Welchia returns: a new version of the 'virtuous' virus
Virus analysts at Kaspersky Labs have detected a new version of Welchia
in the wild. The original Welchia allegedly 'cured' machines infected by
Lovesan: the new version supposedly 'disinfects' machines infected by
Mydoom.
Welchia.b uses the DCOM RPC vulnerability and the WebDav vulnerability
in MS IIS 5.0 to spread through the Internet. It then attempts to locate
and delete Mydoom, as well as installing the Microsoft patch for the
DCOM vulnerability.
At first glance these actions may seem constructive rather than destructive.
However, the author of Welchia has committed at least two cyber-crimes:
unauthorized access (breaking and entering) and continued unsanctioned
access. While reminding users to apply patches is important, it should
only be done by legal means.
Welchia.b is coded to retain control over infected computers until June
1, 2004.

Useful Links

Detailed descriptions of:
Welchia.b (http://www.viruslist.com/eng/viruslist.html?id=949424)
Mydoom.a (http://www.viruslist.com/eng/viruslist.html?id=841769)
Mydoom.b (http://www.viruslist.com/eng/viruslist.html?id=850737)
Lovesan (http://www.viruslist.com/eng/viruslist.html?id=61577)
Welchia.a (http://www.viruslist.com/eng/viruslist.html?id=65727)

MS Security Bulletins:
DCOM RPC vulnerability (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp)
WebDav in MS IIS 5.0 (http://www.microsoft.com/technet/security/bulletin/MS03-007.asp)