Symantec raises W32.Welchia worm alert

The increasing network disruption caused by the W32.Welchia.worm has prompted Symantec to upgrade its threat level from 2 to 4.

  • E-Mail
By  Zoe Moleshead Published  August 19, 2003

The increasing network disruption caused by the W32.Welchia.worm has prompted Symantec to upgrade its threat level from 2 to 4. According to the security vendor, the worm is proving particularly problematic in large enterprises where it is flooding ICMP.

This flooding is leading to network problems and, as a result, some enterprises have been unable to access critical network resources, reports Symantec.

“Despite its original intent, the W32.Welchia.Worm is an insidious worm that is preventing IT administrators from cleaning up after the W32.Blaster.Worm,” explains Kevin Isaac, regional director for Middle East & Africa at Symantec.

“The worm is swamping network systems with traffic and causing denial-of-service to critical servers within organisations,” he continues.

The W32.Blaster worm provides the W32.Welchia.worm with a way into systems. Welchia, which erases msblast.exe and downloads the DCOM RPC patch from Microsoft’s Windows Update web site, targets users already infected by Blaster and once the patch is installed, the system is rebooted.

When Welchia checks for active machines to infect it sends ICMP echoes or pings, which results in the ICMP flooding.

“Although corporations may have perimeter defences in place, in response to the W32.Blaster.Worm, internal infections are still running high,” says Isaac

Symantec advises enterprises to make sure that patches are in place on any systems vulnerable to either the Microsoft Windows DCOM RPC Interface buffer overrun vulnerability or Microsoft Windows WebDav buffer overflow vulnerability. A removal tool for the Welchia worm is also available at Symantec’s web site.

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code