WELCHIA Worm? - U2 Feedback

Old 03-30-2004, 04:48 PM   #1
theSoulfulMofo
Rock n' Roll Doggie, Band-aid
Join Date: Aug 2001
Posts: 4,490
WELCHIA Worm?

Ok, here's the deal...

Around last week, I've been getting Norton Internet Security popups about an Intrusion Alert regarding a Welchia ICMP Scan from MY COMPUTER to another IP address.

I updated my Norton AV, ran it, and even ran it in Safe Mode. I also used the Symantec Welchia Removal Tool... But none of these programs found the suspected Welchia on my computer.

How can I find something my computer can't see?

What should I do now?

Advice, anyone?

thanks,
sfmf
Old 03-30-2004, 10:56 PM   #2
melon
ONE, love, blood, life
Join Date: Oct 2000
Location: Toronto, Ontario
Posts: 11,781
http://www.sarc.com/avcenter/venc/da...chia.worm.html

Read the fine print. Computers infected with the worm actively scan IP addresses looking for computers that have not patched the DCOM RPC exploit, which only occurs in Windows 2000/XP machines. That's where the "Welchia ICMP Scan" comes from. If you have the patch already installed, W32/Welchia moves on. If you don't, it exploits the RPC exploit to download itself to your computer, thus infecting it.

The irony of this worm is that it appears to be one of those "vigilante" worms, done by someone who, rather than trying to cause damage, actually wrote it to try and help people. It exploits the RPC problem--the same one that W32/Blaster is most famous for--but, once infected, removes W32/Blaster, downloads the DCOM RPC exploit patch from Windows Update, and restarts your computer. After January 1, 2004, the worm is programmed to remove itself, but only on computers that restart regularly; if W32/Welchia has infected a computer or server that is continuously on, it would still be there, and, hence, is still making ICMP scans like the one above.

Funny, isn't it? You aren't infected.

Melon
Old 03-31-2004, 12:00 AM   #3
theSoulfulMofo
Rock n' Roll Doggie, Band-aid
Join Date: Aug 2001
Posts: 4,490

Thanks, melon.

So you're saying... this worm goes around infecting other active machines with vulnerabilities, only to instruct the victim to download Microsoft Windows Update Patch to resolve that vulnerability from potential exploitation?



That's a bit to me... Now I just have to watch that Alert PopUP every time I boot my computer. Why couldn't Windows Update just make it a critical patch for my periodic Automated Update Systems, so there would be no need for a "vigilante virus."

Anyways... thanks, melon and mr.cyberpunk.vigilante

What a William Gibson world we live in.

-zfmf
Old 03-31-2004, 12:08 AM   #4
melon
ONE, love, blood, life
Join Date: Oct 2000
Location: Toronto, Ontario
Posts: 11,781
If you are on automatic update, the patch was downloaded months before W32/Blaster or W32/Welchia even existed, but that isn't going to stop these viruses from scanning for your address. If it detects the RPC patch already installed, it cannot infect your system, and it moves on. Your "intrusion alert" merely records that the worm tried to infect your computer...but it failed nonetheless.

The "vigilante virus" downloads the same exact patch that Microsoft created. That's why it is so very odd, but a lot of people have their automatic updates disabled, or, in the case of Windows 2000, it doesn't exist. So most people rarely, if ever, go to Windows Update, either out of laziness or ignorance, and, thus, get infected.

Melon
Old 03-31-2004, 12:16 AM   #5
theSoulfulMofo
Rock n' Roll Doggie, Band-aid
Join Date: Aug 2001
Posts: 4,490


ok... the Intrusion Alert says that the Attack was FROM MY COMPUTER to another IP... ie, outbound from my computer.

Does that mean the worm ALREADY INFECTED my computer... or is MY COMPUTER going on a VIGILANTE SPREE???
Old 03-31-2004, 12:27 AM   #6
melon
ONE, love, blood, life
Join Date: Oct 2000
Location: Toronto, Ontario
Posts: 11,781
1) Go to Windows Update. Install all of the critical updates, at minimum.
2) Update your antivirus to the absolute newest version. Scan everything. W32/Welchia isn't new; it's old.
3) It could be a false positive. Make sure you've updated Norton Security to its newest version.

Melon
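The thread's open question is whether an alert naming your own machine as the source means you are infected or are merely seeing a blocked probe. The following added example (not code from the thread, from Norton, or from Symantec) triages alert lines by direction: the log format, the local address 192.168.1.5 and every sample line are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumed alert line format (not Norton's real one): "<timestamp> <signature> <src> -> <dst>"
ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<sig>[\w ]+?) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+)$"
)

# Constructed sample logs; 192.168.1.5 is the assumed local address.
INBOUND_LOG = [
    "2004-03-30 16:48:01 Welchia ICMP Scan 10.0.0.7 -> 192.168.1.5",
    "2004-03-30 16:55:30 Welchia ICMP Scan 10.0.0.9 -> 192.168.1.5",
]
BURST_LOG = [f"2004-03-30 16:48:{i:02d} Welchia ICMP Scan 192.168.1.5 -> 10.0.0.{i + 1}"
             for i in range(12)]


def parse_alerts(lines):
    """Parse alert lines into dicts; lines that do not match the format are skipped."""
    alerts = []
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           "sig": m["sig"], "src": m["src"], "dst": m["dst"]})
    return alerts


def classify(alerts, local_ip, window=timedelta(seconds=60), threshold=10):
    """Return 'outbound_scan', 'outbound_single', 'inbound_probe' or 'none'.

    Many distinct destinations from the local host inside one window is what a
    scanning host looks like and warrants an offline (Safe Mode) scan; alerts
    with the local host as destination are blocked probes from elsewhere.
    """
    outbound = sorted((a for a in alerts if a["src"] == local_ip), key=lambda a: a["ts"])
    inbound = [a for a in alerts if a["dst"] == local_ip]
    start = 0
    for end in range(len(outbound)):
        # Slide the window start forward until it lies within `window` of `end`.
        while outbound[end]["ts"] - outbound[start]["ts"] > window:
            start += 1
        if len({a["dst"] for a in outbound[start:end + 1]}) >= threshold:
            return "outbound_scan"
    if outbound:
        return "outbound_single"
    if inbound:
        return "inbound_probe"
    return "none"
```

A single outbound alert is classified separately from a burst, because one alert tells you little on its own; repeated alerts to many different addresses are the pattern worth acting on.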
Old 03-31-2004, 12:36 AM   #7
theSoulfulMofo
Rock n' Roll Doggie, Band-aid
Join Date: Aug 2001
Posts: 4,490
ok, thanks again.
Old 03-31-2004, 12:50 AM   #8
Bonochick
Halloweenhead, Forum Moderator
Join Date: Nov 2000
Location: Cherry Lane
Posts: 40,816

Melon is super smart.

He makes me feel inadequate.

Old 03-31-2004, 06:16 AM   #9
OzAurora
Refugee
Join Date: Nov 2000
Location: The Sunshine Coast, Queensland, Australia
Posts: 1,612
I hate any kind of worm virus. How is this for bullshit!!!

I got a new laptop in Feb that runs off XP, and the first time I got online my computer got infected with a worm virus which made my computer shut down within about 5 minutes of going online. Now, I was silly enough to go online for the first time without setting up my McAfee protection, and within (and I am not bullshitting here) 2 mins my computer was infected. For years my previous computer, which ran on 95, never had any kind of protection and it never got infected, so I was going to install the McAfee soon, but I didn't think that it was that essential for the first time... how naive was I. Now I wouldn't dream of going online without everything updated, firewalled and protected...
Old 03-31-2004, 11:15 AM   #10
melon
ONE, love, blood, life
Join Date: Oct 2000
Location: Toronto, Ontario
Posts: 11,781
There are enough computers infected with W32/Blaster that any unpatched RPC exploit will have you infected in no time at all.

Your laptop seller should have had everything patched ahead of time, but I guess that they didn't.

Melon
Old 03-31-2004, 01:20 PM   #11
Liesje
Blue Crack Addict
Join Date: Mar 2002
Location: In the dog house
Posts: 19,557
I don't have time to read all the posts, but if you're scanning and not finding the worm, it's probably running. Do the virus scan/removal in Safe Mode and it will find and quarantine/delete the welchia.
Old 04-07-2004, 04:33 PM   #12
theSoulfulMofo
Rock n' Roll Doggie, Band-aid
Join Date: Aug 2001
Posts: 4,490
*bump*

I still have the same problem when I boot up.

So you guys think if I can delete the RPC value in my Windows registry that I can get rid of the "false positive"?

I read elsewhere on the net, other Norton users are experiencing the same problems as I. (These people have the latest Norton 2004, while I have 2003.)
Old 04-07-2004, 10:22 PM   #13
Liesje
Blue Crack Addict
Join Date: Mar 2002
Location: In the dog house
Posts: 19,557
Re: *bump*

Quote:
Originally posted by theSoulfulMofo
I still have the same problem when I boot up.

So you guys think if I can delete the RPC value in my Windows registry that I can get rid of the "false positive"?

I read elsewhere on the net, other Norton users are experiencing the same problems as I. (These people have the latest Norton 2004, while I have 2003.)
There IS something you can change with the RPC thingy. I don't remember off-hand, but I fix computers for my job and one of the other guys who does more of this stuff showed me how to stop it. I can ask him next week when I'm back from vacation...