Symantec Security Response Upgrades W32.Welchia.Worm to Level 4 Threat; Once Inside Corporate Perimeters, W32.Welchia.Worm Propagates at Rapid Pace.

Business Editors/High-Tech Writers

CUPERTINO, Calif.--(BUSINESS WIRE)--Aug. 19, 2003

Symantec, the world leader in Internet security, today announced that it has upgraded the W32.Welchia.Worm from a Level 2 to a Level 4 threat. Symantec is receiving reports of severe disruptions on the internal networks of large enterprises caused by ICMP flooding related to the propagation of the W32.Welchia.Worm. In some cases enterprise users have been unable to access critical network resources.

"Despite its original intent, the W32.Welchia.Worm is an insidious worm that is preventing IT administrators from cleaning up after the W32.Blaster.Worm," said Vincent Weafer, senior director, Symantec Security Response. "The worm is swamping network systems with traffic and causing denial-of-service to critical servers within organizations."

W32.Welchia.Worm targets customers infected with the W32.Blaster.Worm. Once on a system, W32.Welchia.Worm deletes msblast.exe, attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, installs the patch, and then reboots the computer. The worm checks for active machines to infect by sending an ICMP echo, or PING, which may result in significantly increased ICMP traffic. ICMP is a TCP/IP protocol used to send Internet messages.

"Although corporations may have perimeter defenses in place, in response to the W32.Blaster.Worm, internal infections are still running high," said Weafer. "Deployment of the security patch in large, geographically dispersed environments is expected to take weeks to months to complete. Both the W32.Blaster.Worm and W32.Welchia.Worm are clear examples of why comprehensive security measures need to be deployed at various tiers of the network including policy compliance for remote access users."

W32.Welchia.Worm propagates through TCP port 135 on Windows XP and Windows 2000 machines that have not patched the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability. Additionally, the worm propagates through TCP port 80 on Microsoft IIS 5.0 systems that have not patched the Microsoft Windows WebDav (ntdll.dll) Buffer Overflow Vulnerability.

Symantec DeepSight Threat Management System is currently reporting anomalous levels in the number of source IPs targeting both TCP Port 80 and the Microsoft Windows WebDav Buffer Overflow Vulnerability. TCP Port 135 continues to be a prominently targeted port due to the activities of both W32.Blaster.Worm and W32.Welchia.Worm.

Administrators are strongly urged to ensure that patches have been applied to systems vulnerable to either the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability or the Microsoft Windows WebDav Buffer Overflow Vulnerability.

W32.Welchia.Worm Removal Tool

Symantec Security Response has posted a removal tool for W32.Welchia.Worm. The removal tool is available from: http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html. (Due to the length of this URL, it may be necessary to copy and paste this hyperlink into your Internet browser's URL address field.)
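
The propagation pattern described above (an ICMP echo sweep to find live hosts, followed by connections to TCP port 135 or 80) can be looked for in internal flow records. The following is an added example, not part of the original release and not Symantec code; the record layout, the addresses, the 60-second window and the 20-host threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict

ECHO_REQUEST = 8        # ICMP type of an echo request (ping)
WORM_PORTS = {135, 80}  # TCP ports the release names for propagation
WINDOW_S = 60           # assumption: sliding window length in seconds
MIN_PINGED = 20         # assumption: distinct ping targets per window that count as a sweep

def find_sweepers(flows, window=WINDOW_S, min_pinged=MIN_PINGED):
    """Map each sweeping source to the (dst, port) pairs it contacted after pinging them.

    flows: iterable of (ts, src, dst, proto, tcp_port_or_icmp_type), in any order.
    """
    pings, connects = defaultdict(list), defaultdict(list)
    for ts, src, dst, proto, val in flows:
        if proto == "icmp" and val == ECHO_REQUEST:
            pings[src].append((ts, dst))
        elif proto == "tcp" and val in WORM_PORTS:
            connects[src].append((ts, dst, val))
    flagged = {}
    for src, events in pings.items():
        events.sort()
        in_window, start, swept = defaultdict(int), 0, False
        for ts, dst in events:
            in_window[dst] += 1
            while events[start][0] < ts - window:   # expire pings older than the window
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_pinged:        # many distinct targets in a short time
                swept = True
                break
        if not swept:
            continue
        # earliest ping time per destination (earlier entries overwrite later ones)
        first_ping = {d: t for t, d in reversed(events)}
        hits = sorted({(d, p) for ts, d, p in connects.get(src, [])
                       if d in first_ping and ts >= first_ping[d]})
        if hits:
            flagged[src] = hits
    return flagged

def constructed_flows():
    """Constructed sample records for the example, not captured traffic."""
    flows = [(i * 0.5, "10.0.5.23", f"10.0.9.{i}", "icmp", ECHO_REQUEST) for i in range(1, 41)]
    flows += [(25.0, "10.0.5.23", "10.0.9.7", "tcp", 135), (26.0, "10.0.5.23", "10.0.9.12", "tcp", 80)]
    flows += [(i * 30.0, "10.0.5.77", f"10.0.9.{i}", "icmp", ECHO_REQUEST) for i in range(1, 6)]
    flows.append((40.0, "10.0.5.90", "10.0.9.12", "tcp", 80))  # ordinary web client, no sweep
    return flows

if __name__ == "__main__":
    print(find_sweepers(constructed_flows()))
```

A monitoring server that pings a handful of hosts, or a client that only browses port 80, is not flagged; the threshold should be tuned against a baseline of legitimate ICMP use on the network in question.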
About Symantec

Symantec, the world leader in Internet security technology, provides a broad range of content and network security software and appliance solutions to enterprises, individuals and service providers. The company is a leading provider of client, gateway and server security solutions for virus protection, firewall and virtual private network, vulnerability management, intrusion detection, Internet content and email filtering and remote management technologies as well as security services to enterprises and service providers around the world. Symantec's Norton brand of consumer security products is a leader in worldwide retail sales and industry awards. Headquartered in Cupertino, Calif., Symantec has worldwide operations in 36 countries. For more information, please visit www.symantec.com.

NOTE TO EDITORS: If you would like additional information on Symantec Corporation and its products, please view the Symantec Press Center at http://www.symantec.com/PressCenter/ on Symantec's Web site. All prices noted are in US dollars and are valid only in the United States.

Symantec and the Symantec logo are trademarks or registered trademarks, in the United States and certain other countries, of Symantec Corporation. Additional company and product names may be trademarks or registered trademarks of the individual companies and are respectfully acknowledged.