||||
Symantec.com > Security Response > Threats and Risks > W32.Welchia.Worm
PRINT THIS PAGE

W32.Welchia.Worm

Risk Level 2: Low

Download Removal Tool | Printer Friendly Page

Discovered: August 18, 2003
Updated: February 13, 2007 12:05:08 PM
Also Known As: W32/Welchia.worm10240 [AhnLab], W32/Nachi.worm [McAfee], WORM_MSBLAST.D [Trend], Lovsan.D [F-Secure], W32/Nachi-A [Sophos], Win32.Nachi.A [CA], Worm.Win32.Welchia [Kaspersky]
Type: Worm
Systems Affected: Microsoft IIS, Windows 2000, Windows XP
CVE References: CAN-2003-0109 CAN-2003-0352


As of February 26, 2004, due to a decreased rate of submissions, Symantec Security Response has downgraded this threat to a Category 2 from a Category 3.

W32.Welchia.Worm is a worm that exploits multiple vulnerabilities, including:
  • The DCOM RPC vulnerability (first described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm specifically targets Windows XP machines using this exploit. Users are recommended to patch this vulnerability by applying Microsoft Security Bulletin MS03-039.
  • The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80. The worm specifically targets machines running Microsoft IIS 5.0 using this exploit. As coded in this worm, this exploit will impact Windows 2000 systems and may impact Windows NT/XP systems.


W32.Welchia.Worm does the following:
  • Attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, install it, and then restart the computer
  • Checks for active machines to infect by sending an ICMP echo request, or PING, which will result in increased ICMP traffic
  • Attempts to remove W32.Blaster.Worm


Security Response has provided some information to aid network administrators in ongoing efforts to track down the machines that W32.Welchia.Worm has infected on their respective network. Read the document, "Detecting traffic due to RPC worms," for additional information.

Protection

  • Initial Rapid Release version August 18, 2003
  • Latest Rapid Release version August 25, 2009 revision 024
  • Initial Daily Certified version August 18, 2003
  • Latest Daily Certified version August 26, 2009 revision 004
  • Initial Weekly Certified release date August 18, 2003

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: More than 1000
  • Number of Sites: More than 10
  • Geographical Distribution: High
  • Threat Containment: Moderate
  • Removal: Moderate

Damage

  • Damage Level: Medium

Distribution

  • Distribution Level: Medium

Writeup By: Frederic Perriot
Search by name
Example: W32.Beagle.AG@mm
Windows 7
Windows Vista Security
©1995 - 2009 Symantec Corporation
Site Map|
Legal Notices|
Privacy Policy|
|
Contact Us|
Global Sites|
License Agreements|
RSS