[unisog] New Welchia behavior?

Gary Flynn flynngn at jmu.edu
Fri Apr 2 15:06:53 GMT 2004

Rita Seplowitz Saltz wrote:

> Suddenly here at Princeton.EDU, we're seeing a lot more Welchia-like 
> infections, primarily among the student-owned machines.
> Our tech clinic says tool/cass4 files (seen in conjunction with 
> manifest.mf file, apparently) are being tagged as a virus and deleted on 
> scans.  They also, in the last two days, have been seeing a new file NOT 
> tagged as viral showing up on systems where no other exploits or viruses 
> were found:  navpaw.exe.
> Most worrisome of all is the appearance of a Welchia.b type bug on 
> systems that have been newly imaged, patched and firewalled.  Our clinic 
> expert says, "This seems to point to welchia.b exploiting an unpatched 
> RPC component, or exploiting some service that we don't know it exploits."
> Anyone else seeing escalated Welchia and/or have insight into these new 
> phenomena?

We saw port 135 scans pick up a few weeks ago. Activity
was tracked to Welchi.B and agobot variants. No known case
of infection has occured with a fully patched machine.
No known case of 135 scans were caused by something not
detected by up to date anti-virus definitions.

There are a lot of worms exploiting defects of on-by-default
Windows services (DCOM, RPC, Workstation, Messenger(?))
and they seem to be mutating rapidly.

Machines firewalled with the XP firewall or 2k IPSEC
have a 10 second window of vulnerability at boot time.
And, of course, if exceptions to the firewall rules
are made for file sharing, worms that exploit that
vector will still have a way in making Administrator
passwords protecting the C$ shares important.

Similarly, some worms that exploit DCOM, etc. spread
through Kazaa and MIRC as well as windows shares so
operating practices may also be a factor.

Machines that haven't been firewalled and that are
infected with MyDoom and similar worms will likely
be compromised through the backdoors those worms
leave open.

Other possible vectors may be out of data IM software
or multimedia plugins or exploits of IE defects for
which no patch exists.

If you have something that is infecting a fully imaged,
patched, and firewalled machine without operator
intervention, samples of the code should be sent to AV
vendors and Microsoft ASAP. I'd be interested in getting
a copy myself, too. :)

If you can post details to this list, it would probably
be helpful to all of us. Things like filename and size,
strings output, whether it opens a port, associated
startup mechanism (registry, start folder, etc.), observed
behavior, what AV software and version does not detect
it, etc.

Gary Flynn
Security Engineer - Technical Services
James Madison University

More information about the unisog mailing list