New Welchia behavior?

Rita Seplowitz Saltz rita at Princeton.EDU
Tue Mar 30 20:02:06 GMT 2004


Suddenly here at Princeton.EDU, we're seeing a lot more Welchia-like 
infections, primarily among the student-owned machines.

Our tech clinic says tool/cass4 files (seen in conjunction with 
manifest.mf file, apparently) are being tagged as a virus and deleted 
on scans.  They also, in the last two days, have been seeing a new file 
NOT tagged as viral showing up on systems where no other exploits or 
viruses were found:  navpaw.exe.

Most worrisome of all is the appearance of a Welchia.b type bug on 
systems that have been newly imaged, patched and firewalled.  Our 
clinic expert says, "This seems to point to welchia.b exploiting an 
unpatched RPC component, or exploiting some service that we don't know 
it exploits."

Anyone else seeing escalated Welchia and/or have insight into these new 
phenomena?

Thanks,

Rita Saltz
Senior Policy Advisor
Office of Information Technology (OIT)
Princeton University

rita at princeton.edu



More information about the unisog mailing list