| Field | Value |
| --- | --- |
| VID | 24065 |
| Severity | 40 |
| Port | 707 |
| Protocol | TCP |
| Class | BackDoor |
| Related URL | CVE-2003-0109, CVE-2003-0352 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |

| Detailed Description |

The Windows system appears to be infected with the Welchia worm. The Welchia worm propagates by exploiting the vulnerability described in Microsoft Security Bulletin MS03-026, "Buffer Overrun In RPC Interface Could Allow Code Execution", announced July 16, 2003. The worm also attempts to spread using a buffer overflow exploit for the WebDAV vulnerability (described in Microsoft Security Bulletin MS03-007) over TCP port 80.

W32.Welchia.Worm does the following:

- Attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, install it, and then reboot the computer.
- Checks for active machines to infect by sending an ICMP echo request (PING), which results in increased ICMP traffic.
- Attempts to remove W32.Blaster.Worm.
- Installs a TFTP server on all infected machines.
- Creates a remote shell on the vulnerable host that reconnects to the attacking computer on TCP port 707 to receive instructions.

* References:
  - http://www3.ca.com/solutions/collateral.asp?CT=27081&CID=49258
  - http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.D
  - http://www.sophos.com/virusinfo/analyses/w32nachia.html
  - http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html
  - http://home.ahnlab.com/smart2u/virus_detail_1206.html
  - http://xforce.iss.net/xforce/alerts/id/150
  - http://www.cert.org/advisories/CA-2003-19.html
  - http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
* Platforms Affected: Microsoft IIS, Microsoft Windows (any version)

| Recommendation |

Remove the worm from the infected computer by using an anti-virus program (vaccine program). If you do not have an anti-virus program installed, download and install one of the following free worm cleaners:

1. Trend Micro System Cleaner at http://www.trendmicro.com/download/tsc.asp
2. CA Virus Information Center Cleaning Utility at http://www3.ca.com/Files/VirusInformationAndPrevention/ClnNachi.zip
3. Symantec DCOM Cleaner at http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html
4. SOPHOS W32/Nachi-A Cleaner at http://www.sophos.com/support/disinfection/nachia.html

-- AND --

Apply the appropriate patch for your system, as listed in Microsoft's security bulletin MS03-026 at http://www.microsoft.com/technet/security/bulletin/ms03-026.asp. If an IIS Web server is running on the system and the patch for the WebDAV vulnerability described in Microsoft Security Bulletin MS03-007 has not been applied, apply the appropriate patch for your system at http://www.microsoft.com/technet/security/bulletin/ms03-007.asp.