Good lord, I just got another security alert. Looks like a mutated version of the Lovsan/Blaster:
WARNING: W32.Welchia.Worm Threat level: Category 4, Severe (scale of 1-5)
Worm Virus Definitions: August 18, 2003 or later (via LiveUpdate)
What is W32.Welchia.Worm and how does it affect me? W32.Welchia.Worm is a worm that exploits multiple vulnerabilities:
- Exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm specifically targets Windows XP machines using this exploit.
- Exploits the WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80. The worm specifically targets machines running Microsoft IIS 5.0 using this exploit.
The worm attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, install it, and then reboot the computer.
The worm checks for active machines to infect by sending an ICMP echo request, or PING, which will result in increased ICMP traffic.
To read more about the W32.Welchia.Worm, please click here.
What action can I take from here? Symantec Security Response posted virus definitions to protect against this threat on August 18, 2003 (via LiveUpdate). All users of Norton AntiVirus who do not have up-to-date virus protection should immediately run LiveUpdate for protection from W32.Welchia.Worm.
Virus definitions are available via the LiveUpdate feature in the Norton AntiVirus product or the Symantec Security Response Web site.
Symantec Security Response encourages all Norton AntiVirus users to regularly download virus definitions in order to protect against future threats. For more information on how to run LiveUpdate, please click here.
UPGRADE CUSTOMERS - If you have an older version of Norton AntiVirus and would like to upgrade to Norton AntiVirus 2003, please click here.
NEW CUSTOMERS - If you would like to purchase Norton AntiVirus 2003, please click here.