DID nod32 update the defs for Welchia.worm?

Discussion in 'NOD32 version 2 Forum' started by testg, Aug 19, 2003.

Thread Status:
Not open for further replies.
  1. testg

    testg Guest

    Copies itself to:

    %System%\Wins\Dllhost.exe

    NOTE: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


    Makes a copy of %System%\Dllcache\Tftpd.exe, as %System%\Wins\svchost.exe.

    NOTE: Svchost.exe is a legitimate program, which is not malicious, and therefore Symantec antivirus products will not detect it.


    Creates the following services:

    Service Name: RpcTftpd
    Service Display Name: Network Connections Sharing
    Service Binary: %System%\wins\svchost.exe

    This service will be set to start manually.

    Service Name: RpcPatch
    Service Display Name: WINS Client
    Service Binary: %System%\wins\dllhost.exe

    This service will be set to start automatically.


    Ends the process Msblast and deletes the file %System%\msblast.exe, which is dropped by the worm W32.Blaster.Worm.


    The worm will select the victim IP address in two different ways. It will either use A.B.0.0 from the infected machine's IP of A.B.C.D and count up, or it will construct a random IP address based on some hard-coded addresses. After selecting the start address, it will count up through a range of Class C sized networks, for example, if it starts at A.B.0.0, it will count up to at least A.B.255.255.


    The worm will send an ICMP echo, or PING, to check if the IP address constructed is an active machine on the network.


    Once the worm identifies a machine as being active on the network, it will either send data to TCP port 135, which exploits the DCOM RPC vulnerability, or it will send data to TCP port 80 to exploit the WebDAV vulnerability.


    Creates a remote shell on the vulnerable host that will connect back to the attacking computer on a random TCP port between 666 and 765 to receive instructions.


    Launches the TFTP server on the attacking machine, instructs the victim machine to connect and download Dllhost.exe and Svchost.exe from the attacking machine. If the file, %System%\dllcache\tftpd.exe exists, the worm may not download svchost.exe.


    Checks the computer's operating system version, Service Pack number, and System Locale and attempts to connect to Microsoft's Windows Update and download the appropriate DCOM RPC vulnerability patch.


    Once the update has been downloaded and executed, the worm will restart the computer so that the patch is installed.


    Checks the computer's system date. If the year is 2004, the worm will disable and remove itself.
     
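The scanning and callback behaviour described in the post above, turned into defender-side detection logic. This is an added example, not part of the thread or of any vendor's writeup; the log format, the sample lines and the sweep threshold are constructed for illustration.

```python
# Added example: flag hosts whose traffic matches the Welchia pattern
# described above: a sequential ICMP echo sweep, followed by TCP 135
# (DCOM RPC) or TCP 80 (WebDAV) connects to hosts that were pinged, and
# shell callbacks to the 666-765 port range on the scanning host.
from collections import defaultdict
import ipaddress
import re

# Constructed firewall-style log lines (not real captured data).
SAMPLE_LOG = """\
2003-08-19 10:00:01 ICMP echo-request 10.1.0.1 -> 10.1.0.5
2003-08-19 10:00:01 ICMP echo-request 10.1.0.1 -> 10.1.0.6
2003-08-19 10:00:01 ICMP echo-request 10.1.0.1 -> 10.1.0.7
2003-08-19 10:00:02 ICMP echo-request 10.1.0.1 -> 10.1.0.8
2003-08-19 10:00:02 ICMP echo-reply 10.1.0.6 -> 10.1.0.1
2003-08-19 10:00:02 TCP syn 10.1.0.1:1047 -> 10.1.0.6:135
2003-08-19 10:00:03 TCP syn 10.1.0.6:1033 -> 10.1.0.1:702
2003-08-19 10:00:05 ICMP echo-request 10.2.3.4 -> 10.2.3.9
2003-08-19 10:00:06 TCP syn 10.2.3.4:2048 -> 10.2.3.9:443
"""

LINE_RE = re.compile(r"^\S+ \S+ (ICMP|TCP) (\S+) (\S+) -> (\S+)$")
SWEEP_THRESHOLD = 3  # assumed: consecutive addresses pinged before we call it a sweep

def parse(line):
    """Return (proto, kind, src_ip, dst_ip, dst_port or None), or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto, kind, src, dst = m.groups()
    if proto == "TCP":  # strip the source port, split off the destination port
        src, (dst, port) = src.rsplit(":", 1)[0], dst.rsplit(":", 1)
        return proto, kind, src, dst, int(port)
    return proto, kind, src, dst, None

def is_sequential(addrs, run=SWEEP_THRESHOLD):
    """True if the integer addresses contain a run of `run` consecutive values."""
    s = sorted(addrs)
    return any(s[i + run - 1] - s[i] == run - 1 for i in range(len(s) - run + 1))

def analyse(log_text):
    pings = defaultdict(set)            # src -> integer addresses it pinged
    exploit_attempts = defaultdict(set) # src -> pinged hosts it then hit on 135/80
    callbacks = []
    for proto, kind, src, dst, port in filter(None, map(parse, log_text.splitlines())):
        if proto == "ICMP" and kind == "echo-request":
            pings[src].add(int(ipaddress.ip_address(dst)))
        elif proto == "TCP" and kind == "syn":
            if port in (135, 80) and int(ipaddress.ip_address(dst)) in pings[src]:
                exploit_attempts[src].add(dst)
            elif 666 <= port <= 765:
                callbacks.append((src, dst, port))
    scanners = {s for s in exploit_attempts if is_sequential(pings[s])}
    # only a callback toward a confirmed scanner is reported, to cut noise
    return {"scanners": sorted(scanners),
            "callbacks": [c for c in callbacks if c[1] in scanners]}
```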
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands

    It does under the name Lovsan.D

    regards.

    paul
     
  3. testg

    testg Guest

    Thank You very much.
    Darn it, how I wish that every AV company actually standardized their naming scheme. :) I am not blaming you or anyone else; it's just annoying to see 1 worm having 10 names.

    For example hypothetical:
    KAV: worm.testiclecrucher
    McAfee: worm.ballsasounder
    Symantec: worm.letsjustmakeitup

    etc.
     
  4. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA

    I second testg's lament. In fact, testg's hypothetical naming scheme would be easier to remember, not to mention hilarious. ;)
     
  5. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands

    testg,

    Don't hold your breath - I for one don't believe it will happen, ever. As soon as an AV company gets hold of a new piece of malware, it will be databased and named as soon as possible. Company A is quickly followed by company B, C, etc. Even if they want to, there's simply no time to contact one another before releasing a new database update. And a database update needs names for the newly added malware...

    regards.

    paul
     
  6. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam

    Why do you want to know, only for checking that your AV is up-to-date?
    If you have that much trust...
    Dolf
     
  7. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii

    What I would like to see more than the standardization of the names, which I agree with Paul will probably never happen, would be for Eset to add immediately to their website information on any important virus or variant. I am aware that Eset is making an effort now to improve their web site and it is much better now. There is still room for considerable improvement though. Not only are only some viruses mentioned there, but it takes several hours to get the latest database list on the site. That should ideally go up before or at the time of the release. It is frustrating to have the latest update but then have to check repeatedly for hours before seeing the latest database list on NOD's website. (Plus, without the database, I can't post at DSLR and show that NOD got the definitions first for such and such a virus that is currently being talked about...grrrr).

    When you check the virus descriptions list, it says "Last updated on: Tue, 13 May 2003 21:11:15 GMT". Then it also says "Since this information is constantly updated with new virus descriptions, the downloaded file can become obsolete after a certain amount of time - that's why it is recommended to download its latest version regularly (about once a month)." Gee, there hasn't been an update to the base for over three months...but we should download the "latest version" every month? I think Eset has gotten ahead of itself here...a bit of wishful thinking? :)

    There has been great improvement in the website and I really appreciate that. However, I would very much like to read a description of W32.Welchia.Worm at the NOD site for instance today, not two months from now or whenever the virus descriptions are finally updated. I would like to be able to come to the NOD site and read about the latest threats (and yes, there is one new one listed today, so I am grateful for that one), and be able to post what Eset says about them over at DSLR where everyone is posting what Trend Micro, F-Secure, Dr. Web, etc. are saying about them, but seldom does Eset have anything about the latest threats. I'd love to see that change as NOD would get more exposure if I or other NOD users could post information from Eset as others do for other AVs.
     