A Worm that removes the Blaster Worm

Spinner Birmingham, UK
edited September 2003 in Science & Tech
W32.Welchia worm, a new worm discovered on the internet today, helps exterminate the W32.Blaster worm. The new worm looks for signs of the Blaster worm and deletes it if it can and also attempts to download the DCOM RPC vulnerability patch from Microsoft's update site.

Cool stuff, though to be honest, I'd rather download the update myself.

W32.Welchia information:
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

News Source - Nikush

Comments

  • Necropolis Hawarden, Wales Icrontian
    edited August 2003
    Ok, I have seen everything now. A worm that gets rid of another and then fixes the problem. There is something wrong with that.

    I think this is the first worm that you wouldn't mind getting on your machine. But remember kids, in computers as in real life, prevention is better than the cure :thumbsup:
  • Omega65 Philadelphia, Pa
    edited August 2003
    :shakehead:
  • Thrax 🐌 Austin, TX Icrontian
    edited August 2003
    ;D A friendly virus. I've now seen it all.
  • mmonnin Centreville, VA
    edited August 2003
    Now all it needs to do is spread itself and then delete itself after it had spread to another computer and was done fixing the host computer.
  • Thrax 🐌 Austin, TX Icrontian
    edited August 2003
    Maybe this is the wave of the future.

    Start spreading viruses from AV companies that repair major problems. Let it propagate like wildfire.
  • dbergst Rockville, MD
    edited August 2003
    What's next? Perhaps a worm that automatically upgrades your OS. :rolleyes:
  • Shorty Manchester, UK Icrontian
    edited August 2003
    dbergst said
    What's next? Perhaps a worm that automatically upgrades your OS. :rolleyes:

    Windows Automatic Updates :shakehead
  • bothered Manchester UK
    edited August 2003
    How about a decipher worm that translates error messages into English?

    bothered.
  • FormFactor At the core of forgotten
    edited August 2003
    Maybe M$ should follow suit with what the fella that wrote this worm did. Send out counter worms or something.

    Those M$ coders get paid extremely well. It should really be their jobs to think of such solutions.
  • Jimborae Newbury, Berks, UK New
    edited August 2003
    aka - W32/Nachi.worm, WORM_MSBLAST.D, Lovsan.D, W32.Welchia.Worm, Welchi (this is from Sophos)

    I think it's still a malicious worm cos it'll try & infect all other PCs on the network & get them to download the patch and thus basically try & bring down the MS update site.

    Regards

    Jim
  • EMT Seattle, WA Icrontian
    edited August 2003
    Haha, cool.

    Interesting point, Jimborae. Plus I'd bet it doesn't delete itself, which raises the question: how long will it waste your bandwidth trying to fix other people's computers?
  • Spinner Birmingham, UK
    edited August 2003
    http://www.theinquirer.net/?article=11100

    "Welchia doesn't attempt to remove itself from an infected computer until the year 2004. This may be an attempt for the worm to spread in the wild, patch vulnerable computers, until most computers successfully update against the RPC vulnerability exploited by DCOM RPC based worms."
  • CyrixInstead Stoke-on-Trent, England Icrontian
    edited September 2003
    Christ! This morning I formatted and installed Windows (it was way overdue), and I just finished installing & updating Norton Antivirus/Internet Security, only to find I've already got this bloody virus!!

    It's being erased by the Symantec Worm removal tool as I type...

    ~Cyrix
  • QCH Ancient Guru Chicago Area - USA Icrontian
    edited September 2003
    I installed a system and had it up on the network for less than 5 minutes as I was downloading the patch and BOOM... I got it that quick. Over two weeks have been wasted running around chasing the Blaster virus, SoBig, and the Welchia/Nachi worms..... Ugggg.... I love Microsoft. I will always have a job if this keeps up.
  • WuGgaRoO Not in the shower Icrontian
    edited September 2003
    It's like using a nuclear weapon...to destroy a nuclear weapon...strange
  • Spinner Birmingham, UK
    edited September 2003
    I had a first-hand meeting with the Blaster virus this week. It was the original variant, which had blasted its way onto my new flatmate's rig. I questioned her about how she contracted it, she said... "I don't know, I have no idea?!", I then noticed she had no antivirus software installed. Cause and Effect!

    Some people!:rolleyes2
  • Thrax 🐌 Austin, TX Icrontian
    edited September 2003
    I enjoy watching you people battle with viruses. ;D

    I've successfully kept two networks with 50 Win2k machines, and my 4 home machines with Win2k free of SoBig, Welchia, Nachi, and Blaster. :D
  • QCH Ancient Guru Chicago Area - USA Icrontian
    edited September 2003
    Well... at my lab, over 2000 people are wandering around and another 100 or so come in every day and just hook up to our networks. We are an open site and encourage an open network. We know that we have to do cleanups now and again, but these three all in less than a week....
  • Straight_Man Geeky, in my own way Naples, FL Icrontian
    edited September 2003
    Actually, Welchia is about as good at its job as the Code Blue "remover worm" for Code Red was. Since Microsoft DID move the windowsupdate site the address Welchia tried to use was not working as it released.

    So, it genned a lot of network noise. Both in spreading and in causing machines to repeatedly try to download what was not where they were told to look. Good riddance to Welchia.