Symantec has warned of Welchia.B, a new variant of the worm which appeared last year and purported to fix Blaster infections but made use of the same vulnerabilities. This one shows similar sneaky Samaritan behaviour.
Welchia.B, says the Symantec advisory, exploits, among others, the infamous DCOM RPC vulnerability and uses TCP port 135, the same port as Blaster and the original Welchia.
Specifically targeting XP machines in this regard, it also aims for the WebDav hole on Microsoft IIS 5.0 machines (affecting Windows 2000 systems and possibly NT/XP systems, using TCP port 80) and the workstation buffer overrun vulnerability.
Its agenda
Welchia.B attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, and if the operating system version of the infected machine is Chinese, Korean, or English, it attempts to install it and then restart the computer. It further attempts to remove the W32.Mydoom.A@mm and W32.Mydoom.B@mm worms, the advisory states.
"The presence of the file %windir%\system32\drivers\svchost.exe is an indication of possible infection."
This threat is also known as W32/Nachi.worm.b by Network Associates. Its distribution is low, as are the damage already caused and the reported incidents. Removal and threat containment are also termed "easy".
Vulnerable Windows 2000 machines will experience system instability due to the RPC service crash.
The worm self-terminates on 1 June 2004, or after running for 180 days, whichever comes first.
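As an added example, not taken from the Symantec advisory or this article, the following Python check flags any svchost.exe that does not live in its genuine %windir%\system32 directory. That covers the indicator the advisory names (%windir%\system32\drivers\svchost.exe) and, more generally, any misplaced copy of the binary; the sample paths and the default Windows directory are constructed assumptions.

```python
r"""Flag svchost.exe binaries that do not live where Windows installs them.

The genuine service host binary lives in %windir%\system32.  The Welchia.B
indicator quoted from the advisory sits one level deeper, in the drivers
subdirectory, so a location check on svchost.exe catches it.
"""
import ntpath

# Constructed sample: image paths as a process listing or a file-system
# sweep might report them, in mixed case and with mixed separators.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\svchost.exe",                # genuine location
    r"C:\WINDOWS\System32\drivers\svchost.exe",        # advisory's indicator
    r"c:\windows/system32/drivers/SVCHOST.EXE",        # same file, odd spelling
    r"C:\WINDOWS\system32\drivers\tcpip.sys",          # unrelated driver
    r"C:\Documents and Settings\user\svchost.exe",     # misplaced copy
]


def _canon(path: str) -> str:
    """Normalise a Windows path: collapse separators, lower the case."""
    return ntpath.normcase(ntpath.normpath(path))


def expected_svchost_dir(windir: str) -> str:
    r"""Directory of the genuine svchost.exe: %windir%\system32."""
    return _canon(ntpath.join(windir, "system32"))


def is_welchia_b_indicator(path: str, windir: str = r"C:\WINDOWS") -> bool:
    """True only for the exact file the advisory names, in any spelling."""
    target = ntpath.join(windir, "system32", "drivers", "svchost.exe")
    return _canon(path) == _canon(target)


def misplaced_svchost(paths, windir=r"C:\WINDOWS"):
    r"""Return every svchost.exe whose directory is not %windir%\system32.

    Broader than the advisory's single indicator: any copy of svchost.exe
    outside the genuine location is reported, in the caller's spelling.
    """
    good_dir = expected_svchost_dir(windir)
    hits = []
    for p in paths:
        head, tail = ntpath.split(_canon(p))
        if tail == "svchost.exe" and head != good_dir:
            hits.append(p)
    return hits


if __name__ == "__main__":
    for hit in misplaced_svchost(SAMPLE_PATHS):
        print("suspicious svchost.exe:", hit)
```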

