CUPERTINO, Calif. - August 19, 2003 - Symantec, the world leader in Internet security, today announced that it has upgraded the W32.Welchia.Worm from a Level 2 to a Level 4 threat. Symantec is receiving reports of severe disruptions on the internal networks of large enterprises caused by ICMP flooding related to the propagation of the W32.Welchia.worm. In some cases enterprise users have been unable to access critical network resources.
“Despite its original intent, the W32.Welchia.Worm is an insidious worm that is preventing IT administrators from cleaning up after the W32.Blaster.Worm,” said Vincent Weafer, senior director, Symantec Security Response. “The worm is swamping network systems with traffic and causing denial-of-service to critical servers within organizations.”
W32.Welchia.Worm targets customers infected with the W32.Blaster.Worm. Once on a system, W32.Welchia.Worm deletes msblast.exe, attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, installs the patch, and then reboots the computer. The worm checks for active machines to infect by sending an ICMP echo, or PING , which may result in significantly increased ICMP traffic. ICMP is a TCP/IP protocol used to send Internet messages.
“Although corporations may have perimeter defenses in place, in response to the W32.Blaster.Worm, internal infections are still running high,” said Weafer. “Deployment of the security patch in large, geographically dispersed environments is expected to take weeks to months to complete. Both the W32.Blaster.Worm and W32.Welchia.Worm are clear examples of why comprehensive security measures need to be deployed at various tiers of the network including policy compliance for remote access users.”
W32.Welchia.Worm propagates through TCP port 135 on Windows XP and Windows 2000 machines that have not patched the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability. Additionally, the worm propagates through TCP port 80 on Microsoft IIS 5.0 systems that have not patched the Microsoft Windows WebDav (ntdll.dll) Buffer Overflow Vulnerability.
Symantec DeepSight Threat Management System is currently reporting anomalous levels in the number of source IPs targeting both TCP Port 80 and the Microsoft Windows Web Dav Buffer Overflow Vulnerability. TCP Port 135 continues to be a prominently targeted port due to the activities of both W32.Blaster.Worm and W32.Welchia.Worm.
Administrators are strongly urged to ensure that patches have been applied to systems vulnerable to either the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability and Microsoft Windows WebDav Buffer Overflow Vulnerability.
W32.Welchia.Worm Removal Tool
Symantec Security Response has posted a removal tool for W32.Welchia.Worm. The removal tool is available from: http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html.
Symantec is the world leader in providing solutions to help individuals and enterprises assure the security, availability, and integrity of their information. Headquartered in Cupertino, Calif., Symantec has operations in more than 40 countries. More information is available at www.symantec.com.
NOTE TO EDITORS: : If you would like additional information on Symantec Corporation and its products, please view the Symantec Press Center at http://www.symantec.com/PressCenter/ on Symantec's Web site. All prices noted are in US dollars and are valid only in the United States.
Symantec, the Symantec logo, VERITAS, and the VERITAS logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the United States and certain other countries. Additional company and product names may be trademarks or registered trademarks of the individual companies and are respectfully acknowledged.