W32.Welchia worm alert

The Blaster and Sobig.F worms continue to be a problem at K-State as well.

This worm attacks unpatched Microsoft Windows™ computers. No user interaction is required to be affected. It is spread by the network, not by e-mail.

This worm works very quickly. Vulnerable computers have been infected within 30 seconds of being connected to the network. If your computer is vulnerable to this worm you will not have time to download any updates or fixes before your computer is infected.

A free CD containing operating system fixes, a W32.Welchia removal tool, and the K-State provided antivirus software is available.

Most antivirus software, including the Symantec software provided by K-State, is not effective at preventing infection by this worm. (but install it anyway)

About this worm

Name(s):   W32.Welchia, W32/Nachi.worm, WORM_MSBLAST.D, Lovsan.D

Impacts:   All computer systems running the Microsoft Windows™ NT 4.0, 2000, XP (Home and Pro), and 2003 operating systems that have not been updated with the fix to this vulnerability. Microsoft Windows™ 95, 98, and ME should not be affected.

How it works:   Infects vulnerable Windows computers by exploiting a security problem in a service that runs in the background.

This worm exploits the previously announced "RPC DCOM" overflow vulnerability in Microsoft Windows™ NT 4.0, 2000, XP (Home and Pro), and 2003 operating systems.

This worm can also exploit another less publicized "WebDav" vulnerability in Microsoft Windows™ NT 4.0, 2000, and XP (Home and Pro) operating systems.

Both the "RPC DCOM" and "WebDav" vulnerabilities must be fixed to be safe from this worm.

Other information:   This worm installs a file server on infected computers. This file server may be used by a remote attacker to access and download information stored on your computer without your knowledge.

What you can do

1. Make sure your Windows computer is patched against this vulnerability. Apply all critical fixes from Microsoft's Windows Update.

   Note that Windows Update requires the Internet Explorer browser, and will not work with other web browsers.

2. If you don't have anti-virus software on your computer, go to K-State's anti-virus software webpage. Download and install the current anti-virus program. Even though the anti-virus program won't prevent infection, it will alert you that an infection has occured.

If your computer is infected

1. Download and install the fix for the "RPC DCOM" vulnerability:

   Windows 2000

   Windows XP (Home and Pro)

   Windows NT 4.0

   If the official Microsoft site is unreachable, you may download the fixes from a local mirror (K-State network only):

   Windows 2000

   Windows XP

   Windows NT 4.0

2. Download and install the fix for the "WebDav" vulnerability:

   Windows 2000

   Windows XP (Home and Pro)

   Windows NT 4.0

   If the official Microsoft site is unreachable, you may download the fixes from a local mirror (K-State network only):

   Windows 2000

   Windows XP

   Windows NT 4.0

3. Download and run the W32.Welchia removal tool from Symantec (local copy). Instructions for use of this tool are available at the Symantec web site.
   
4. Free CDs: Free CDs containing operating system fixes, W32.Blaster and W32.Welchia removal tools, and the K-State provided antivirus software are available from the iTAC HelpDesk in Hale 313, the Student Union computer store, Residence Hall front desks, and the CNS Operations dispatch window (Hale 14). An ISO image of this CD is available here. If you have questions about this CD contact the iTAC HelpDesk at 532-7722.

What K-State is doing

Distributed systems/networks:   Network administrators and departmental resource people across campus are updating and disinfecting servers and PCs on their networks.

More about W32.Welchia

• from Symantec AntiVirus Research Center
• from Trend Micro
• Microsoft Security Bulletin MS03-007
• Microsoft Security Bulletin MS03-026