Welchia.B Worm Upgraded to Level 3 [latest virus created to remove other virus]
Symantec ^ | 2/13/2004

Posted on 02/14/2004 7:44:02 AM PST by FourPeas

As of February 13, 2003, due to an increased rate of submissions, Symantec Security Response has upgraded this threat to a Category 3 from a Category 2.

W32.Welchia.B.Worm is a variant of W32.Welchia.Worm. If the operating system of the infected machine is a Chinese, Korean, or English version, the worm will attempt to download the Microsoft Workstation Service Buffer Overrun and Microsoft Messenger Service Buffer Overrun patches from the Microsoft® Windows Update Web site, install them, and then restart the computer.

The worm also attempts to remove W32.Mydoom.A@mm and W32.Mydoom.B@mm worms.

W32.Welchia.B.Worm exploits multiple vulnerabilities, including:

- The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm specifically targets Windows XP machines using this exploit.
- The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80. The worm specifically targets machines running Microsoft IIS 5.0 using this exploit. The worm's use of this exploit will impact Windows 2000 systems and may impact Windows NT/XP systems.
- The Workstation service buffer overrun vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445.
- The Locator service vulnerability (described in Microsoft Security Bulletin MS03-001) using TCP port 445. The worm specifically targets Windows 2000 machines using this exploit.

The presence of the file, %Windir%\system32\drivers\svchost.exe, is an indication of a possible infection.

This threat is compressed with UPX.

(Excerpt) Read more at sarc.com ...


I find this absolutely fascinating. Some geek somewhere spends his spare time writing code to break its way into others' computers and remove worms/viruses. Aside from the grief it gives IT security professionals, I like it, especially given the number of MyDoom infected e-mails I continue to receive.
1 posted on 02/14/2004 7:44:03 AM PST by FourPeas

To: FourPeas
This worm apparently deals with one of the DCOM vulnerabilities. I recommend downloading DCOMbobulator from Gibson Research and using it to disable DCOM entirely. You don't need it unless your computer is networked in a work environment that uses it, and it's responsible for many vulnerabilities that MS has been fixing piecemeal.

I also recommend Gibson's ShootTheMessenger, unless for some strange reason your work environment uses MS Messenger. I also recommend SocketLock and UnPlugNPray. These are all small programs that change the default settings and do not reside in memory, and they all have provisions for resetting the settings if you change your mind. Basically, these are all unneeded toys and gadgets in Windows that can be exploited by hackers, so they are better switched off.
2 posted on 02/14/2004 8:00:42 AM PST by Cicero (Marcus Tullius)

To: FourPeas
The presence of the file, %Windir%\system32\drivers\svchost.exe, is an indication of a possible infection.

That being said:

Svchost.exe is a generic host process name for services that are run from dynamic-link libraries (DLLs). The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. There can be multiple instances of Svchost.exe running at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can be run depending on how and where Svchost.exe is started. This allows for better control and debugging.

3 posted on 02/14/2004 8:08:45 AM PST by Glenn (What were you thinking, Al?)

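As an added example, not code from the Symantec write-up or from anyone in this thread, a small Python triage helper that applies the advisory's file indicator together with the distinction post 3 draws: the legitimate Svchost.exe lives in %SystemRoot%\System32, while the worm's copy is reported under system32\drivers. The verdict names, the constructed sample paths and the C:\WINDOWS default are assumptions.

```python
import ntpath
import os
import re

# Only system32 under the Windows folder legitimately hosts svchost.exe;
# system32\drivers is where the Symantec write-up places the Welchia.B copy.
LEGIT_DIR = "system32"
WELCHIA_DIR = r"system32\drivers"

_ENV_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")

def expand_windows_env(path, env):
    """Expand %VAR% placeholders from the given mapping, case-insensitively."""
    lookup = {k.lower(): v for k, v in env.items()}
    return _ENV_RE.sub(lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)

def classify_svchost(path, windir):
    """Classify one path: legitimate, welchia_indicator, unexpected or not_svchost."""
    env = {"windir": windir, "systemroot": windir}
    full = ntpath.normpath(expand_windows_env(path, env)).lower()
    if ntpath.basename(full) != "svchost.exe":
        return "not_svchost"
    parent = ntpath.dirname(full)
    root = ntpath.normpath(windir).lower()
    if parent == ntpath.join(root, LEGIT_DIR):
        return "legitimate"
    if parent == ntpath.join(root, WELCHIA_DIR):
        return "welchia_indicator"
    return "unexpected"  # an svchost.exe anywhere else also deserves a look

def triage(paths, windir=r"C:\WINDOWS"):
    """Group every path that is not the legitimate Svchost.exe by verdict."""
    findings = {}
    for p in paths:
        verdict = classify_svchost(p, windir)
        if verdict in ("welchia_indicator", "unexpected"):
            findings.setdefault(verdict, []).append(p)
    return findings

def scan_windows_folder(windir=None):
    """On a live Windows host, walk %SystemRoot% and triage every svchost.exe found."""
    windir = windir or os.environ.get("SystemRoot", r"C:\WINDOWS")
    hits = []
    for dirpath, _, files in os.walk(windir):
        hits.extend(ntpath.join(dirpath, f) for f in files if f.lower() == "svchost.exe")
    return triage(hits, windir)

if __name__ == "__main__":
    # Constructed sample listing, not taken from a real host.
    sample = [r"%SystemRoot%\System32\svchost.exe",
              r"%Windir%\system32\drivers\svchost.exe", r"C:\WINDOWS\Temp\svchost.exe"]
    print(triage(sample))
```

The helper only reports locations; confirming an infection still means checking the file itself (the advisory notes the worm binary is UPX-compressed) and the listening ports named above.
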
To: FourPeas
I like it, especially given the number of MyDoom infected e-mails I continue to receive.

Interesting. I haven't seen a single instance of mydoom at home, although the server at work logs several a day. I wonder if some ISPs are filtering them out. I certainly got hit by Klez before installing Norton.

4 posted on 02/14/2004 8:12:41 AM PST by js1138

To: FourPeas
The worm specifically targets Windows XP machines using this exploit . . . The worm specifically targets machines running Microsoft IIS 5.0 . . . The worm's use of this exploit will impact Windows 2000 systems and may impact Windows NT/XP systems.

The only good thing about WinME (which I have -- yes, it's a long, sad story, no, I don't want to talk about it) is that no one bothers to attack it. It causes enough headaches on its own.

5 posted on 02/14/2004 8:36:45 AM PST by reformed_democrat

To: reformed_democrat
no one bothers to attack it

Even hackers have a compassionate side. :) My condolences on your operating system.

6 posted on 02/14/2004 8:49:37 AM PST by FourPeas (!)

To: js1138
I wondered the same about ISPs filtering. Our domain hosting service has been tinkering with spam filtering although I can't tell much of a difference. The service appeared to filter a few of the more destructive viruses, but the MyDoom still comes through in force. I still receive anywhere from 10-12 a day, primarily on just one of my accounts.
7 posted on 02/14/2004 8:53:12 AM PST by FourPeas (!)

To: FourPeas
Even hackers have a compassionate side.

I don't know whether to laugh or cry.

8 posted on 02/14/2004 11:43:45 AM PST by reformed_democrat
