
W32.Welchia.Worm


Brief Description:
--------------------

This is an alert regarding W32.Welchia.Worm, a worm that has spread worldwide and is classified by Symantec as a level 4 out of 5 threat. This worm affects machines running Windows 2000 or XP. The worm spreads by exploiting two Windows vulnerabilities (DCOM RPC and WebDav - details below) and then scanning subnets for other vulnerable machines.

Symantec definitions dated 8/18/2003 will detect W32.Welchia.Worm. Large numbers of W32.Welchia.Worm infections have been appearing on campus.


Characteristics:
------------------

NOTE: Irrespective of anti-virus detection, unless the system has been patched against MS03-026, it is susceptible to the buffer overflow attack from an infected host machine. An infected machine will send packets across the local subnet to the RPC service running on port 135. When these packets are received by any unpatched system, they will cause a buffer overflow and crash the RPC service on that system. All this can occur without the worm actually being on the machine.

The worm spreads by exploiting the two Windows vulnerabilities listed below.

-- The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm specifically targets Windows XP machines using this exploit.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
-- The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80. The worm specifically targets machines running Microsoft IIS 5.0 using this exploit.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-007.asp

When the worm spreads to a vulnerable machine, it will take the following actions (summarized and in full detail):

Summary of Welchia's Actions:
1. Attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, install it, and then reboot the computer.
2. Checks for active machines to infect by sending an ICMP echo request, or PING, which will result in increased ICMP traffic.
3. Attempts to remove W32.Blaster.Worm.

Full Details of Welchia's Actions:
1. Copies itself to: %System%\Wins\Dllhost.exe

2. Makes a copy of %System%\Dllcache\Tftpd.exe as %System%\Wins\svchost.exe.
NOTE: Tftpd is a legitimate program, which is not malicious, and therefore Symantec antivirus products will not detect it.

3. Adds the subkeys: RpcPatch and RpcTftpd to the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

4. Creates the following services:
Service Name: RpcTftpd
Service Display Name: Network Connections Sharing
Service Binary: %System%\wins\svchost.exe

This service will be set to start manually.

Service Name: RpcPatch
Service Display Name: WINS Client
Service Binary: %System%\wins\dllhost.exe

This service will be set to start automatically.

5. Ends the process, Msblast, and deletes the %System%\msblast.exe file, which W32.Blaster.Worm drops.

6. Selects the victim IP address in two different ways: The worm uses either A.B.0.0 from the infected machine's IP of A.B.C.D and counts up, or it will construct a random IP address based on some hard-coded addresses.

After selecting the start address, the worm counts up through a range of Class C-sized networks; for example, if the worm starts at A.B.0.0, it will count up to at least A.B.255.255.

7. Sends an ICMP echo request, or PING, to check whether the constructed IP address is an active machine on the network.

8. Once the worm identifies a machine as being active on the network, it will either send data to TCP port 135, which exploits the DCOM RPC vulnerability, or it will send data to TCP port 80 to exploit the WebDav vulnerability.

9. Creates a remote shell on the vulnerable host that will reconnect to the attacking computer on a random TCP port between 666 and 765 to receive instructions (most commonly port 707).

10. Launches the TFTP server on the attacking machine and instructs the victim machine to connect and download Dllhost.exe and Svchost.exe from the attacking machine. If the file, %System%\dllcache\tftpd.exe exists, the worm may not download svchost.exe.

11. Checks the computer's operating system version, Service Pack number, and System Locale. It also attempts to connect to Microsoft's Windows Update and download the appropriate DCOM RPC vulnerability patch.

12. Once the update has been downloaded and executed, the worm will restart the computer so that the patch is installed.

13. Checks the computer's system date. If the year is 2004, the worm will disable and remove itself.
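The service and file artifacts in steps 1 through 4 are the quickest way to confirm an infection on a host that anti-virus has not yet flagged. The following is an added example, not part of the original advisory or any vendor tool: it parses a constructed `sc qc`-style service listing (the field layout is assumed for this example) and reports services whose name, display name or binary path match the indicators above, plus the more general sign that a file called svchost.exe or dllhost.exe is running from somewhere other than the real %System% directory.

```python
"""Flag W32.Welchia.Worm host indicators in a Windows service listing.

Indicators come from the advisory text above; the listing format and
the sample data are constructed for this example.
"""
import re
from pathlib import PureWindowsPath

# Service name -> display name, as created by the worm (steps 3 and 4)
WORM_SERVICES = {
    "RpcTftpd": "Network Connections Sharing",
    "RpcPatch": "WINS Client",
}
# Drop locations relative to %System% (steps 1 and 2)
WORM_FILES = {r"wins\dllhost.exe", r"wins\svchost.exe"}
# Where svchost.exe / dllhost.exe legitimately live (Windows XP and 2000 defaults)
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}

_FIELD = re.compile(r"^\s*(SERVICE_NAME|BINARY_PATH_NAME|DISPLAY_NAME)\s*:\s*(.*?)\s*$", re.I)


def parse_sc_output(text):
    """Turn 'SERVICE_NAME: x' blocks into {name: {FIELD: value}}."""
    services, current = {}, None
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).upper(), m.group(2)
        if key == "SERVICE_NAME":
            current = services.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return services


def _exe_path(binary_path):
    """Strip quotes and arguments: 'C:\\x\\svchost.exe -k netsvcs' -> 'C:\\x\\svchost.exe'."""
    m = re.match(r'\s*"?([^"]*?\.exe)', binary_path, re.I)
    return m.group(1) if m else None


def findings(services):
    """Return {service_name: [reasons]} for every service that looks like the worm."""
    out = {}
    for name, fields in services.items():
        reasons = []
        if name in WORM_SERVICES:
            reasons.append("service name matches a worm service")
        if fields.get("DISPLAY_NAME") in WORM_SERVICES.values():
            reasons.append("display name matches a worm service")
        exe = _exe_path(fields.get("BINARY_PATH_NAME", ""))
        if exe:
            path = PureWindowsPath(exe)
            low = str(path).lower()
            if any(low.endswith("\\" + drop) for drop in WORM_FILES):
                reasons.append("binary is a known worm drop path")
            elif (path.name.lower() in {"svchost.exe", "dllhost.exe"}
                  and str(path.parent).lower() not in SYSTEM_DIRS):
                reasons.append("system binary name running outside %System%")
        if reasons:
            out[name] = reasons
    return out


# Constructed sample: two worm services alongside a legitimate one
SAMPLE_SC_OUTPUT = r"""
SERVICE_NAME: RpcPatch
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\WINNT\system32\wins\dllhost.exe
        DISPLAY_NAME       : WINS Client

SERVICE_NAME: RpcTftpd
        START_TYPE         : 3   DEMAND_START
        BINARY_PATH_NAME   : C:\WINNT\system32\wins\svchost.exe
        DISPLAY_NAME       : Network Connections Sharing

SERVICE_NAME: Dhcp
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\WINNT\system32\svchost.exe -k netsvcs
        DISPLAY_NAME       : DHCP Client
"""

if __name__ == "__main__":
    for svc, why in findings(parse_sc_output(SAMPLE_SC_OUTPUT)).items():
        print(svc, "->", "; ".join(why))
```

The last check is deliberately broader than the two literal drop paths: a copy of Tftpd.exe renamed svchost.exe is not malicious on its own (the advisory notes anti-virus will not flag it), so the location is the indicator, not the file.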
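Steps 6 through 9 describe a network signature a defender can look for without any host access: an ascending ICMP echo sweep through a /16, a TCP probe to port 135 or 80 right after a ping, and then the victim connecting back to the scanner on a port between 666 and 765. The code below is an added example written for this page, not a tool from the advisory or any vendor; it runs these three checks over constructed flow records (timestamp, source, destination, protocol, destination port), which is the shape most flow or firewall logs can be reduced to.

```python
"""Detect Welchia-style scanning and call-backs in flow records.

Heuristics taken from the behaviour described above:
  * ICMP echo requests to many consecutive addresses (steps 6-7)
  * a TCP probe to port 135 or 80 shortly after a ping (step 8)
  * the probed host connecting back on TCP 666-765 (step 9)
Flow records and timestamps here are constructed for the example.
"""
from collections import defaultdict
from ipaddress import IPv4Address
from typing import NamedTuple


class Flow(NamedTuple):
    ts: float    # seconds since start of capture
    src: str
    dst: str
    proto: str   # "icmp" or "tcp"
    dport: int   # 0 for icmp

EXPLOIT_PORTS = {135, 80}          # DCOM RPC and WebDav
CALLBACK_PORTS = range(666, 766)   # remote shell reconnect range


def longest_ascending_run(addrs):
    """Length of the longest run of consecutive IPv4 addresses n, n+1, n+2, ..."""
    ints = sorted({int(IPv4Address(a)) for a in addrs})
    if not ints:
        return 0
    best = run = 1
    for prev, cur in zip(ints, ints[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def icmp_sweepers(flows, min_run=16):
    """{source: run length} for sources pinging at least min_run consecutive addresses."""
    targets = defaultdict(list)
    for f in flows:
        if f.proto == "icmp":
            targets[f.src].append(f.dst)
    result = {}
    for src, addrs in targets.items():
        run = longest_ascending_run(addrs)
        if run >= min_run:
            result[src] = run
    return result


def exploit_followups(flows, window=5.0):
    """(src, dst, port) where a probe to 135/80 followed a ping to the same host within window seconds."""
    last_ping, hits = {}, []
    for f in sorted(flows, key=lambda f: f.ts):
        if f.proto == "icmp":
            last_ping[(f.src, f.dst)] = f.ts
        elif f.proto == "tcp" and f.dport in EXPLOIT_PORTS:
            t = last_ping.get((f.src, f.dst))
            if t is not None and 0 <= f.ts - t <= window:
                hits.append((f.src, f.dst, f.dport))
    return hits


def callbacks(flows):
    """(victim, scanner, port) for reverse connections on 666-765 from a host that was just probed."""
    attacked = {(s, d) for s, d, _ in exploit_followups(flows)}
    return [(f.src, f.dst, f.dport) for f in flows
            if f.proto == "tcp" and f.dport in CALLBACK_PORTS and (f.dst, f.src) in attacked]


def sample_flows():
    """Constructed capture: one scanner sweeping 10.1.0.0/16 plus benign background traffic."""
    scanner = "10.1.2.3"
    flows = [Flow(float(i), scanner, f"10.1.0.{i}", "icmp", 0) for i in range(1, 41)]
    flows.append(Flow(7.5, scanner, "10.1.0.7", "tcp", 135))   # 10.1.0.7 answered; RPC probe follows
    flows.append(Flow(8.0, "10.1.0.7", scanner, "tcp", 707))   # victim shell reconnects
    flows.append(Flow(3.0, "10.1.5.9", "10.1.5.1", "icmp", 0)) # workstation pinging its gateway
    flows.append(Flow(30.0, "10.1.5.9", "10.1.5.20", "tcp", 80))  # ordinary web request, no prior ping
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    print("sweepers:", icmp_sweepers(flows))
    print("exploit follow-ups:", exploit_followups(flows))
    print("call-backs:", callbacks(flows))
```

The ping-then-probe pairing is what separates the worm from a normal host: a workstation that pings its gateway and later opens a web connection elsewhere is not flagged, while the scanner is caught by all three checks.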


Recovery:
-----------

Symantec has developed a removal tool for W32.Welchia.Worm, but we do not recommend using it because W32.Welchia.Worm compromises the machine at the system level by exploiting two Windows vulnerabilities.

Due to the system compromises, we recommend formatting the machine and restoring documents from backup. Please be advised this is the only way you can be certain that no other backdoors or trojans were added to the machine after it was compromised.


Protection:
------------

Symantec definitions dated 8/18/2003 will detect W32.Welchia.Worm. Instructions on how to update NAV definition files are located at:

http://www.upenn.edu/computing/help/doc/virus/nav/winnavupdate.html

Please also make sure the patches found on the following two sites are applied.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-007.asp


Further information:
-----------------------

Further information on W32.Welchia.Worm can be found at:

http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.html
http://www.f-secure.com/v-descs/welchi.shtml
http://vil.nai.com/vil/content/v_100559.htm
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.D
http://www.sophos.com/virusinfo/analyses/w32nachia.html

Information Systems and Computing
University of Pennsylvania
