We just got 2 different ones from Ag support here at Penn State. Those are the only ones I take seriously.
The following virus has been identified within the College of Ag
Sciences. This virus affects the following computer systems:
- Microsoft Windows 2000
- Microsoft Windows XP
W32.Welchia.Worm is a worm that exploits multiple vulnerabilities:
* It exploits the DCOM RPC vulnerability (described in Microsoft
Security Bulletin MS03-026) using TCP port 135. The worm specifically
targets Windows XP machines using this exploit.
http://www.microsoft.com/security/se...s/ms03-026.asp
* It exploits the WebDav vulnerability (described in Microsoft Security
Bulletin MS03-007) using TCP port 80. The worm specifically targets
machines running Microsoft IIS 5.0 using this exploit.
http://www.microsoft.com/security/se...s/ms03-007.asp
If you have not already applied the 'Security Update for Windows -
(823980)', YOUR COMPUTER CAN BE INFECTED BY SIMPLY ACCESSING THE
INTERNET.
NOTE: This virus (and it is STILL A VIRUS) attempts to "fix" the
W32.Blaster.Worm. It will try to download the 'Security Update for
Windows - (823980)' patch from Microsoft's Windows Update Web site,
install it, and then reboot the computer. The worm will also attempt to
remove W32.Blaster.Worm from your machine. It will then remain active on
your computer and will continuously check for other machines to "infect"
with its code which will result in increased network traffic.
Recommended Actions:
1. Verify that you have applied the 'Security Update for Windows -
(823980)'
* Open your Control Panels folder. Open the Add or Remove Programs
control panel.
* Look for "823980" in your list of installed patches. This may be
different depending on your Operating System.
Example: in Windows XP look for: Windows XP Hotfix - KB823980
* If you see this patch listed, you are protected from this worm
infecting your system. Close the control panel.
If you do not see the 823980 patch, close the control panel. You
should download and apply this patch IMMEDIATELY. Open Internet
Explorer.
From the Tools menu choose Windows Update. Install all the Critical
Updates. This should include the 823980 Security Update. After
applying the critical updates, re-start if needed. Continue to go
back to http://windowsupdate.microsoft.com/ until all critical
updates are applied.
2. Update your virus definitions (Version 8/18/2003, rev. 16, or
greater will detect this threat.)
3. Scan your hard disk.
Resources:
For information on updating your virus definitions, see the ICT Computer
Support web site at <http://ict.cas.psu.edu/Support/> and click
Anti-Virus Information.
The following web site has additional information on the
W32.Welchia.Worm :
http://www.symantec.com/avcenter/ven...chia.worm.html
Virus Name: W32.Welchia.Worm
Also known as: W32/Nachi.worm [McAfee]
Threat: High
Platform: Windows 2000, Windows XP
Method of Infection:
If a user has not applied the 'Security Update for Windows - (823980)'
patch and is using one of the above operating systems, the machine is
vulnerable. It can be infected simply by accessing the Internet to check
mail or view web pages.
What Will It Do?
Causes system instability. Creates unneeded network traffic.
What do I do if the computer is infected?
You must apply the 823980 Security Update from Microsoft first. See Step
1 above. If you are unable to get to the Windows Update site, the
College has placed the Security Update on one of their servers. A
Windows XP and Windows 2000 version of the patch are available here:
ftp://ftp.cas.psu.edu/Windows/Update...Update_823980/
You can download the needed update to your desktop. Double-click to open
it. Then follow its prompts to install the patch.
Once the patch is installed, Symantec Security Response has developed a
removal tool to clean infections of W32.Welchia.Worm. This is the
easiest way to remove this threat if you are infected.
Go to this page: http://www.symantec.com/avcenter/tools.list.html and
click the W32.Welchia.Worm link. Then PRINT this web page and follow the
instructions in the 'Obtaining and running the tool' section. If needed,
you may download the tool on a non-infected machine. Then transfer the
file via E-mail to the affected machine and follow the Symantec
instructions. Once you have the tool on the machine, you should
disconnect it from the network if possible while running the tool.
NOTE: Until you apply the security update, you REMAIN VULNERABLE!! Do
not assume that since the Symantec tool was run and the infection
cleaned that you are OK. You may become re-infected in a very short
time.
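
For network administrators, the advisory's note that an infected machine keeps checking for other machines over TCP 135 and TCP 80 suggests a simple way to locate infected hosts from connection logs. The following is an added example, not part of the original advisory or post: the log format, the 60-second window and the threshold of 20 distinct destinations are assumptions, and the sample data is constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WORM_PORTS = {135, 80}          # TCP ports named in the advisory
WINDOW = timedelta(seconds=60)  # assumption: tune to your network
THRESHOLD = 20                  # assumption: distinct destinations per window


def find_sweepers(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {(src, port): peak distinct destinations} for sources at or over threshold."""
    events = defaultdict(list)
    for line in filter(str.strip, lines):  # skip blank lines
        # Constructed log format: "ISO-time proto src dst dport"
        ts, proto, src, dst, dport = line.split()
        if proto == "TCP" and int(dport) in WORM_PORTS:
            events[(src, int(dport))].append((datetime.fromisoformat(ts), dst))

    flagged = {}
    for key, evs in events.items():
        evs.sort()
        in_window = Counter()
        start = peak = 0
        for ts, dst in evs:
            in_window[dst] += 1
            # Drop events that have aged out of the sliding window.
            while ts - evs[start][0] > window:
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[key] = peak
    return flagged


def sample_log():
    """Constructed sample: one host sweeping a subnet on 135, one browsing normally."""
    base = datetime(2003, 8, 19, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=i)).isoformat()} TCP 10.0.0.5 10.0.1.{i + 1} 135"
             for i in range(40)]
    lines += [f"{(base + timedelta(seconds=5 * i)).isoformat()} TCP 10.0.0.9 192.0.2.{i % 3 + 1} 80"
              for i in range(40)]
    return lines


if __name__ == "__main__":
    for (src, port), peak in find_sweepers(sample_log()).items():
        print(f"{src} contacted {peak} distinct hosts on TCP {port} within {WINDOW}")
```

A host flagged this way is only a candidate: confirm it with the patch check in Step 1 and a virus scan before treating it as infected.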