W32.Welchia.Worm
Symantec
W32.Welchia.Worm is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, install it, and then reboot the computer.
The worm also attempts to remove W32.Blaster.Worm.
Also Known As: W32/Welchia.worm10240 [AhnLab], W32/Nachi.worm [McAfee], WORM_MSBLAST.D [Trend], Lovsan.D [F-Secure]
Type: Worm
Systems Affected: Windows 2000, Windows XP
When W32.Welchia.Worm is executed, it performs the following actions:
Copies itself as the file:
%System%\Wins\Dllhost.exe
and registers that copy as a service.
NOTE: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Makes a copy of %System%\Dllcache\Tftpd.exe (the Windows TFTP daemon), names it Svchost.exe, and places it in the %System%\Wins folder.
NOTE: This Svchost.exe is a copy of a legitimate Windows program. It is not malicious in itself, so Symantec antivirus products do not detect it. You will have to delete the %System%\Wins\Svchost.exe copy manually; do not delete the genuine Svchost.exe in %System%.
Ends the Msblast.exe process (dropped by W32.Blaster.Worm) if it is running, and deletes the Msblast.exe file.
Checks the computer's operating system version and Service Pack number.
Generates IP addresses and scans for live computers using ICMP echo (ping) packets. The addresses are generated according to the following algorithm:
The address has the form A.B.C.D, where A and B are taken from the infected computer's own address, so the sweep covers the local /16.
The worm starts C and D at 0, then increments D by 1 until it reaches 255.
When D reaches 255, it increments C by 1 and resets D to 0.
This continues until the address reaches A.B.255.255, i.e. every address in the range A.B.0.0 to A.B.255.255 (65,536 addresses) is pinged.
Sends data to TCP port 135 on hosts that responded, attempting to exploit the DCOM RPC vulnerability.
If the exploit succeeds, it creates a remote shell on the vulnerable host, and that shell opens a connection back to TCP port 707 on the attacking computer.
Through the remote shell, the vulnerable host uses TFTP to connect to the attacking computer and download Dllhost.exe and Svchost.exe; the attacking computer serves these files with its own Svchost.exe (TFTP daemon) copy. The newly infected host then repeats this process.
Attempts to connect to Microsoft's Windows Update and download the patch for the DCOM RPC vulnerability (MS03-026).
Once the update has been downloaded and executed, the worm reboots the computer so that the patch takes effect.
Checks the computer's system date. If the date is January 1, 2004, the worm disables itself.
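The sweep described above (A.B.0.0 through A.B.255.255 pinged in order, then TCP port 135 to the hosts that answered) is easy to recognise in firewall or flow logs. The following Python is an added example written for this page, not Symantec's code and not anything from the worm: it reproduces the target order from the writeup and runs a simple sweep detector over a constructed log sample. The log format, the function names and the threshold of eight consecutive targets are assumptions made for the illustration.

```python
"""Welchia-style local /16 sweep: target order and a detector over log lines.

Added example for this writeup; not code from Symantec or from the worm.
"""
import ipaddress


def welchia_targets(local_ip):
    """Yield A.B.C.D in the order the writeup gives: A and B come from the
    infected host's own address, D runs 0..255, then C advances and D resets,
    ending at A.B.255.255. That is the whole local /16, 65,536 addresses."""
    a, b, _, _ = local_ip.split(".")
    for c in range(256):
        for d in range(256):
            yield f"{a}.{b}.{c}.{d}"


def matches_worm_order(local_ip, observed):
    """True if the observed ping targets are exactly the first len(observed)
    addresses the worm would generate from local_ip."""
    gen = welchia_targets(local_ip)
    return all(next(gen) == ip for ip in observed)


# Constructed firewall log lines for the demo (assumed format, not a real capture).
# Fields: time src dst proto dport ("-" for ICMP echo requests).
SAMPLE_LOG = """\
12:00:01 10.1.0.5 10.1.0.0 ICMP -
12:00:01 10.1.0.5 10.1.0.1 ICMP -
12:00:01 10.1.0.5 10.1.0.2 ICMP -
12:00:01 10.1.0.5 10.1.0.3 ICMP -
12:00:02 192.168.1.10 192.168.1.1 ICMP -
12:00:02 10.1.0.5 10.1.0.4 ICMP -
12:00:02 10.1.0.5 10.1.0.5 ICMP -
12:00:02 10.1.0.5 10.1.0.6 ICMP -
12:00:02 10.1.0.5 10.1.0.3 TCP 135
12:00:03 10.1.0.5 10.1.0.7 ICMP -
12:00:03 10.1.0.5 10.1.0.8 ICMP -
12:00:03 192.168.1.10 172.16.4.9 TCP 80
"""


def parse_line(line):
    ts, src, dst, proto, dport = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "dport": None if dport == "-" else int(dport)}


def detect_sweeps(lines, min_run=8):
    """Per source address, measure the longest run of ICMP echo targets that
    are consecutive addresses inside the source's own /16 (the order the worm
    uses), and record TCP/135 connections to hosts that source already pinged.
    Sources whose longest run is below min_run are not reported."""
    state = {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        st = state.setdefault(ev["src"], {"prev": None, "run": 0, "best": 0,
                                          "pinged": set(), "rpc": []})
        local_net = ipaddress.ip_network(ev["src"] + "/16", strict=False)
        dst = ipaddress.ip_address(ev["dst"])
        if ev["proto"] == "ICMP":
            if dst not in local_net:
                st["run"], st["prev"] = 0, None        # off-net ping: not this pattern
            elif st["prev"] is not None and int(dst) == st["prev"] + 1:
                st["run"] += 1                         # next address in worm order
                st["prev"] = int(dst)
            else:
                st["run"], st["prev"] = 1, int(dst)    # start of a new run
            st["best"] = max(st["best"], st["run"])
            st["pinged"].add(ev["dst"])
        elif ev["proto"] == "TCP" and ev["dport"] == 135 and ev["dst"] in st["pinged"]:
            st["rpc"].append(ev["dst"])                # exploit attempt after a ping hit
    return {src: {"swept": st["best"], "rpc_probes": st["rpc"]}
            for src, st in state.items() if st["best"] >= min_run}


if __name__ == "__main__":
    for src, info in detect_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['swept']} consecutive local targets pinged, "
              f"TCP/135 after ping to {info['rpc_probes']}")
```

The detector tolerates a sweep that is first seen part-way through (a monitored segment may only carry a slice of the /16), which is why it scores the longest consecutive run rather than insisting the sequence start at A.B.0.0; matches_worm_order is the stricter check for when the full sequence from the infected host is available. A single host pinging all 65,536 addresses of its /16 is itself a conspicuous event, independent of the port 135 traffic that follows.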
NEW VIRUS ALERT...but um it's a good one?!?!?
Whenever you're having a bad day and you feel like everyone is out to piss you off and put you down, REMEMBER: it takes 32 muscles to frown but only 4 to pull the trigger of a decent sniper rifle.

