Question: How do I protect my computer from the Welchia (W32.Welchia.Worm) worm? | Answer:
The
W32.Welchia.Worm worm has been infecting large numbers of
vulnerable computers connected to the Internet since it first
appeared August 18, 2003. The worm has caused some networking
slowdowns and other problems because of the greatly increased ping
(ICMP) traffic coming from infected systems. HiWAAY has received
numerous reports from customers infected by the worm.
Welchia is based upon the Blaster worm and takes advantage of known vulnerabilities in Windows RPC and WebDAV that allow a remote user to gain access to the targeted computer. If you have not updated your Windows system with the latest Microsoft patches, please go to windowsupdate.microsoft.com and install all the critical updates.
Please note that this is not an email worm. It's an Internet worm that moves from computer to computer across the Internet. Welchia attacks computers through their Internet connections. All computers connected to the Internet can be probed by the worm, but only Windows-based systems can be infected. If you are running firewall software, you will see an increased number of hits on ports 135 and 80 as well as a huge increase in ping (ICMP) traffic.
Welchia sends copies of itself to other vulnerable computers connected to the Internet. If the copy of the worm reaches an unpatched Windows 2000 or XP computer, Welchia will infect that computer.
The worm automatically pings networks looking for
online computers. When it finds a system online it sends data to
either TCP port 135 to exploit the Windows RPC vulnerability, or it
will send data to TCP port 80 to exploit the Windows WebDav
vulnerability. The newly compromised computer will connect back to
the attacking system on a randomly selected TCP port between 666 and
765 and wait for the attacker to tell it what to do. The attacking
computer then launches the TFTP server and tells the victim to
download dllhost.exe and svchost.exe and execute the
files. Once the victim is infected, the worm will check to see if
the Microsoft RPC patch is installed. If not, it will attempt to
download the patch and restart the infected system. After
restarting, the worm will check the date and if the year is not
2004, the worm will then attack other systems.
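The firewall symptoms described above (a ping sweep, hits on TCP 135 and 80, and a victim connecting back on a port between 666 and 765) can be checked for in firewall logs. The script below is an added example, not part of HiWAAY's page; the log format, addresses and the three-target threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (not real traffic): time src dst proto detail
SAMPLE_LOG = """\
10:00:01 192.0.2.10 192.0.2.1 ICMP echo-request
10:00:01 192.0.2.10 192.0.2.2 ICMP echo-request
10:00:01 192.0.2.10 192.0.2.3 ICMP echo-request
10:00:01 192.0.2.10 192.0.2.4 ICMP echo-request
10:00:02 192.0.2.10 192.0.2.3 TCP 135
10:00:02 192.0.2.10 192.0.2.4 TCP 80
10:00:03 192.0.2.4 192.0.2.10 TCP 700
10:00:05 192.0.2.20 192.0.2.1 ICMP echo-request
10:00:06 192.0.2.20 192.0.2.1 TCP 443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (ICMP|TCP) (\S+)$")
EXPLOIT_PORTS = {135, 80}          # RPC and WebDAV ports the worm targets
CALLBACK_PORTS = range(666, 766)   # victim connects back to the attacker here

def parse(log):
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()

def welchia_suspects(log, min_ping_targets=3):
    """Return {src: reason} for hosts showing the sweep-then-exploit pattern."""
    ping_targets = defaultdict(set)   # src -> hosts it pinged
    exploit_hits = defaultdict(set)   # src -> hosts it hit on 135/80
    callbacks = defaultdict(set)      # attacker -> victims that connected back
    for _time, src, dst, proto, detail in parse(log):
        if proto == "ICMP" and detail == "echo-request":
            ping_targets[src].add(dst)
        elif proto == "TCP":
            port = int(detail)
            if port in EXPLOIT_PORTS:
                exploit_hits[src].add(dst)
            # a host we attacked now connecting back on 666-765: likely compromised
            elif port in CALLBACK_PORTS and src in exploit_hits.get(dst, set()):
                callbacks[dst].add(src)
    suspects = {}
    for src, targets in ping_targets.items():
        if len(targets) >= min_ping_targets and exploit_hits[src]:
            reason = f"ICMP sweep of {len(targets)} hosts, then TCP 135/80 to {sorted(exploit_hits[src])}"
            if callbacks[src]:
                reason += f"; callback on 666-765 from {sorted(callbacks[src])} (likely compromised)"
            suspects[src] = reason
    return suspects

if __name__ == "__main__":
    for host, why in welchia_suspects(SAMPLE_LOG).items():
        print(host, "->", why)
```

With the constructed log, only 192.0.2.10 is flagged; 192.0.2.20 pings a single host and never touches 135 or 80.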
Infected Windows 2000 systems often become unstable and crash when connected to the Internet. Infected systems may show none of these symptoms even though they continue spreading the worm.
More detailed information can be found at:
Note that the different antivirus companies and virus research groups all use different names for the Welchia worm. Welchia is also known as the MSBLAST.D and Nachia worm.
Prevention:
Protection of Windows-based systems is easy (non-Windows-based computers are not affected).
- Go to Windows
Update and download and install all the critical
updates. Please note that if you do not regularly update your
system, you may have several critical updates to install. Some of
these updates have to be installed alone and some will require you
to restart your computer. To be sure you have all the updates,
it's best to return to windowsupdate.microsoft.com as often as
necessary until all the critical updates are installed and the
site says there are no more available. It is not necessary to
install anything but the critical updates to make certain your
computer is protected from Welchia.
- Make certain your anti-virus software is up to date.
- Run a personal firewall like ZoneAlarm or enable Windows XP's built-in firewall following the steps given below.
If you are running Windows 2000 or XP and are
crashing as soon as you connect to the Internet, it's possible that
the following methods might help keep you online long enough to
download the Microsoft patches. After installing the updates, you
have to follow the removal instructions below to remove the worm
from your computer.
Configuring Windows RPC Service (These settings should be default for Windows 2000.)
- Open the Control Panel.
- Double-click on "Administrative Tools".
- Double-click on "Services".
- Search the list for "Remote Procedure Call (RPC)" and
double-click it.
- Click the "Recovery" tab.
- In the pull down menus for "First failure", "Second failure"
and "Subsequent failures", select "Take No Action" for all
three.
- Click "OK" and close "Services".
Please note that this will not remove the worm from
infected systems. It is just a workaround to help you get the
patches needed to protect your computer. You have to follow the
removal instructions below to stop the worm from using your
computer.
Enabling the Windows XP Firewall
We strongly recommend that Windows XP users turn on the built-in Windows XP firewall. To turn on XP's firewall protection follow these steps:
- Open the Control Panel.
- Double-click "Network Connections".
- Right-click on the "HiWAAY" icon, the "My Connection" icon, or whatever icon you gave your connection if you chose a different name.
- Select "Properties".
- Select the "Advanced" tab.
- Select or check "Protect my computer and network by limiting
or preventing access to this computer from the Internet".
- Click "OK". (You may get a warning telling you full
protection won't be available for current connections. If you
do, click "OK" in the warning box and reboot.)
Please note that this will
not remove the worm from infected systems. It is just a
workaround to help you get the patches needed to protect your
computer. You have to follow the removal instructions below to stop
the worm from using your computer.
Disabling DCOM
The steps below are quoted directly from Microsoft Security Bulletin MS03-026. HiWAAY Support has not tested this workaround but I've included it in case the above two methods fail to allow you to connect long enough to download the patches.
- Run Dcomcnfg.exe.
If you are running Windows XP or Windows Server 2003, perform these additional steps:
- Click on the Component Services node under Console Root.
- Open the Computers sub-folder.
- For the local computer, right click on My Computer and
choose Properties.
- For a remote computer, right click on the Computers folder
and choose New then Computer. Enter the computer name. Right
click on that computer name and choose Properties.
- Choose the Default Properties tab.
- Select (or clear) the Enable Distributed COM on this
Computer check box.
- If you will be setting more properties for the machine,
click the Apply button to enable (or disable) DCOM. Otherwise,
click OK to apply the changes and exit Dcomcnfg.exe.
Please note that this will
not remove the worm from infected systems. It is just a
workaround to help you get the patches needed to protect your
computer. You have to follow the removal instructions below to stop
the worm from using your computer.
Removal: If you are infected with Welchia, you should go to http://sarc.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html and download Symantec's Welchia Removal Tool.
Please note that
unless you update your computer with the Microsoft critical
updates, your computer will get reinfected with either Welchia
or Blaster when you go back online.
You should also install
up-to-date antivirus software and use it to scan your system.
Anti-Virus Software Update Sites:
We've included links below to some of the more popular anti-virus program update sites. New definitions are released constantly. Please check with your anti-virus vendor for the latest files.
HiWAAY does not warrant that any of the tools and patches
listed above will protect or repair a system, nor can we offer
support on the complex task of manually removing the Welchia worm
and verifying system integrity.
|