HEADS UP - New Welchia worm based on RPC2 - Page 2
Page 2 of 3 FirstFirst 123 LastLast
Results 11 to 20 of 25

Thread: HEADS UP - New Welchia worm based on RPC2

  1. #11
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    Originally posted here by mnchur
    this along with the new ssh vuln will make for an interesting week
    ANOTHER new ssh vuln, or is this the one from a couple of weeks ago that got a lot of traffic on the lists last week?


    oh and as far as this new varient goes, I haven't seen anything in my logs. Sometimes my company gets slammed by the new worms, other times we never hear a peep out of them. I'll still keep an eye on my logs and post here if we see anything.

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

  2. #12
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Hi Hoss:

    You mentioned that:
    port 707 TCP is open on infected hosts
    But, does the worm still attack port 135? If that is the case, I have noticed an increase which started yesterday afternoon.

    Have you discovered anything else?


    Cheers:

    /edit I am also seeing an increase in NMAP activity on my firewall, but I doubt the two are related.
    DjM

  3. #13
    Member
    Join Date
    Dec 2002
    Posts
    86
    I'm also seeing some increased traffic on port 135 here at 10:36 EST

  4. #14
    Senior Member
    Join Date
    Jul 2002
    Posts
    106
    i haven't noticed anything yet in my logs.

    thx for the head up TH
    just making some minor adjustments to your system....

  5. #15
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    heh, actually going through my logs showed something I haven't seen in a while. An increase in Nimda scans over the past few days. I can't believe that virus is still active out there after all this time.

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

  6. #16
    oldie ric-o's Avatar
    Join Date
    Nov 2002
    Posts
    487

    Question

    Originally posted here by mnchur:
    this along with the new ssh vuln will make for an interesting week
    I dont see any *new* SSH vulnerability...I hope you are talking about the ones for a couple weeks ago.

    Don't scare me like that, unless you know something we all don't...

  7. #17
    Senior Member
    Join Date
    Sep 2003
    Posts
    101
    no i am talking about a brand new ssh vuln that is unposted as of yet....i heard of it on irc........it should be up in a few days/weeks?
    chown -r us ./bases

  8. #18
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    I have seen nothing in my mailing lists about a new ssh vulnerability/exploit that's out and a lot of these folks are the ones that write the 0-day exploits that other people use.

    They are the ones that came up with the theoretical SSH vuln that was released a couple of weeks back that I was refering to.

    Please post information about this new SSH exploit please. You don't have to post POC or anything like that, just give information about what it is that it's exploiting (not even in detail).

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

  9. #19
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Here is an update: Others are starting to see the same thing that I have. This is post from NTBUGTRAQ:

    FWIW, I have had several emails from people indicating they were seeing some sort of new variant of Nachi in the last couple of days. The only binaries I have received so far are MD5 matches with the original Nachi. The environment in this case believed it was fully patched with MS03-026, although MS03-039 was not applied. Their McAfee AV detected the worm there as Nachi. In this case the bandwidth effect was very significant.

    Another report states they saw the effects of blaster as of Thursday last week. Cut and Paste wasn't working properly, etc... as if RPC was corrupted. There, the McAfee AV (latest updates) was not detecting anything. Here the bandwidth effect was very small, and infection rate was extremely slow.

    Another report stated that as of 4:42pm EST yesterday they began seeing massive infections of machines which did not have MS03-039 applied. Infected hosts had port 707 open. Their AV is not detecting anything. This report was also posted to Bugtraq.

    So far nobody has provided binaries which confirm there is a new worm. It is odd, however, that people who have not had Blaster since August should all of a sudden see it now (on the assumption that it is not
    new.)

    Please let me know if you have any binaries for what seems to be a new worm, or if you see anything that suggests one is running.

    Cheers,
    Russ - NTBugtraq Editor


    OK, as of today, I can see that propigation is relatively slow. I have grabbed an infected machine and I hope to strip out the infected binaries for analysis. I post updates as I have more info. The one thing I can tell you is that one binary that is infected is DLLHOST.EXE found in the WINS directory. This file is consistant with W32.Welchia. Anyway, more to come...
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  10. #20
    Senior Member
    Join Date
    Mar 2003
    Posts
    452
    W32.Welchia.Worm is a worm that exploits multiple vulnerabilities, including:

    The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm specifically targets Windows XP machines using this exploit.
    The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80. The worm specifically targets machines running Microsoft IIS 5.0 using this exploit. As coded in this worm, this exploit will impact Windows 2000 systems and may impact Windows NT/XP systems.

    W32.Welchia.Worm does the following:

    Attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, install it, and then reboot the computer.
    Checks for active machines to infect by sending an ICMP echo request, or PING, which will result in increased ICMP traffic.
    Attempts to remove W32.Blaster.Worm.

    Symantec Security Response has developed a removal tool to clean the infections of W32.Welchia.Worm.

    You lucky this wasn't a destructive worm, that deleted your stuff.


    --PuRe www.pureescape.net
    Like this post? Visit PuRe\'s Information Technology Community. We\'ve also got some kick ass Technology Forums. Shop for books and dvds on LiveWebShop.com

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides