CAN20030820b
Welchia Worm Spreading Across Internet
Worm Appears To Have Good Intentions But Causes Problems To Infected Machines, Targets Two Known Microsoft Flaws
Dates & Revisions
- Original CAN date: August 20, 2003
- Latest revision: August 20, 2003
Systems Affected
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0 Terminal Services Edition
- Microsoft Windows 2000
- Microsoft Windows XP
Problem Overview
Another worm has been discovered in the wild that takes advantage of the Microsoft Windows DCOM RPC vulnerability discussed in CAN20030802a. It is important to note that this worm does not need to travel via e-mail. All that is necessary for your computer to become infected is to have your unpatched computer connected to the Internet without appropriate firewall protection while an infected computer attempts to probe your system for the DCOM RPC flaw.
In addition to spreading via the Microsoft DCOM RPC flaw, this worm also takes advantage of another flaw in Microsoft's Internet Information Services (IIS) v5.0 component, which ships with Windows 2000 and Windows XP and is available for Windows NT. The IIS flaw (known as the WebDAV flaw) was previously reported by Microsoft in March 2003, and patches for this flaw have been available since that time. IIS is generally only installed on Windows systems which are used for file server purposes, but in the case of Windows 2000 Server systems, it is installed by default.
The Welchia worm (like the Blaster worm discussed in CAN20030812a) infects computers which have not yet been patched with the Microsoft DCOM RPC patch. The apparently good intentions of this worm (which tries to patch the flaw and remove the Blaster virus) cause many of the same problems as the original Blaster worm: system instability and consumption of available Internet bandwidth (causing denial-of-service conditions). This worm also compromises system security by installing a TFTP server on all infected machines, potentially allowing a hacker to have access to files on your computer.
Computers which have previously been patched with the DCOM RPC patch (and the IIS patch, if appropriate) from Microsoft will not be affected by this worm. If you have not already patched your system, you are strongly urged to IMMEDIATELY install the patch(es) and block certain ports on your firewall as described in the links below.
Problem Details
For detailed technical descriptions of the problem, please review the following links:
Please note that the organizations controlling the content of the web sites referenced by these links may periodically update the information on their sites as new details about the severity of the threat become known.
What Should I Do?
You should immediately:
- review the bulletins listed above, and
- verify that your system is affected by the threat, and
- apply the Microsoft patches which correct these vulnerabilities to ALL affected systems within your home or office, and
- update your anti-virus software with the latest available signature files, and
- block the specific ports on your Internet connection by using a firewall or other security mechanism to reduce your chances of encountering repeated probes of your system by infected machines on the Internet.
What If I Am Unable To Fix The Problem?
If you are unable to correct these problems yourself or are unsure how to proceed, contact Logical Operators by clicking here and arrange to have one of our service technicians check your system and apply the corrections for you (standard service fees will apply). In addition to correcting the problem(s) listed in this CAN, our technicians can also test your system for thousands of other known threats which may be present on your system, make valuable recommendations on securing your system from future threats, and perform numerous other computing services.