W32.Welchia.Worm exploits DCOM RPC vulnerability [Archive] - PCMech Forums


mike breck
08-20-2003, 03:59 AM
Oh...very clever. It removes MSBlast, downloads the MS Patch, and then exploits the vulnerability(s) itself.


"Virus Warning! W32.Welchia.Worm - Category 4 Virus

This message is intended for customers who have not already protected themselves from the recent W32.Blaster.Worm.

Symantec has upgraded the W32.Welchia.Worm from a Level 2 to a Level 4 threat [On a scale of 1-5, 5 being highest].

The W32.Welchia.Worm targets customers infected with the W32.Blaster.Worm. Once on a system, W32.Welchia.Worm deletes msblast.exe (the W32.Blaster.Worm virus), attempts to download the patch from Microsoft's Windows Update Web site, installs the patch, and then reboots the computer. After the computer restarts the virus propagates through TCP port 135 on Windows XP and Windows 2000 machines that have not patched the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability."

More info:

http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html
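
A defender's view of the propagation described in the quoted advisory, as an added example that is not part of the original thread: it flags hosts fanning out to many peers on TCP port 135 and counts inbound port 135 attempts a perimeter firewall denied. The log format, addresses, function names and the fan-out threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log in a hypothetical format (not from any real product):
# timestamp src_ip dst_ip proto dst_port action
SAMPLE_LOG = """\
2003-08-20T04:01:02 192.168.1.23 192.168.1.10 tcp 135 allow
2003-08-20T04:01:02 192.168.1.23 192.168.1.11 tcp 135 allow
2003-08-20T04:01:03 192.168.1.23 192.168.1.12 tcp 135 allow
2003-08-20T04:01:03 192.168.1.23 192.168.1.13 tcp 135 allow
2003-08-20T04:01:04 192.168.1.23 192.168.1.14 tcp 135 allow
2003-08-20T04:01:05 192.168.1.40 192.168.1.5 tcp 135 allow
2003-08-20T04:01:06 192.168.1.40 198.51.100.7 tcp 80 allow
2003-08-20T04:01:07 203.0.113.9 192.168.1.40 tcp 135 deny
2003-08-20T04:01:08 203.0.113.9 192.168.1.41 tcp 135 deny
garbled line
"""
RPC_PORT = 135        # propagation port named in the advisory
FANOUT_THRESHOLD = 5  # assumed cut-off: distinct targets before flagging

def parse_line(line):
    """Return (src, dst, proto, port, action), or None if malformed."""
    parts = line.split()
    if len(parts) != 6 or not parts[4].isdigit():
        return None
    _, src, dst, proto, port, action = parts
    return src, dst, proto.lower(), int(port), action.lower()

def rpc_records(log_text):
    """Yield parsed records that are TCP connections to port 135."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "tcp" and rec[3] == RPC_PORT:
            yield rec

def rpc_fanout(log_text, threshold=FANOUT_THRESHOLD):
    """Sources that reached `threshold` or more distinct hosts on TCP 135."""
    targets = defaultdict(set)
    for src, dst, _, _, _ in rpc_records(log_text):
        targets[src].add(dst)
    return {s: sorted(d) for s, d in targets.items() if len(d) >= threshold}

def blocked_inbound_rpc(log_text, internal_prefix="192.168."):
    """Count TCP 135 attempts from outside the LAN that the firewall denied."""
    return sum(1 for src, _, _, _, action in rpc_records(log_text)
               if action == "deny" and not src.startswith(internal_prefix))

if __name__ == "__main__":
    print("possible propagation sources:", rpc_fanout(SAMPLE_LOG))
    print("denied inbound TCP 135:", blocked_inbound_rpc(SAMPLE_LOG))
```

A single internal host contacting many peers on port 135 in quick succession is the pattern worth investigating; a workstation talking to one server on that port is ordinary Windows traffic.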

Nuclear Krusader
08-21-2003, 12:19 PM
Do routers' firewalls prevent these viruses from entering?

I'm curious, because in my store no computer has been hit and two of them have never been updated and/or patched.

And my home computer got hit, needless to say, I have no router at home.

mike breck
08-22-2003, 08:03 AM
Yes, Nuke - because the firewall will block ports 135 and 80, that gives the Hacker access to exploit the vulnerabilities and make your PC download the worms.

Nuclear Krusader
08-22-2003, 03:20 PM
10-4

TY Mike. :)