On Fri, Aug 22, 2003 at 12:28:55PM -0700, Cory Petkovsek wrote:
> I've been welched...
> W32.Welchia.Worm
> http://www.symantec.com/avcenter/venc/data/pf/w32.welchia.worm.html
Ha!! Sounds like this worm was written by Microsoft as an attempt to stave off their DDoS. Here's what Symantec's website says this worm does:

  * Attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, install it, and then reboot the computer.
  * Checks for active machines to infect by sending an ICMP echo request, or PING, which will result in increased ICMP traffic.
  * Attempts to remove W32.Blaster.Worm.
  * Installs tftp service
  * Removes itself if the year is 2004

The second to last one is interesting. Perhaps so MS can upload security patches remotely (push replication).

What is really odd though, is that according to Symantec, none of the ways this worm replicates would have worked here (ICMP, TCP 135, TCP 80). Unless it is also distributed over email and then turns into a DCOM RPC worm, but I filter our email too.

Once I discovered the problem, to stop it from bogging down my firewall I ran this line, as I normally allow some ICMP out:

  iptables -I FORWARD -s <server> -p icmp -j DROP

Cory
-- 
Cory Petkovsek                                   Adapting Information
Adaptable IT Consulting                          Technology to your
(541) 914-8417                                   business
[EMAIL PROTECTED]                                www.AdaptableIT.com
_______________________________________________
EuG-LUG mailing list
[EMAIL PROTECTED]
http://mailman.efn.org/cgi-bin/listinfo/eug-lug
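The post above finds the infected host by noticing the ICMP flood at the firewall and then drops that host's ICMP with one FORWARD rule. The script below is an added example, not code from Cory's post or from Symantec: it pulls echo-request lines out of netfilter LOG output, counts how many distinct destinations each source has pinged (a Welchia-style sweep shows up as one source hitting many hosts), and prints the same DROP rule for each offender. The log lines are constructed, and the LOG prefix "FWD-ICMP: " and the threshold of 5 destinations are assumptions; nothing here was run against the list's firewall.

```shell
#!/bin/sh
# Added example (not from the original post or from Symantec).
# Assumed logging rule that would produce lines like the sample below:
#   iptables -I FORWARD -p icmp --icmp-type echo-request -j LOG --log-prefix "FWD-ICMP: "

# Constructed sample: 192.168.1.50 sweeps six hosts, 192.168.1.7 pings one host
# twice, and one line is an echo reply (TYPE=0) that must be ignored.
LOGFILE=$(mktemp)
cat > "$LOGFILE" <<'EOF'
Aug 22 12:30:01 fw kernel: FWD-ICMP: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=10.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=127 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Aug 22 12:30:01 fw kernel: FWD-ICMP: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=10.0.0.2 LEN=84 TOS=0x00 PREC=0x00 TTL=127 ID=2 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=2
Aug 22 12:30:01 fw kernel: FWD-ICMP: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=10.0.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=127 ID=3 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=3
Aug 22 12:30:01 fw kernel: FWD-ICMP: IN=eth1 OUT=eth0 SRC=192.168.1.7 DST=10.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=77 PROTO=ICMP TYPE=8 CODE=0 ID=900 SEQ=1
Aug 22 12:30:02 fw kernel: FWD-ICMP: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=10.0.0.4 LEN=84 TOS=0x00 PREC=0x00 TTL=127 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=4
Aug 22 12:30:02 fw kernel: FWD-ICMP: IN=eth0 OUT=eth1 SRC=10.0.0.1 DST=192.168.1.7 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=78 PROTO=ICMP TYPE=0 CODE=0 ID=900 SEQ=1
Aug 22 12:30:02 fw kernel: FWD-ICMP: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=10.0.0.5 LEN=84 TOS=0x00 PREC=0x00 TTL=127 ID=5 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=5
Aug 22 12:30:02 fw kernel: FWD-ICMP: IN=eth1 OUT=eth0 SRC=192.168.1.7 DST=10.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=79 PROTO=ICMP TYPE=8 CODE=0 ID=900 SEQ=2
Aug 22 12:30:03 fw kernel: FWD-ICMP: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=10.0.0.6 LEN=84 TOS=0x00 PREC=0x00 TTL=127 ID=6 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=6
EOF

# sweep_sources LOGFILE MIN_DESTS
# Prints "SRC COUNT" for every source that sent ICMP echo requests (TYPE=8)
# to at least MIN_DESTS distinct destinations. Repeated pings of the same
# destination count once, so a host re-pinging one server is not flagged.
sweep_sources() {
  awk -v min="$2" '
    {
      src = ""; dst = ""; icmp = 0; echo = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "PROTO=ICMP") icmp = 1
        else if ($i == "TYPE=8") echo = 1
        else if ($i ~ /^SRC=/) src = substr($i, 5)
        else if ($i ~ /^DST=/) dst = substr($i, 5)
      }
      if (icmp && echo && src != "" && dst != "" && !seen[src, dst]++)
        count[src]++
    }
    END { for (s in count) if (count[s] >= min) print s, count[s] }
  ' "$1" | sort
}

# drop_rule SRC
# The same rule the post used, with the offending host filled in.
drop_rule() {
  printf 'iptables -I FORWARD -s %s -p icmp -j DROP\n' "$1"
}

# Stand-alone run: report each sweeping host and the rule that would stop it.
sweep_sources "$LOGFILE" 5 | while read -r src n; do
  echo "$src sent echo requests to $n distinct hosts; suggested rule:"
  drop_rule "$src"
done
```

The threshold is the knob to tune: a monitoring box that legitimately pings a handful of servers should stay under it, while a sweeping worm crosses it within seconds. Review the output before applying the rule rather than piping it straight into iptables, since a misread log line would cut a host off.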
