AplusWebMaster
August 18th, 2003, 08:12 PM
;) FYI...covered by most AV vendors (in their def updates for 8/18/2003 - already Cat 2 at Symantec and F-Secure) is the W32.Welchia.Worm -
'Got an e-mail from the F-Secure folks about it today:
(Partial quote:)
"For release August 18, 2003
A new worm installs security patches
An anti-virus-virus is spreading
- F-Secure has analysed a new Windows network worm, known as Welchi or Nachi.
This worm is similar to the Lovsan or Blaster worm, which has been spreading
massively on the internet for the last week.
- Welchi uses the same RPC hole to infect machines, although Welchi only
infects machines running Windows XP operating system. However, Welchi also
tries to infect web servers running Microsoft IIS 5.0, by exploiting a WebDAV
vulnerability found in March 2003.
- Welchi is clearly much more advanced than the relatively simple Lovsan worm.
In particular, it has three features which make it interesting:
1) Welchi kills Lovsan.A.
As this new worm is using the same hole as Lovsan, it will obviously end up
infecting machines which are already infected by Lovsan. Welchi removes this
infection.
2) Welchi installs the Microsoft RPC security patch.
After infecting a machine, the worm will try to apply the Microsoft patch to
close the RPC hole. It will attempt to download the patch from the Microsoft web
site. As the patch is different for different localized versions of Windows,
the worm will check the local language and apply a suitable patch for
English, Korean, Chinese and Simplified Chinese versions of Windows.
3) Welchi dies.
This worm has a built-in expiration date. After January 1st, 2004, the worm
will uninstall and remove itself from infected systems. Users can use this
feature to easily remove the worm: change the date to 2004 and reboot the
system. After this the date can be set back.
- "So, we seem to have an anti-virus-virus here", says Mikko Hypponen, Director
of Anti-Virus Research at F-Secure Corporation. "We've seen similar things
before, but not to the extent of actually applying Microsoft's own patches to
the system. Unfortunately Welchi is not perfect and will create some
additional problems."
- The Welchi virus contains these hidden texts:
'I love my wife & baby
~~~ Welcome Chian~~~
Notice: 2004 will remove myself:)
~~ sorry zhongli~~~'
..."