W32.Welchia.Worm removes Blaster
W32.Welchia.Worm is a worm that exploits multiple vulnerabilities:
- Exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm specifically targets Windows XP machines using this exploit.
- Exploits the WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80. The worm specifically targets machines running Microsoft IIS 5.0 using this exploit.
The worm attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, install it, and then reboot the computer.
The worm checks for active machines to infect by sending an ICMP echo, or PING, which will result in increased ICMP traffic.
The worm will also attempt to remove W32.Blaster.Worm.
Also Known As: W32/Welchia.worm10240 [AhnLab], W32/Nachi.worm [McAfee], WORM_MSBLAST.D [Trend], Lovsan.D [F-Secure]
Type: Worm
Infection Length: 10,240 bytes
Systems Affected: Windows 2000, Windows XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX
CVE References: CAN-2003-0109, CAN-2003-0352
Source: Symantec
Last edited by augie on Wed Sep 17, 2003 8:11 pm, edited 1 time in total.
- augie
- Community Director
- Posts: 7870
- Joined: Mon Aug 26, 2002 1:55 am
- Location: Laurentians, Quebec
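The traffic pattern in the summary above (an ICMP echo sweep, then connections to TCP 135 or TCP 80 on hosts that were pinged) can be looked for in flow records. This is an added example, not part of the thread or of Symantec's write-up; the record format, addresses and thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# Ports named in the post: DCOM RPC (MS03-026) on 135, WebDAV (MS03-007) on 80.
FOLLOW_UP_PORTS = {135, 80}

def parse(line):
    """Assumed record: '<epoch> <src> <dst> <proto> <dport or ICMP type>'."""
    ts, src, dst, proto, num = line.split()
    return float(ts), src, dst, proto.lower(), int(num)

def find_sweepers(lines, min_targets=5, window=10.0):
    """Report sources that echo-request >= min_targets distinct hosts within
    `window` seconds, plus any TCP 135/80 connections to hosts they pinged."""
    pings, tcp = defaultdict(list), defaultdict(list)
    for ts, src, dst, proto, num in sorted(map(parse, lines)):
        if proto == "icmp" and num == 8:            # type 8 = echo request
            pings[src].append((ts, dst))
        elif proto == "tcp" and num in FOLLOW_UP_PORTS:
            tcp[src].append((ts, dst, num))
    report = {}
    for src, events in pings.items():
        best, start = 0, 0
        for end in range(len(events)):              # sliding time window
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({d for _, d in events[start:end + 1]}))
        if best < min_targets:
            continue
        first_ping = {}
        for ts, dst in events:
            first_ping.setdefault(dst, ts)
        hits = [(dst, port) for ts, dst, port in tcp[src]
                if dst in first_ping and ts >= first_ping[dst]]
        report[src] = {"pinged": best, "followed_up": hits}
    return report

# Constructed sample: 10.0.0.5 sweeps six hosts and then connects to two of
# them; 10.0.0.9 pings two hosts (ordinary monitoring) and is not reported.
SAMPLE = [f"{100 + i * 0.5} 10.0.0.5 10.0.1.{i + 1} icmp 8" for i in range(6)] + [
    "104.0 10.0.0.5 10.0.1.3 tcp 135",
    "104.2 10.0.0.5 10.0.1.4 tcp 80",
    "105.0 10.0.0.9 10.0.1.1 icmp 8",
    "105.5 10.0.0.9 10.0.1.2 icmp 8",
    "106.0 10.0.0.9 10.0.1.1 tcp 80",
    "107.0 10.0.0.5 10.0.2.9 tcp 135",   # never pinged, so not listed
]

if __name__ == "__main__":
    for src, info in find_sweepers(SAMPLE).items():
        print(src, info)
```

Sources that appear in the report with a non-empty `followed_up` list are the ones to isolate and check for the missing MS03-026 and MS03-007 patches first.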
Tell me about it. We got hit by it at work, and about 70% of our 326 machines that run XP were infected. So you can see what it would have done to the bandwidth. We had switches freezing everywhere and Telstra disconnected us due to the amount of traffic we were producing. Took us a week to clear the problem up.
"Life is merely a fraction of a second. An infinitely small amount of time to fulfill our desires, our dreams, our passions." Paul Gauguin (1848 - 1904)
- Dalsim
- PROfessional Member
- Posts: 1119
- Joined: Sun Jun 15, 2003 7:07 am
- Location: Queensland, Australia