WELCHIA Worm?


theSoulfulMofo

Rock n' Roll Doggie Band-aid
Joined
Aug 13, 2001
Messages
4,490
Ok, here's the deal...

Around last week, I've been getting Norton Internet Security popups about an Intrusion Alert regarding a Welchia ICMP Scan from MY COMPUTER to another IP address.

I updated my Norton AV, ran it, and even ran it in Safe Mode. I also used the Symantec Welchia Removal Tool... But none of these programs found the suspected Welchia on my computer.

How can I find something my computer can't see?

What should I do now?

Advice, anyone?

thanks,
sfmf
 
http://www.sarc.com/avcenter/venc/data/w32.welchia.worm.html

Read the fine print. Computers infected with the worm actively scan IP addresses looking for computers that have not patched the DCOM RPC exploit, which only occurs in Windows 2000/XP machines. That's where the "Welchia ICMP Scan" comes from. If you have the patch already installed, W32/Welchia moves on. If you don't, it exploits the RPC exploit to download itself to your computer, thus infecting it.

The irony of this worm is that it appears to be one of those "vigilante" worms, done by someone who, rather than trying to cause damage, actually wrote it to try and help people. It exploits the RPC problem--the same one that W32/Blaster is most famous for--but, once infected, removes W32/Blaster, downloads the DCOM RPC exploit patch from Windows Update, and restarts your computer. After January 1, 2004, the worm is programmed to remove itself, but only on computers that restart regularly; if W32/Welchia has infected a computer or server that is continuously on, it would still be there, and, hence, is still making ICMP scans like the one above.

Funny, isn't it? You aren't infected.

Melon
 
Thanks, melon.

So you're saying... this worm goes around infecting other active machines with vulnerabilities, only to instruct the victim to download Microsoft Windows Update Patch to resolve that vulnerability from potential exploitation?

:scratch:

That's a bit :huh: :scratch: to me... Now I just have to watch that Alert PopUP every time I boot my computer. Why couldn't Windows Update just make it a critical patch for my periodic Automated Update Systems, so there would be no need for a "vigilante virus."

Anyways... thanks, melon and mr.cyberpunk.vigilante

What a William Gibson world we live in.

-zfmf
 
If you are on automatic update, the patch was downloaded months before W32/Blaster or W32/Welchia even existed, but that isn't going to stop these viruses from scanning for your address. If it detects the RPC patch already installed, it cannot infect your system, and it moves on. Your "intrusion alert" merely records that the worm tried to infect your computer...but it failed nonetheless.

The "vigilante virus" downloads the same exact patch that Microsoft created. That's why it is so very odd, but a lot of people have their automatic updates disabled, or, in the case of Windows 2000, it doesn't exist. So most people rarely, if ever, go to Windows Update, either out of laziness or ignorance, and, thus, get infected.

Melon
 
:huh:

ok... the Intrusion Alert says that the Attack was FROM MY COMPUTER to another IP... ie, outbound from my computer.

Does that mean the worm ALREADY INFECTED my computer... or is MY COMPUTER going on a VIGILANTE SPREE???
 
1) Go to Windows Update. Install all of the critical updates, at minimum.
2) Update your antivirus to the absolute newest version. Scan everything. W32/Welchia isn't new; it's old.
3) It could be a false positive. Make sure you've updated Norton Security to its newest version.

Melon
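An added illustration, not part of any post in this thread: the question above is really two checks, (a) is the alerted traffic leaving my machine or arriving at it, and (b) does the packet actually match the worm's probe. The script below does both over constructed input. The alert-line format and the host address 192.168.1.10 are made up for the example (they are not Norton's real log format), and the probe signature it matches on, an ICMP echo request carrying 64 bytes of 0xAA, is taken from antivirus write-ups of the worm rather than from this page, so treat it as an assumption.

```python
import re
import struct

# Constructed: the address we assume belongs to the machine showing the alerts.
HOST_IP = "192.168.1.10"

# Constructed sample alert lines (illustrative format, not Norton's actual log).
SAMPLE_ALERTS = [
    "2003-09-10 08:15:02 Intrusion Alert: Welchia ICMP Scan src=192.168.1.10 dst=10.0.0.5",
    "2003-09-10 08:15:02 Intrusion Alert: Welchia ICMP Scan src=192.168.1.10 dst=10.0.0.6",
    "2003-09-10 08:16:40 Intrusion Alert: Welchia ICMP Scan src=203.0.113.77 dst=192.168.1.10",
]

ALERT_RE = re.compile(r"Welchia ICMP Scan src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)")

# Assumption from AV write-ups: the worm's echo requests carry 64 bytes of 0xAA.
WELCHIA_FILL = b"\xaa" * 64


def classify_alert(line, host_ip=HOST_IP):
    """Return 'outbound' if our host is the scanner, 'inbound' if it is the
    target, 'transit' if neither address is ours, None if the line is not
    a Welchia alert at all."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    src, dst = m.group("src"), m.group("dst")
    if src == host_ip:
        return "outbound"
    if dst == host_ip:
        return "inbound"
    return "transit"


def summarize(lines, host_ip=HOST_IP):
    """Count alert directions; a non-zero 'outbound' count means this host is
    the one probing, which is the infected-host pattern, not a blocked attack."""
    counts = {"outbound": 0, "inbound": 0, "transit": 0}
    for line in lines:
        direction = classify_alert(line, host_ip)
        if direction is not None:
            counts[direction] += 1
    return counts


def icmp_checksum(data):
    """RFC 1071 one's-complement checksum over the ICMP header and data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(ident, seq, payload):
    """Build an ICMP echo request (type 8, code 0) with a valid checksum.
    Used here only to construct test packets offline."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def looks_like_welchia_probe(packet):
    """True only for a well-formed ICMP echo request whose data is exactly
    the 64-byte 0xAA fill. A bad checksum or any other payload is rejected."""
    if len(packet) < 8:
        return False
    icmp_type, code, _csum, _ident, _seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type != 8 or code != 0:
        return False
    # Summing a packet that includes its own checksum must come out to zero.
    if icmp_checksum(packet) != 0:
        return False
    return packet[8:] == WELCHIA_FILL


if __name__ == "__main__":
    print(summarize(SAMPLE_ALERTS))
    probe = build_icmp_echo(0x1234, 1, WELCHIA_FILL)
    print("probe matches:", looks_like_welchia_probe(probe))
    print("plain ping matches:", looks_like_welchia_probe(build_icmp_echo(1, 1, b"\x00" * 56)))
```

On the constructed input the summary shows two outbound and one inbound alert, i.e. the pattern the original poster describes, where the direction alone argues for treating the host as infected rather than merely scanned. The packet check is what you would run over a capture from the interface (or a firewall's saved packet) to confirm the alert is not a false positive on ordinary pings.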
 
I hate any kind of worm virus, how is this for bullshit!!!

I got a new laptop in Feb that runs off XP, and the first time I got online my computer got infected with a worm virus which made my computer shut down within about 5 minutes of going online. Now I was silly enough to go online for the first time without setting up my McAfee protection, and within, and I am not bullshitting here, 2 mins my computer was infected. For years my previous com, which ran on 95, never had any kind of protection and it never got infected, so I was going to install the McAfee soon, but I didn't think that it was that essential for the first time... how naive was I. Now I wouldn't dream of going online without everything updated, firewalled and protected... :ohmy:
 
There are enough computers infected with W32/Blaster that any unpatched RPC exploit will have you infected in no time at all.

Your laptop seller should have had everything patched ahead of time, but I guess that they didn't.

Melon
 
I don't have time to read all the posts, but if you're scanning and not finding the worm, it's probably running. Do the virus scan/removal in Safe Mode and it will find and quarantine/delete the welchia.
 
*bump*

I still have the same problem when I boot up.

so you guys think if I can delete the RPC value in my Windows registry that I can get rid of the "false positive"?

I read elsewhere on the net, other Norton users are experiencing the same problems as I. (These people have the latest Norton 2004, while I have 2003.)
 
Re: *bump*

theSoulfulMofo said:
I still have the same problem when I boot up.

so you guys think if I can delete the RPC value in my Windows registry that I can get rid of the "false positive"?

I read elsewhere on the net, other Norton users are experiencing the same problems as I. (These people have the latest Norton 2004, while I have 2003.)

There IS something you can change with the RPC thingy. I don't remember off-hand, but I fix computers for my job and one of the other guys who does more of this stuff showed me how to stop it. I can ask him next week when I'm back from vacation...
 