The "welch" Virus

DY357LX (Playing since day 1. Still can't Comm. England) Join Date: 2002-10-27 Member: 1651 Members, Constellation
Just Removed It, Here's Some Info
We had this virus on a comp in work and I thought I'd post the log file so you lot can have a look.
If you're having problems and the files in the log appear in your task manager then you may want to go get the patch/fix.

QUOTE:
The service "RpcPatch" is viral. It is deleted.

The service "RpcTftpd" is viral. It is deleted.

The tool has deleted the viral file "C:\WINDOWS\system32\wins\DLLHOST.EXE".

The file "C:\WINDOWS\System32\wins\svchost.exe" is deleted.

W32.Welchia.Worm has been successfully removed
from your computer!

Here is the report:

The total number of the scanned files: 91053
The number of deleted files: 2
The number of repaired files: 0
The number of viral processes terminated: 0
The number of viral services deleted: 2
The number of registry entries fixed: 0


Apparently the virus is on some sort of timer so it may not have
activated itself on your machine yet.
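As an added example (my own code, not the poster's log or the Symantec tool), here is a small script that parses the report lines quoted above, checks that its summary counts agree with the per-item lines, and then compares a host's process image paths and service names against the indicators the report names. The rule that the genuine svchost.exe and dllhost.exe live directly in System32 (while the worm's copies sit in System32\wins) is my assumption for the classification, and the host process/service listing is constructed sample input:

```python
import re
from pathlib import PureWindowsPath

# Constructed copy of the removal-tool lines quoted in the post; sample input for this example.
REPORT = r"""
The service "RpcPatch" is viral. It is deleted.
The service "RpcTftpd" is viral. It is deleted.
The tool has deleted the viral file "C:\WINDOWS\system32\wins\DLLHOST.EXE".
The file "C:\WINDOWS\System32\wins\svchost.exe" is deleted.
The total number of the scanned files: 91053
The number of deleted files: 2
The number of viral services deleted: 2
"""

SERVICE_RE = re.compile(r'^The service "([^"]+)" is viral')
FILE_RE = re.compile(r'^The (?:tool has deleted the viral )?file "([^"]+)"')
COUNT_RE = re.compile(r'^The number of (deleted files|viral services deleted): (\d+)$')

# Assumption: the real svchost.exe and dllhost.exe live directly in System32; the
# worm's copies sit in the System32\wins subfolder, which is what the log shows.
SYSTEM32 = PureWindowsPath(r"C:\WINDOWS\system32")
MASQUERADED = {"svchost.exe", "dllhost.exe"}


def parse_report(text):
    """Pull service names, file paths and summary counts out of a removal-tool report."""
    services, files, counts = [], [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := SERVICE_RE.match(line):
            services.append(m.group(1))
        elif m := FILE_RE.match(line):
            files.append(PureWindowsPath(m.group(1)))
        elif m := COUNT_RE.match(line):
            counts[m.group(1)] = int(m.group(2))
    return {"services": services, "files": files, "counts": counts}


def report_is_consistent(parsed):
    """Summary counts must match the per-item lines; otherwise the log was truncated or garbled."""
    c = parsed["counts"]
    return (c.get("deleted files") == len(parsed["files"])
            and c.get("viral services deleted") == len(parsed["services"]))


def classify_image(image_path, known_viral_files):
    """Decide whether a running image is the real Windows binary, the worm, or worth a look."""
    p = PureWindowsPath(image_path)
    if p in known_viral_files:          # PureWindowsPath compares case-insensitively
        return "welchia"
    if p.name.lower() in MASQUERADED:
        return "legitimate" if p.parent == SYSTEM32 else "suspicious"
    return "ignore"


def triage(process_images, service_names, parsed):
    """Check a host's process image paths and service names against the parsed indicators."""
    viral_services = {s.lower() for s in parsed["services"]}
    findings = {"welchia_processes": [], "suspicious_processes": [],
                "legitimate_processes": [], "viral_services": []}
    for image in process_images:
        verdict = classify_image(image, parsed["files"])
        if verdict != "ignore":
            findings[verdict + "_processes"].append(image)
    findings["viral_services"] = [s for s in service_names if s.lower() in viral_services]
    return findings


# Constructed process and service listing for one host, as if read off Task Manager / services.msc.
PROCESSES = [
    r"C:\WINDOWS\system32\svchost.exe",        # genuine
    r"C:\WINDOWS\System32\WINS\svchost.exe",   # worm copy named in the report
    r"C:\WINDOWS\system32\wins\dllhost.exe",   # worm copy named in the report
    r"C:\WINDOWS\explorer.exe",
    r"C:\Temp\svchost.exe",                    # not in the report, but not where Windows keeps it either
]
SERVICES = ["RpcSs", "RpcPatch", "Dnscache"]

if __name__ == "__main__":
    parsed = parse_report(REPORT)
    print("report consistent:", report_is_consistent(parsed))
    for key, value in triage(PROCESSES, SERVICES, parsed).items():
        print(f"{key}: {value}")
```

The point of the path check is the one Zel makes further down: an svchost.exe in its normal System32 location is Windows, one in the wins subfolder is the worm, and one anywhere else deserves a look before anything gets deleted.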

Comments

  • MonsieurEvil Join Date: 2002-01-22 Member: 4 Members, Retired Developer, NS1 Playtester, Contributor
    edited September 2003
    Welchia is a cousin of the Blaster virus that was big a month ago, and uses the same vulnerability that you should have long since patched:

    Info and patch - http://www.microsoft.com/security/incident/blast.asp
    Removal tool - http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

    You is not you, DY357LX. you is the reader.
  • RyoOhki Join Date: 2003-01-26 Member: 12789 Members
    It's an evil, evil thing, welch. Our sharehouse's router was rendered useless by this damn virus constantly uploading to some unknown location. Our pings were around 2000+ :P Thankfully we patched up and we're fine now, but if you have this thing, get rid of it now.
  • ThoraX Join Date: 2003-06-19 Member: 17519 Members
    wait, so is svchost.exe viral?

    Every time I shut down an error window pops up several times saying "svchost.exe failed to initialize because the system is shutting down"... but when I run the FixWelsh thingy it can't find the worm... ::nerdy::
  • Zel Join Date: 2003-01-27 Member: 12861 Members
    It uses svchost, but don't delete that particular file, it's part of Windows.

    Patch your XP so that the virus gets deactivated, then run a virus scan over the whole drive and it'll catch it. The FixWelch file is just a one-use virus scanner =/
  • DY357LX (Playing since day 1. Still can't Comm. England) Join Date: 2002-10-27 Member: 1651 Members, Constellation
    QUOTE (MonsieurEvil @ Sep 10 2003, 03:04 PM):
    Welchia is a cousin of the Blaster virus that was big a month ago, and uses the same vulnerability that you should have long since patched:

    Info and patch - http://www.microsoft.com/security/incident/blast.asp
    Removal tool - http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

    You is not you, DY357LX. you is the reader.
    The odd thing is, I patched the machine I use in work
    as soon as the Blaster patch was released. Bit weird that.
    Ahh well never mind, no harm done I suppose.
  • clamatius Join Date: 2003-03-27 Member: 14948 Members, Constellation
    I think MonsE may be mistaken - it's another RPC vulnerability but it's not the same one as Blaster. The patch for this problem only came out today.

    Microsoft Security Bulletin - http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-039.asp

    Slashdot story - http://slashdot.org/article.pl?sid=03/09/10/200232&mode=nested&tid=109&tid=126&tid=172&tid=187
  • MonsieurEvil Join Date: 2002-01-22 Member: 4 Members, Retired Developer, NS1 Playtester, Contributor
    edited September 2003
    Hmm, not sure if you're right.

    Welchia came out August 18th (http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html)

    It attacks the same RPC vulnerability, according to Symantec and MS:

    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

    There IS a new RPC vulnerability patch released today as well though, you are correct. It augments the original RPC patch from July, as there appears to be a remaining vulnerability. Safe bet: install both :)
  • UnderDOG Join Date: 2003-04-05 Member: 15221 Members
    Oog, I had this too, ty for the info
  • clamatius Join Date: 2003-03-27 Member: 14948 Members, Constellation
    I stand corrected - I was misinformed by one of our IT guys that Welchia was using the vulnerability fixed in yesterday's patch and I hadn't double-checked myself. That's what I get for doubting MonsE :)

    Welchia spreads really fast if it gets loose on a network, so even if your Windows boxes are behind a firewall make sure you patch them up.