W32.Welchia.Worm
Information reported from www.Symantec.com
CTS Internet offers this information as a service to its customers. We do
not provide removal assistance or customer support for such instances
via telephone OR e-mail without charge.
Information provided on this page is for reference only. NO warranty
is expressed or implied whatsoever. Customers should use this
information at their own risk. CTS Internet recommends that you
contact a professional whenever any doubt arises about handling a
virus on your computer.
CTS offers assistance with most viruses for a fee. If you are
interested in our paid service, please contact customer support.
Important Notes:
Due to an increase in submissions, Symantec Security Response has
upgraded W32.Welchia.Worm to Category 4, as of 6:00pm Monday, August
18, 2003.
W32.Welchia.Worm is a worm that exploits multiple vulnerabilities:
- It exploits the DCOM RPC vulnerability (described in
  Microsoft Security Bulletin MS03-026) using TCP port 135. The
  worm specifically targets Windows XP machines using this exploit.
- It exploits the WebDAV vulnerability (described in
  Microsoft Security Bulletin MS03-007) using TCP port 80. The
  worm specifically targets machines running Microsoft IIS 5.0 using
  this exploit.
The worm attempts to download the DCOM RPC patch from Microsoft's
Windows Update Web site, install it, and then reboot the computer.
The worm checks for active machines to infect by sending an ICMP echo
request, or PING, which will result in increased ICMP traffic.
The worm will also attempt to remove W32.Blaster.Worm.
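A defender-side check for the behaviour described above (a burst of ICMP echo requests followed by connections to TCP 135 or 80 on the pinged hosts), as an added example that is not from Symantec or CTS. The flow-record layout, the thresholds and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

WORM_PORTS = {135, 80}   # TCP ports named in the advisory (DCOM RPC, WebDAV/IIS)
SWEEP_THRESHOLD = 20     # assumed: distinct hosts pinged within one window
WINDOW_S = 60            # assumed window length in seconds


def max_distinct_in_window(pings, window_s):
    """pings: time-sorted [(ts, dst)]; most distinct dsts seen in any window."""
    best, left = 0, 0
    for right, (ts, _) in enumerate(pings):
        while pings[left][0] < ts - window_s:
            left += 1
        best = max(best, len({d for _, d in pings[left:right + 1]}))
    return best


def find_suspect_hosts(flows, threshold=SWEEP_THRESHOLD, window_s=WINDOW_S):
    """flows: iterable of (ts, src, dst, proto, dport). Returns {src: report}."""
    pings = defaultdict(list)      # src -> [(ts, dst)] ICMP echo requests
    first_ping = {}                # (src, dst) -> ts of first echo request
    followups = defaultdict(set)   # src -> {(dst, port)} TCP sent after a ping
    for ts, src, dst, proto, dport in sorted(flows, key=lambda f: f[0]):
        if proto == "icmp-echo":
            pings[src].append((ts, dst))
            first_ping.setdefault((src, dst), ts)
        elif proto == "tcp" and dport in WORM_PORTS and (src, dst) in first_ping:
            followups[src].add((dst, dport))
    report = {}
    for src, plist in pings.items():
        swept = max_distinct_in_window(plist, window_s)
        # Flag only hosts that both swept widely and then probed a pinged host.
        if swept >= threshold and followups[src]:
            report[src] = {"swept": swept, "followups": sorted(followups[src])}
    return report


def build_sample_flows():
    """Constructed sample data using private RFC 1918 addresses, not real traffic."""
    flows = [(i, "10.0.0.5", f"10.0.1.{i + 1}", "icmp-echo", None) for i in range(30)]
    flows += [(31, "10.0.0.5", "10.0.1.3", "tcp", 135),
              (32, "10.0.0.5", "10.0.1.7", "tcp", 80)]
    # A workstation that pings three hosts and then browses one: not flagged.
    flows += [(i, "10.0.0.9", f"10.0.1.{i + 1}", "icmp-echo", None) for i in range(3)]
    flows += [(5, "10.0.0.9", "10.0.1.1", "tcp", 80)]
    return flows


if __name__ == "__main__":
    print(find_suspect_hosts(build_sample_flows()))
```

Tune the threshold and window to the network's normal ICMP volume before relying on the result; monitoring systems that ping many hosts will need an allow-list.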
Symantec Security Response has developed a removal
tool to clean the infections of W32.Welchia.Worm.
CTS NOTE:
Please read the supporting information carefully. This patch may
not be necessary on all machines. This virus attacks similarly to the
W32.Blaster.Worm virus; however, it is partially patched by the same
fix. In addition, the W32.Welchia.Worm virus ALSO attacks machines
running IIS 5.0, typically found on Windows 2003 and Windows XP. IIS
5.0 is NOT installed by default, and most end users may not be affected
by the TCP port 80 vulnerability.
Further reading about this virus:
What You Should Know About the Blaster Worm and Its Variants
Microsoft Security Bulletin MS03-026
Microsoft Security Bulletin MS03-007
Symantec's SARC bulletin regarding the W32.Welchia.Worm Virus
Symantec's Tool for removing the W32.Welchia.Worm Virus
CTS Internet Support
763-535-8855 x10