
W32/Nachi.worm


kevrob1
08-19-2003, 01:12 AM
Just when you thought it was safe, this weird thing comes along.

This detection is for another virus that exploits the MS03-026 vulnerability. In addition to exploiting this RPC DCOM vulnerability, the virus also attempts to exploit an NTDLL.DLL vulnerability (MS03-007) via WebDav.

It is not related to the W32/Lovsan.worm.d variant described here.

Intentions of the worm
This worm spreads by exploiting a hole in Microsoft Windows. It instructs a remote target system to download and execute the worm from the infected host. Once running, the worm terminates and deletes the W32/Lovsan.worm.a process and applies the Microsoft patch to prevent other threats from infecting the system through the same hole. When the system clock reaches Jan 1, 2004, the worm will delete itself upon execution.

http://us.mcafee.com/virusInfo/default.asp?id=nachi

http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html



:(

Baddog
08-19-2003, 06:32 AM
When W32.Welchia.Worm is executed, it performs the following actions:


Copies itself to:

%System%\Wins\Dllhost.exe

NOTE: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


Makes a copy of %System%\Dllcache\Tftpd.exe, as %System%\Wins\svchost.exe.

NOTE: Svchost.exe is a legitimate program, which is not malicious, and therefore Symantec antivirus products will not detect it.


Creates the following services:

Service Name: RpcTftpd
Service Display Name: Network Connections Sharing
Service Binary: %System%\wins\svchost.exe

This service will be set to start manually.

Service Name: RpcPatch
Service Display Name: WINS Client
Service Binary: %System%\wins\dllhost.exe

This service will be set to start automatically.


Ends the process, Msblast, and deletes the file %System%\msblast.exe which is dropped by the worm, W32.Blaster.Worm.


The worm will select the victim IP address in two different ways. It will either use A.B.0.0 from the infected machine's IP of A.B.C.D and count up, or it will construct a random IP address based on some hard-coded addresses. After selecting the start address, it will count up through a range of Class C sized networks, for example, if it starts at A.B.0.0, it will count up to at least A.B.255.255.


The worm will send an ICMP echo, or PING, to check if the IP address constructed is an active machine on the network.


Once the worm identifies a machine as being active on the network, it will either send data to TCP port 135, which exploits the DCOM RPC vulnerability, or it will send data to TCP port 80 to exploit the WebDav vulnerability.


Creates a remote shell on the vulnerable host that will connect back to the attacking computer on a random TCP port between 666 and 765 to receive instructions.


Launches the TFTP server on the attacking machine, instructs the victim machine to connect and download Dllhost.exe and Svchost.exe from the attacking machine. If the file, %System%\dllcache\tftpd.exe exists, the worm may not download svchost.exe.


Checks the computer's operating system version, Service Pack number, and System Locale and attempts to connect to Microsoft's Windows Update and download the appropriate DCOM RPC vulnerability patch.


Once the update has been downloaded and executed, the worm will restart the computer so that the patch is installed.


Checks the computer's system date. If the year is 2004, the worm will disable and remove itself.
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html :t
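The propagation sequence quoted above (ICMP echo sweep from A.B.0.0 upward through one /16, exploit attempt on TCP 135 or 80, then a shell from the victim back to the attacker on a TCP port between 666 and 765) can be turned into network-side detection logic. The Python below is an added example written for this page, not code from the original thread, Symantec or McAfee. The flow records are constructed, the record layout is a simplified hypothetical one, and the thresholds (20 distinct targets inside 30 seconds, callback within 120 seconds of the exploit connection) are assumptions chosen for the example, not values from the advisories.

```python
"""Detect Welchia/Nachi-style propagation in flow records (added example).

Record layout (constructed, simplified NetFlow-like tuple):
    (seconds, src_ip, dst_ip, proto, dst_port)
"""
import ipaddress
from collections import defaultdict

# Ports from the thread: RPC DCOM (135), WebDAV (80), callback shell (666-765).
EXPLOIT_PORTS = {135, 80}
CALLBACK_PORTS = range(666, 766)


def sweep_targets(local_ip, count):
    """Yield the first `count` addresses the worm would try, starting at A.B.0.0
    of its own A.B.C.D address and counting upward (the first of its two modes)."""
    start = ipaddress.IPv4Address(int(ipaddress.IPv4Address(local_ip)) & 0xFFFF0000)
    for i in range(count):
        yield str(start + i)


def detect_icmp_sweep(records, min_targets=20, window=30):
    """Return sources that ping at least `min_targets` distinct hosts inside one /16,
    in ascending address order, within `window` seconds (a Welchia-style sweep)."""
    per_src = defaultdict(list)
    for t, src, dst, proto, _ in records:
        if proto == "icmp":
            per_src[src].append((t, int(ipaddress.IPv4Address(dst))))
    hits = set()
    for src, events in per_src.items():
        events.sort()  # by time, so consecutive pairs reflect scan order
        j = 0
        for i in range(len(events)):
            while events[i][0] - events[j][0] > window:
                j += 1
            win = events[j:i + 1]
            targets = {d for _, d in win}
            if len(targets) < min_targets:
                continue
            same_16 = len({d >> 16 for d in targets}) == 1
            ascending = sum(1 for a, b in zip(win, win[1:]) if b[1] > a[1])
            if same_16 and ascending >= 0.9 * (len(win) - 1):
                hits.add(src)
                break
    return hits


def detect_callbacks(records, max_delay=120):
    """Return (victim, attacker) pairs where an inbound connection to 135/80 from the
    attacker is followed, within `max_delay` seconds, by an outbound connection from
    the victim to the attacker on a port in 666-765 (the worm's remote shell)."""
    exploit_times = defaultdict(list)  # (victim, attacker) -> [t, ...]
    for t, src, dst, proto, dport in records:
        if proto == "tcp" and dport in EXPLOIT_PORTS:
            exploit_times[(dst, src)].append(t)
    pairs = set()
    for t, src, dst, proto, dport in records:
        if proto == "tcp" and dport in CALLBACK_PORTS:
            for t0 in exploit_times.get((src, dst), ()):
                if 0 <= t - t0 <= max_delay:
                    pairs.add((src, dst))
    return pairs


# Constructed sample traffic: one infected host sweeping its own /16, one victim.
ATTACKER = "10.20.37.5"
VICTIM = "10.20.0.17"
RECORDS = [(i, ATTACKER, dst, "icmp", 0) for i, dst in enumerate(sweep_targets(ATTACKER, 40))]
RECORDS += [
    (41, ATTACKER, VICTIM, "tcp", 135),   # DCOM RPC exploit attempt
    (43, VICTIM, ATTACKER, "tcp", 700),   # victim's shell calls back on 666-765
    (5, "10.99.1.1", "10.99.0.1", "icmp", 0),     # benign: admin pinging two gateways
    (6, "10.99.1.1", "10.100.0.1", "icmp", 0),
    (50, "10.20.0.9", VICTIM, "tcp", 80),         # benign: ordinary web request
    (51, VICTIM, "10.20.0.9", "tcp", 443),        # benign: unrelated HTTPS, port not in range
]

if __name__ == "__main__":
    print("sweeping hosts:", detect_icmp_sweep(RECORDS))
    print("victim -> attacker callbacks:", detect_callbacks(RECORDS))
```

The sweep check keys on the three properties the advisory gives (ICMP echo, one /16, ascending order) rather than on raw ping volume, so a monitoring host that pings many scattered addresses is not flagged. On the host side, the same post gives the indicators to look for: the services RpcTftpd and RpcPatch, and %System%\Wins\dllhost.exe and svchost.exe on disk.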

kevrob1
08-19-2003, 09:55 AM
I guess my point is I'd really rather maintain my machines myself. It would be easy enough for someone to leave a little something else even after the supposed "self-deletion" date. 1, 3 or 6 months later back it comes with a sinister payload. No thank you. :rolleyes:

Bluehail
08-19-2003, 11:54 PM
It's not supposed, it's hard-coded into the program.

kevrob1
08-20-2003, 01:00 AM
Here's the deal though, I find it too coincidental that the so-called "good worm" lasts through Jan 1st, 2004, right through the holiday season. Ummm, maybe long enough to collect credit card #'s from all those online shoppers? Call me paranoid, but "no thank you" I say. :(

kevrob1
08-20-2003, 02:44 AM
Symantec on Tuesday upgraded the W32.Welchia.Worm from a Level 2 to a Level 4 threat and reported "severe disruptions" on the internal networks of large enterprises caused by ICMP flooding.

See what I mean, the best intentions...:t