Welchia/Nachi Weirdness

Discussion in 'malware problems & news' started by JimIT, Oct 23, 2003.

Thread Status:
Not open for further replies.
  1. JimIT, Registered Member (Joined: Jan 22, 2003; Posts: 1,035; Location: Denton, Texas)

    Well, just for grins, I put an unpatched, but AV-protected machine on the wire to see what would happen w/Blaster-Welchia, using a fresh install of w2k w/AntiVir PE to mess around. AntiVir also does a full system scan after install, which turned up nothing.

    About 20 minutes later, I hear a "beep!", and sure enough, there sits Welchia in quarantine, and AntiVir shows 1 nasty intercepted.

    HOWEVER, upon checking the quarantined file, I also discovered a .com file beside it which AntiVir has ID'd as Atom!

    Assuming this is a false-positive, I quickly tested with NAV, and Housecall, and darned if they both didn't flag Atom also.

    My question is: Is it possible that something piggy-backed with Welchia?
     
  2. LowWaterMark, Administrator (Joined: Aug 10, 2002; Posts: 17,875; Location: New England)

    Well, why think that it had to piggy-back on anything? From what you said it was an unpatched W2K machine with only an AV running. (You didn't say what services it was running - all defaults perhaps?) Welchia isn't the only nasty out there. I think you can expect any number of malware infections on such a machine.
     
  3. JimIT, Registered Member (Joined: Jan 22, 2003; Posts: 1,035; Location: Denton, Texas)

    I suppose. It's just unusual to see that virus bouncing around, as I've never encountered it otherwise. Seems odd that it would just waltz in like that.

    Ah well. Learn something new every day. ;)
     