Re: DHS Advisory: Welchia worm

[Doug Pearson <dodpears () INDIANA EDU>]

Chris,

The advisories come from the Department of Homeland Security, Information Analysis and Infrastructure Protection Center
Watch and Warning Unit, to the various ISACs (Information Sharing and Analysis Centers), who in turn share with their 
particular community. Information about DHS and IAIP can be found at http://www.nipc.gov/.

Regards,

Doug Pearson
REN-ISAC, Acting Director; Indiana University; ren-isac () iu edu



At 09:38 AM 8/19/2003 -0400, Christopher Condie wrote:
> Hi Doug,
>
> My name is Chris Condie and I am the Security Analyst for Oakland
> University.  I received your e-mail last night regarding this new worm.
>
> The advisory that you sent below, can you let me know where you received it
> from?  I am trying to learn as much about this as I can.
>
> Look forward to hearing back from you,
> Chris
>
> Christopher R. Condie
> Oakland University
> Security Systems Analyst
> (248) 370-4368
> condie () oakland edu
> ----- Original Message -----
> From: "Doug Pearson" <dodpears () INDIANA EDU>
> To: <SECURITY () LISTSERV EDUCAUSE EDU>
> Sent: Monday, August 18, 2003 10:55 PM
> Subject: [SECURITY] DHS Advisory: Welchia worm
>
>
> > An advisory from DHS regarding the new variant of Blaster...
> >
> > Doug Pearson
> > REN-ISAC, Acting Director
> > Indiana University
> > ren-isac () iu edu
> >
> > ----------
> >
> > Advisory
> > Title: New version of the MS-RPC DCOM Worm infecting machines and creating
> Denial of Service Conditions
> > Date: August 18, 2003
> >
> >
> > SYSTEMS AFFECTED:  Computers using the following operating systems:
> > Microsoft Windows NT 4.0
> > Microsoft Windows 2000
> > Microsoft Windows XP
> > Microsoft Windows Server 2003
> >
> > OVERVIEW
> > A new worm that exploits the same security weakness as the Blaster worm
> (also known as "lovsan" or "msblast") has been released on the Internet.
> This new worm, dubbed "nachi", "welchia", or "msblast.d" does not infect
> systems that have been updated to counter the Blaster worm in accordance
> with Microsoft's instructions at
> http://www.microsoft.com/security/incident/blast.asp.  This new worm will
> re-infect computers that are currently infected with Blaster or one of its
> variants.  It deletes the original worm, patches the system by downloading
> the update from Microsoft, and replaces the original worm with itself.
> > IMPACT
> > Scanning by the new worm is causing denial of service conditions for some
> organizations.  Full details about what the worm does after infecting a
> computer are not yet fully understood.  There may be other malicious aspects
> of this worm such as the installation of back doors that allow intruders to
> access or control infected machines.
> > DETAILS
> > Information on the new worm is still emerging.  It appears that the worm
> searches for any computer that has not been updated including those machines
> infected with the Blaster worm and its variants.  After infecting a new
> computer, it deletes the file msblast.exe from the infected machine.  The
> worm then attempts to download the patch for the MS-RPC DCOM vulnerability
> from Microsoft's update site and then re-boots the machine if the
> installation is successful.  It has been reported that the variant then
> begins scanning or flooding the network with high volumes of ICMP (Internet
> Control Message Protocol) traffic causing network congestion which can
> result in denial of service conditions.  This may be a symptom of the worm's
> propagation and not designed intentionally as a denial of service attack.
> > RECOMMENDATIONS
> > "       For Home Users:
> > o       Complete patching of systems for the MS-RPC DCOM vulnerability
> immediately.  Detailed directions for applying the patch for your system can
> be found at:
> > "        http://www.cert.org/advisories/CA-2003-20.html
> > "       http://www.microsoft.com/security/incident/blast.asp
> > o       Install the latest updates from your anti-virus vendor.
> >
> > "       For Network Administrators:
> > o       Complete patching of systems for the MS-RPC DCOM vulnerability
> immediately.  Detailed directions for applying the patch for your system can
> be found at:
> > "        http://www.cert.org/advisories/CA-2003-20.html
> > "       http://www.microsoft.com/security/incident/blast.asp
> > o       Install the latest updates from your anti-virus vendor.
> > o       Continue MS-RPC DCOM mitigation strategy of blocking MS- RPC ports
> if possible.
> > o       Monitor your network for unusual levels of ICMP traffic, and
> traffic for
> > port 707 also reportedly used by the worm.
> > o       Employ blocking strategies on border equipment.  Reports have been
> received that the high levels of ICMP traffic have caused equipment at
> network borders to become congested.
> > o       Information is still emerging about this variant continue to
> monitor
> > updates from your anti-virus vendor.
> >
> > Additional References:
> > W32/Nachi.worm
> > http://vil.nai.com/vil/content/v_100559.htm
> >
> > W32.Welchia.Worm
> > http://www.sarc.com/avcenter/venc/data/w32.welchia.worm.html
> >
> > Worm_MSBLAST.D
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.D
> > DHS encourages recipients of this Advisory to report information
> concerning suspicious or criminal activity to local law enforcement, local
> FBI's Joint Terrorism Task Force or the Homeland Security Operations Center
> (HSOC).  The HSOC may be contacted at:   Phone: (202) 282-8101.
> > DHS intends to update this advisory should it receive additional relevant
> information, including information provided to it by the user community.
> Based on this notification, no change to the Homeland Security Advisory
> System (HSAS) level is anticipated; the current HSAS level is Yellow.
> > -o0o-
> >
> > **********
> > Participation and subscription information for this EDUCAUSE Discussion
> Group discussion list can be found at http://www.educause.edu/cg/.
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
> http://www.educause.edu/cg/.

----
Doug Pearson; Indiana University; dodpears () indiana edu
Phone: 812-855-3846; ViDeNet: 0018128553846
PGP: http://mypage.iu.edu/~dodpears/dodpears_pubkey.asc

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.