VIRUS W32.Welchia.Worm

Discussion in 'malware problems & news' started by AplusWebMaster, Aug 18, 2003.

Thread Status:
Not open for further replies.
  1. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
    ;) FYI...covered by most AV vendors (in their def updates for 8/18/2003 - already Cat 2 at Symantec and F-Secure) is the W32.Welchia.Worm -
    'Got an e-mail from the F-Secure folks about it today:

    (Partial quote:)
    "For release August 18, 2003
    A new worm installs security patches
    An anti-virus-virus is spreading
    - F-Secure has analysed a new Windows network worm, known as Welchi or Nachi.
    This worm is similar to the Lovsan or Blaster worm, which has been spreading
    massively in the internet for the last week.
    - Welchi uses the same RPC hole to infect machines, although Welchi only
    infects machines running Windows XP operating system. However, Welchi also
    tries to infect web servers running Microsoft IIS 5.0, by exploiting a WebDAV
    vulnerability found in March 2003.
    - Welchi is clearly much more advanced than the relatively simple Lovsan worm.
    In particular, it has three features, which make it interesting:

    1) Welchi kills Lovsan.A.
    As this new worm is using the same hole as Lovsan, it will obviously end up
    infecting machines, which are already infected by Lovsan. Welchi removes this
    infection.
    2) Welchi installs the Microsoft RPC security patch.
    After infecting a machine, the worm will try to apply the Microsoft patch to
    close the RPC hole. It will attempt to download the patch from Microsoft web
    site. As the patch is different for different localized versions of Windows,
    the worm will check the local language and apply a suitable patch for
    English, Korean, Chinese and Simplified Chinese versions of Windows.
    3) Welchi dies.
    This worm has a built-in expiration date. After January 1st, 2004, the worm
    will uninstall and remove itself from infected systems. Users can use this
    feature to easily remove the worm: change the date to 2004 and reboot the
    system. After this the date can be set back.
    - "So, we seem to have an anti-virus-virus here", says Mikko Hypponen, Director
    of Anti-Virus Research at F-Secure Corporation. "We've seen similar things
    before, but not to the extent of actually applying Microsoft's own patches to
    the system. Unfortunately Welchi is not perfect and will create some
    additional problems
    ."
    - The Welchi virus contains these hidden texts:
    'I love my wife & baby
    ~~~ Welcome Chian~~~
    Notice: 2004 will remove myself:)
    ~~ sorry zhongli~~~'
    ..."
     
  2. yorkdale

    yorkdale Registered Member

    Joined:
    Jun 16, 2002
    Posts:
    38
    Location:
    United Kingdom
    So we are left with a question or two. Who wrote this, a white hat or black hat? Sounds helpful in fixing the patching problem, using worm technology to work against itself. OTOH could be a piece of behavior psychology, letting us think there are "good viruses" out there so we become less vigilant or more willing to accept the concept of "ends justify the means"?

    The overriding conclusion has to be, whatever good comes from this or any other worm, it is still invasive code and should be defended against as if its intent or design is malevolent. I personally place this one in the same category as the course in virus writing being offered by the University of Calgary.
     
  3. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
    :( FYI...from the Internet Storm Center:

    Increase in ICMP scans
    Updated August 18th 2003 14:46 EDT
    http://isc.sans.org/diary.html?date=2003-08-18
    Over the last few hours, sensors detected a remarkable increase in ICMP traffic. At this point, we assume that the traffic is linked to the 'Nachi' worm:http://vil.nai.com/vil/content/v_100559.htm. The worm is also known as 'Welchia' ( http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html )
    While the investigation is still in progress, we did identify so far the following characteristics:
    - some of the traffic is spoofed
    - the data content is all '170' (0xAA)
    - ICMP echo requests (type 8, code 0)..."

    EDIT/ADD: Moving with the speed of thought - "Due to an increase in submissions, Symantec Security Response has upgraded W32.Welchia.Worm to Category 4, as of 6:00pm Monday, August 18, 2003."
    Per:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html
     
  4. Rickster

    Rickster Guest

    Thanks AplusWebMaster-Man! That makes it clear now and I'm very grateful. Must be the year of the worm. In less than a week we went from MSBlaster A to D...someone is having a good time out there.

    Best Regards, Rickster
     
  5. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
    :( ...No doubt what has caused Web performance problems lately:

    See the site; in particular:
    "Rolling 28-day Latency, Packet Loss, and Reachability"
    http://average.matrixnetsystems.com/

    - From this post:
    https://www.wilderssecurity.com/showthread.php?t=12613;start=msg82932#msg82932
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.