
Thread: HEADS UP - New Welchia worm based on RPC2

  1. #11
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    Originally posted here by mnchur
    this along with the new ssh vuln will make for an interesting week
    ANOTHER new ssh vuln, or is this the one from a couple of weeks ago that got a lot of traffic on the lists last week?


    oh and as far as this new variant goes, I haven't seen anything in my logs. Sometimes my company gets slammed by the new worms, other times we never hear a peep out of them. I'll still keep an eye on my logs and post here if we see anything.

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

  2. #12
    DjM (I'd rather be fishing)
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Hi Hoss:

    You mentioned that:
    port 707 TCP is open on infected hosts
    But, does the worm still attack port 135? If that is the case, I have noticed an increase which started yesterday afternoon.

    Have you discovered anything else?


    Cheers:

    /edit I am also seeing an increase in NMAP activity on my firewall, but I doubt the two are related.
    DjM

  3. #13
    I'm also seeing some increased traffic on port 135 here at 10:36 EST

  4. #14
    Senior Member
    Join Date
    Jul 2002
    Posts
    106
    i haven't noticed anything yet in my logs.

    thx for the heads up, TH
    just making some minor adjustments to your system....

  5. #15
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    heh, actually going through my logs showed something I haven't seen in a while. An increase in Nimda scans over the past few days. I can't believe that virus is still active out there after all this time.

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

  6. #16

    Originally posted here by mnchur:
    this along with the new ssh vuln will make for an interesting week
    I don't see any *new* SSH vulnerability... I hope you are talking about the ones from a couple weeks ago.

    Don't scare me like that, unless you know something we all don't...

  7. #17
    Senior Member
    Join Date
    Sep 2003
    Posts
    101
    No, I am talking about a brand new ssh vuln that is unposted as of yet.... I heard of it on IRC........ it should be up in a few days/weeks?
    chown -r us ./bases

  8. #18
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    I have seen nothing in my mailing lists about a new ssh vulnerability/exploit that's out, and a lot of these folks are the ones that write the 0-day exploits that other people use.

    They are the ones that came up with the theoretical SSH vuln that was released a couple of weeks back that I was referring to.

    Please post information about this new SSH exploit. You don't have to post POC or anything like that, just give information about what it is that it's exploiting (not even in detail).

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

  9. #19
    thehorse13 (Master-Jedi-Pimps0r & Moderator)
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Here is an update: Others are starting to see the same thing that I have. This is post from NTBUGTRAQ:

    FWIW, I have had several emails from people indicating they were seeing some sort of new variant of Nachi in the last couple of days. The only binaries I have received so far are MD5 matches with the original Nachi. The environment in this case believed it was fully patched with MS03-026, although MS03-039 was not applied. Their McAfee AV detected the worm there as Nachi. In this case the bandwidth effect was very significant.

    Another report states they saw the effects of blaster as of Thursday last week. Cut and Paste wasn't working properly, etc... as if RPC was corrupted. There, the McAfee AV (latest updates) was not detecting anything. Here the bandwidth effect was very small, and infection rate was extremely slow.

    Another report stated that as of 4:42pm EST yesterday they began seeing massive infections of machines which did not have MS03-039 applied. Infected hosts had port 707 open. Their AV is not detecting anything. This report was also posted to Bugtraq.

    So far nobody has provided binaries which confirm there is a new worm. It is odd, however, that people who have not had Blaster since August should all of a sudden see it now (on the assumption that it is not new.)

    Please let me know if you have any binaries for what seems to be a new worm, or if you see anything that suggests one is running.

    Cheers,
    Russ - NTBugtraq Editor


    OK, as of today, I can see that propagation is relatively slow. I have grabbed an infected machine and I hope to strip out the infected binaries for analysis. I'll post updates as I have more info. The one thing I can tell you is that one binary that is infected is DLLHOST.EXE found in the WINS directory. This file is consistent with W32.Welchia. Anyway, more to come...
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  10. #20
    Senior Member
    Join Date
    Mar 2003
    Posts
    452
    W32.Welchia.Worm is a worm that exploits multiple vulnerabilities, including:

    The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm specifically targets Windows XP machines using this exploit.
    The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80. The worm specifically targets machines running Microsoft IIS 5.0 using this exploit. As coded in this worm, this exploit will impact Windows 2000 systems and may impact Windows NT/XP systems.

    W32.Welchia.Worm does the following:

    Attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, install it, and then reboot the computer.
    Checks for active machines to infect by sending an ICMP echo request, or PING, which will result in increased ICMP traffic.
    Attempts to remove W32.Blaster.Worm.

    Symantec Security Response has developed a removal tool to clean the infections of W32.Welchia.Worm.

    You're lucky this wasn't a destructive worm that deleted your stuff.


    --PuRe www.pureescape.net
    Like this post? Visit PuRe's Information Technology Community. We've also got some kick ass Technology Forums. Shop for books and dvds on LiveWebShop.com
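As an added defensive example (not code from the thread, from Symantec, or from NTBugtraq), here is a small Python triage script that scans constructed firewall-style log lines for the footprint the thread describes: an ICMP echo sweep followed by connection attempts to TCP 135 (MS03-026) and TCP 80 (MS03-007), plus hosts that accept connections on TCP 707 as reported for infected machines. The log format, host addresses and the sweep threshold are assumptions made for the example.

```python
import re
from collections import defaultdict
# Constructed log format: "<time> <ICMP|TCP> <src> -> <dst>[:<dport>] <action>"
LOG_RE = re.compile(r"^(\S+) (ICMP|TCP) (\S+) -> (\S+?)(?::(\d+))? (\w+)$")

EXPLOIT_PORTS = {135, 80}  # DCOM RPC (MS03-026) and WebDAV (MS03-007) ports named in the thread
BACKDOOR_PORT = 707        # reported open on infected hosts in the thread

SAMPLE_LOG = """\
10:36:01 ICMP 10.1.2.17 -> 10.1.3.1 ALLOW
10:36:01 ICMP 10.1.2.17 -> 10.1.3.2 ALLOW
10:36:01 ICMP 10.1.2.17 -> 10.1.3.3 ALLOW
10:36:02 ICMP 10.1.2.17 -> 10.1.3.4 ALLOW
10:36:02 TCP 10.1.2.17 -> 10.1.3.3:135 ALLOW
10:36:02 TCP 10.1.2.17 -> 10.1.3.4:80 DROP
10:36:03 TCP 10.1.2.44 -> 10.1.2.17:707 ESTABLISHED
10:36:04 ICMP 10.1.2.90 -> 10.1.3.1 ALLOW
""".splitlines()  # constructed sample, not real traffic

def parse_line(line):
    """Parse one log line into a dict, or return None when it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, proto, src, dst, dport, action = m.groups()
    return {"ts": ts, "proto": proto, "src": src, "dst": dst,
            "dport": int(dport) if dport else None, "action": action}

def score_hosts(lines, min_ping_targets=4):
    """Flag a source that ping-sweeps >= min_ping_targets distinct hosts and then
    hits an exploit port, and any host that accepts connections on TCP 707."""
    stats = defaultdict(lambda: {"pinged": set(), "exploit_hits": 0, "port707": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["src"]]
        if rec["proto"] == "ICMP":
            s["pinged"].add(rec["dst"])           # distinct echo-request targets
        elif rec["dport"] in EXPLOIT_PORTS:
            s["exploit_hits"] += 1                # follow-up attempts on 135/80
        elif rec["dport"] == BACKDOOR_PORT and rec["action"] == "ESTABLISHED":
            stats[rec["dst"]]["port707"] = True   # destination answered on 707
    report = {}
    for host, s in stats.items():
        sweep = len(s["pinged"]) >= min_ping_targets
        report[host] = {"pinged": len(s["pinged"]), "exploit_hits": s["exploit_hits"],
                        "port707": s["port707"], "suspect": (sweep and s["exploit_hits"] > 0) or s["port707"]}
    return report
```

Against the constructed sample, 10.1.2.17 is flagged both for the sweep-then-exploit pattern and for answering on 707, while the host that merely pinged one address is not.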
