48 PM
Yes - we posted this yesterday

see
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/nachi.asp
(copied below)


PSS Security Response Team Alert - New Worm: Nachi, Blaster-D, Welchia

SEVERITY: CRITICAL

DATE: August 18, 2003

PRODUCTS AFFECTED: Windows 2000 and XP, Internet Information Services
5.0

**********************************************************************

WHAT IS IT?

A new worm is spreading in the wild. The Microsoft Product Support
Services Security Team is issuing this alert to advise customers to be on
the alert for this virus as it spreads in the wild. Customers are advised to
review the information and take the appropriate action for their
environments.

IMPACT OF ATTACK:

Network Propagation, Patch Installation

TECHNICAL DETAILS:

Similar to the earlier Blaster worm and its variants, this worm also
exploits the vulnerability patched by Microsoft Security Bulletin MS03-026,
and instructs target systems to download its copy from the affected system
using the TFTP program.

In addition to exploiting the RPC vulnerability patched by Microsoft
Security Bulletin MS03-026 this worm also uses a previously patched
vulnerability in Microsoft Security Bulletin MS03-007 directed at IIS 5.0
over port 80 to propagate to un-patched systems.

In addition upon successful infection this worm also patches systems
with the patch for Microsoft Security Bulletin MS03-026. It does this by
first determining the operating system and then downloading the associated
patch for that operating system.

For additional details on this worm from anti-virus software vendors
participating in the Microsoft Virus Information Alliance (VIA) please visit
the following links:

Network Associates:

http://vil.nai.com/vil/content/v_100559.htm

Trend Micro:


http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.D

Symantec


http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

For more information on Microsoft's Virus Information Alliance please
visit this link: http://www.microsoft.com/technet/security/virus/via.asp

Please contact your Antivirus Vendor for additional details on this
virus.

PREVENTION:

Turn on Internet Connection Firewall (Windows XP or Windows Server
2003) or use a third party firewall to block incoming TCP ports 80, 135,
139, 445 and 593; UDP ports 135, 137, 38.

To enable the Internet Connection Firewall in Windows XP please see
the instructions below or visit this KnowledgeBase Article:
http://support.microsoft.com/?id=283673

1. In Control Panel, double-click Networking and Internet Connections,
and then click Network Connections.

2. Right-click the connection on which you would like to enable ICF,
and then click Properties.

3. On the Advanced tab, click the box to select the option to Protect
my computer or network.

This worm utilizes two previously-announced vulnerabilities as part of
its infection method. Because of this, customers must ensure that their
computers are patched for the vulnerabilities that are identified in the
following Microsoft Security Bulletins.

http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

http://www.microsoft.com/technet/security/bulletin/MS03-007.asp

In order to assist customers with the installation of the patch for
Microsoft Security Bulletin MS03-026 Microsoft has released a tool which can
be used to scan a network for the presence of systems which have not had the
MS03-026 patch installed. More details on this tool are available in
Microsoft Knowledge Base article MS03-026. In order to assist customers,
Microsoft has released a tool which can be used to scan a network for the
presence of systems which have not had the MS03-026 patch installed. More
details on this tool are available in Microsoft Knowledge Base article
826369.

RECOVERY:

If your computer has been infected with this virus, please follow the
steps located on this page:
http://www.microsoft.com/security/protect/main.asp. After updating your
virus definitions please scan your machine using your current antivirus
software, following the instructions for removal. If after you have followed
these steps you need further assistance please contact your preferred
antivirus software vendor or Microsoft Product Support Services.

RELATED MICROSOFT SECURITY BULLETINS:

http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

http://www.microsoft.com/technet/security/bulletin/MS03-007.asp

As always please make sure to use the latest Anti-Virus detection from
your Anti-Virus vendor to detect new viruses and their variants.

If you have any questions regarding this alert please contact your
Microsoft representative, your preferred antivirus software vendor or
1-866-727-2338 (1-866-PCSafety) within the US, outside of the US please
contact your local Microsoft Subsidiary.

PSS Security Response Team





--
Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups

"Antnee" wrote in message ...
> There's a new worm going around called Welchia, or Blaster-D
>
> It attempts to repair Blaster infections but can cause
> more probs
>
> http://www.visualante.org/news/19-aug-2003/worm.htm
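
An added example (not from the thread or from Microsoft's alert): a triage pass over a firewall log in the Windows XP ICF `pfirewall.log` field layout, using the port list from the alert's PREVENTION section and the TFTP download step from its TECHNICAL DETAILS. The sample log, the addresses, the function names and the use of UDP port 69 for TFTP are assumptions made for illustration.

```python
from collections import defaultdict

# Ports the alert says to block inbound, copied exactly as printed there.
ALERT_PORTS = {"TCP": {80, 135, 139, 445, 593}, "UDP": {135, 137, 38}}
EXPLOIT_PORTS = {135, 80}  # RPC (MS03-026) and IIS 5.0 (MS03-007), per the alert
TFTP_PORT = 69             # assumption: standard TFTP port, not stated in the alert
FIELDS = "date time action protocol src-ip dst-ip src-port dst-port".split()

# Constructed sample; addresses are documentation ranges, 192.0.2.10 is "us".
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-08-19 10:01:02 DROP TCP 198.51.100.7 192.0.2.10 3312 135 48 S 1 0 16384 - - -
2003-08-19 10:01:03 DROP TCP 198.51.100.7 192.0.2.10 3313 445 48 S 1 0 16384 - - -
2003-08-19 10:05:10 OPEN TCP 203.0.113.9 192.0.2.10 4021 135 - - - - - - - -
2003-08-19 10:05:12 OPEN UDP 192.0.2.10 203.0.113.9 1050 69 - - - - - - - -
2003-08-19 10:06:00 DROP ICMP 198.51.100.7 192.0.2.10 - - 92 - - - - 8 0 -
2003-08-19 10:07:00 OPEN TCP 192.0.2.10 203.0.113.50 1060 80 - - - - - - - -
"""

def parse(log_text):
    """Yield rows as dicts; skip comments, short lines and port-less (ICMP) rows."""
    for line in log_text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) < len(FIELDS):
            continue
        row = dict(zip(FIELDS, parts))
        if row["dst-port"].isdigit():
            row["dst-port"] = int(row["dst-port"])
            yield row

def triage(log_text, local_ip):
    """Return (blocked, reached, fetched) for one host's chronological log."""
    blocked = defaultdict(set)  # remote -> {(proto, port)} dropped inbound
    reached = {}                # remote -> first time it reached an exploit port
    fetched = []                # (remote, time) of outbound TFTP back to that remote
    for r in parse(log_text):
        ts = f'{r["date"]} {r["time"]}'
        proto, port, action = r["protocol"], r["dst-port"], r["action"]
        if r["dst-ip"] == local_ip and port in ALERT_PORTS.get(proto, ()):
            if action == "DROP":
                blocked[r["src-ip"]].add((proto, port))
            elif action == "OPEN" and proto == "TCP" and port in EXPLOIT_PORTS:
                reached.setdefault(r["src-ip"], ts)
        elif (r["src-ip"] == local_ip and action == "OPEN" and proto == "UDP"
              and port == TFTP_PORT and r["dst-ip"] in reached):
            fetched.append((r["dst-ip"], ts))
    return dict(blocked), reached, fetched
```

A non-empty `fetched` list is the entry to act on first: it means a remote host reached an exposed RPC or IIS port and this machine then opened TFTP back to it, which matches the download step the alert describes.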

D.Currie
December 5th 03, 12:49 PM
I just found it an interesting "coincidence" that someone recently posted
that this virus-fixer worm would be a good thing, and suddenly it appeared.
But of course, it's easier to write code things that will mess things up
than it would be to write code that is flawless on every machine in every
instance.

Considering that people worry about automated updates that they can control,
I can't imagine anyone wanting worms crawling around their systems
purporting to "fix" things.


"Mike Brannigan [MSFT]" wrote in message ...
> Yes - somebody did mention it. But frankly if you cannot know what the true
> content of a worm is then I would certainly not recommend allowing one in to
> your system to "fix" another problem.
> We would strongly recommend using the published fixes from reputable
> companies as detailed at
> http://www.microsoft.com/security/incident/blast.asp
>
> --
> Regards,
>
> Mike
> --
> Mike Brannigan [Microsoft]
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights
>
> Please note I cannot respond to e-mailed questions, please use these
> newsgroups
>
> "D.Currie" wrote in message ...
> > Hmmm. wasn't there a poster on these groups a day or so ago who was
> > proposing that this would be a good idea?

Gene K
December 5th 03, 12:50 PM
There is a removal tool for this one at Symantec. They call this virus
"W32.Welchia.Worm". Go here for the removal tool:
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html
Gene
"Antnee" wrote in message ...
> There's a new worm going around called Welchia, or Blaster-D
>
> It attempts to repair Blaster infections but can cause
> more probs
>
> http://www.visualante.org/news/19-aug-2003/worm.htm
