North American Network Operators Group
Welchia Virus - it is real and hard to detect.......
I hope the nanog mail list is an OK place to warn of this.......... As part of my clean-up for clients who have had Blaster, I came across a variant, sometimes called Blaster D. Its other name is Welchia. It seems to do the following:

Gets the Microsoft patch for regular Blaster.

Installs a file called dllhost.exe in the C:\Windows\System32\Wins directory. Btw, there is a smaller dllhost.exe file in one of the other system directories.
http://www.pchell.com/virus/welchia.shtml

It also copies the tftp server from one of the other Windows locations. They are both started by a startup service.

When a connection is made to the internet, dllhost and the tftp server start their dirty work. The tftp server appears to be the mechanism by which the virus propagates. The dllhost sends out a firestorm of requests (on various ports) to try to find other victims.

This afternoon I patched a system and installed a personal firewall - in the space of about 20 minutes there were 207 attacks, some using ICMP class 8, others simply using UDP against ports 135, 137 and 139. This was all on a computer that had the Microsoft patches for Blaster applied. I think it gets in prior to the Blaster patch application and then is not detected by the Blaster removal and Microsoft fix.

Rather than go into all the gory details, I suggest that interested parties go hunting for it at their usual anti-v places.

Chris Bird
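The traffic pattern the post describes (ICMP echo requests plus UDP probes to 135/137/139 at a rate of roughly 200 in 20 minutes) is easy to spot in firewall logs. The following is an added example, not code from the post or from any firewall product: it assumes a simplified "timestamp proto src dst[:port]" log format of my own construction, and the threshold passed to flag_scanners is the operator's choice, not a value from the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real captures): 10.1.1.7 behaves like an infected host,
# pinging and probing UDP 135/137/139 across the subnet; 10.1.1.9 just does DNS.
SAMPLE_LOG = """\
2003-08-18 14:02:01 ICMP type=8 src=10.1.1.7 dst=10.1.1.20
2003-08-18 14:02:01 ICMP type=8 src=10.1.1.7 dst=10.1.1.21
2003-08-18 14:02:02 UDP src=10.1.1.7 dst=10.1.1.20:135
2003-08-18 14:02:02 UDP src=10.1.1.7 dst=10.1.1.20:137
2003-08-18 14:02:03 UDP src=10.1.1.7 dst=10.1.1.21:139
2003-08-18 14:02:03 UDP src=10.1.1.9 dst=10.1.1.1:53
2003-08-18 14:02:04 ICMP type=8 src=10.1.1.7 dst=10.1.1.22
2003-08-18 14:40:00 ICMP type=8 src=10.1.1.7 dst=10.1.1.23
"""

# Hypothetical log layout assumed for this example.
LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<proto>ICMP|UDP|TCP)"
    r"(?: type=(?P<itype>\d+))? src=(?P<src>\S+) dst=(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)
WELCHIA_UDP_PORTS = {135, 137, 139}  # the ports named in the post

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "proto": m["proto"],
            "itype": int(m["itype"]) if m["itype"] else None, "src": m["src"],
            "dport": int(m["dport"]) if m["dport"] else None}

def is_welchia_probe(ev):
    """ICMP echo request (type 8) or UDP to 135/137/139: the mix reported in the post."""
    if ev["proto"] == "ICMP":
        return ev["itype"] == 8
    return ev["proto"] == "UDP" and ev["dport"] in WELCHIA_UDP_PORTS

def peak_probe_rate(log_text, window=timedelta(minutes=20)):
    """Per source address, the largest number of probes inside any sliding window."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev and is_welchia_probe(ev)]
    events.sort(key=lambda e: e["ts"])
    recent, peak = defaultdict(deque), defaultdict(int)
    for ev in events:
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # drop probes that fell out of the window
            q.popleft()
        peak[ev["src"]] = max(peak[ev["src"]], len(q))
    return dict(peak)

def flag_scanners(log_text, threshold, window=timedelta(minutes=20)):
    """Sources whose peak probe count reaches the operator-chosen threshold."""
    return sorted(src for src, n in peak_probe_rate(log_text, window).items() if n >= threshold)
```

On the sample log, 10.1.1.7 peaks at 6 probes in a window and the later ping at 14:40 is counted on its own because the earlier burst has aged out; the DNS-only host never appears.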