Ok..... I've been digging..... through tech docs, RFCs and stack implementation docs for Windows and I have come up with the following info regarding RST packets and their use.

The quick and easy description is found on Microsoft's site here. While it actually is discussing unused ports and performance issues in the implementation, it puts the salient points right there.

In short it says that an RST should only be sent if:-

1. It is _clear_ that the incoming packet was not intended for the current connection
2. If the destination port is closed an RST should be sent if any packet _other_ than an RST is received, (if it reacted to an RST it would begin an endless loop).

It further states that an RST _alone_ is not acceptable when it is received in response to a SYN packet - it _must_ acknowledge, (ACK), the original SYN.

So, the only time an RST packet with _no_ other flags set is acceptable is when it is clear that the incoming packet did not belong to the connection. Otherwise, in the case of a closed port it should acknowledge the initial connection.

That implies that a "bare" RST sent during an ongoing connection is "improper".... (Could we read "evasive"?) The only thing it would be trying to do would be a quick close of the connection, (rather than go through the entire FIN, FIN/ACK..... closure of a connection that would conform to the RFC).

How could that be used to someone's advantage and therefore be considered evasive? Well, the first thing that springs to mind is a scan. Make the connection, see the response, kill the connection rather than leave it open..... (I'm guessing here), but I would guess that the half open scan came first, (send SYN, see reaction, move on with no further transmission), and that systems to detect the half open scan followed soon after its inception. So the next generation of scanners needed to avoid the half open scan. If this is the case a SYN, listen for reaction, RST should close the connection and therefore may avoid the half open connection sensor. Even if the connection was improperly closed the sensor would be looking for a SYN, SYN/ACK ..... nothing...... and it wouldn't get it, it may not understand that the RST is "illegal" but it would see further traffic thus not conclude a half open scan. I think that could be considered evasive......

That's my best guess at the moment seeing as there is so little definitive information out there regarding the "whys and wherefores" of an Evasive RST.

This would explain the WebDAV alerts coupled with the Evasive RST's that appear to be being utilized by the Welchia.B too. We all know that Welchia.A was very active and flooded networks with connection attempts. I think B is doing the same but it is using a simple RST to close the connection rather than leave the connection open when it finds a pre-patched machine, (nice of the author..... )
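
An added example, not part of the original post: a flow classifier that applies the rules described above to constructed packet records, so a sensor flags the SYN, SYN/ACK, bare RST sequence as well as the SYN, SYN/ACK, silence sequence. The addresses, ports and label names are assumptions made for illustration, and packets are assumed to arrive in capture order.

```python
from collections import defaultdict

C, S = "10.0.0.5", "10.0.0.9"   # constructed addresses, not real traffic
PACKETS = [                      # (src, sport, dst, dport, flags), in capture order
    (C, 40001, S, 80, {"SYN"}), (S, 80, C, 40001, {"SYN", "ACK"}),
    (C, 40002, S, 80, {"SYN"}), (S, 80, C, 40002, {"SYN", "ACK"}),
    (C, 40002, S, 80, {"RST"}),
    (C, 40003, S, 81, {"SYN"}), (S, 81, C, 40003, {"RST", "ACK"}),
    (C, 40004, S, 80, {"SYN"}), (S, 80, C, 40004, {"SYN", "ACK"}),
    (C, 40004, S, 80, {"ACK"}), (C, 40004, S, 80, {"FIN", "ACK"}),
    (S, 80, C, 40004, {"FIN", "ACK"}), (C, 40004, S, 80, {"ACK"}),
    (C, 40005, S, 80, {"SYN"}), (S, 80, C, 40005, {"SYN", "ACK"}),
    (C, 40005, S, 80, {"ACK"}), (C, 40005, S, 80, {"RST"}),
]

def group_flows(packets):
    """Group packets per connection, keyed on the side that sent the opening SYN."""
    flows = defaultdict(list)
    for src, sport, dst, dport, flags in packets:
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if rev in flows:                      # reply from the listening side
            flows[rev].append(("server", frozenset(flags)))
        elif fwd in flows or flags == {"SYN"}:
            flows[fwd].append(("client", frozenset(flags)))
    return flows

def classify(events):
    """Label one flow using the rules the post describes."""
    client = [f for who, f in events if who == "client"]
    server = [f for who, f in events if who == "server"]
    if not server:
        return "no_reply"
    if "RST" in server[0]:
        # Per the post, an RST answering a SYN must also ACK it.
        return "closed_port" if "ACK" in server[0] else "bare_rst_to_syn"
    if server[0] != {"SYN", "ACK"}:
        return "other"
    after = client[1:]                        # initiator traffic after its SYN
    if not after:
        return "half_open"                    # SYN, SYN/ACK, nothing
    if after[0] == {"RST"}:
        return "syn_synack_bare_rst"          # the sequence a silence-only sensor misses
    if any(f == {"RST"} for f in after):
        return "bare_rst_mid_connection"      # no FIN exchange, RST with no other flags
    return "normal"

def label_flows(packets):
    """Return {(client, cport, server, sport): label} for every SYN-opened flow."""
    return {key: classify(ev) for key, ev in group_flows(packets).items()}
```
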