It may be a friendly worm with good intentions but the W32.Welchia.Worm squirming through corporate networks has become a nightmare for IT administrators already struggling to clean up last week’s “Blaster” virus.
What’s worse, security experts say, is that the Welchia worm is using two separate vulnerabilities to infect and wreak havoc on networks around the world. In addition to sneaking in via the DCOM RPC
vulnerability in some versions of Microsoft’s Windows operating systems, Welchia propagates through TCP port 80 on Microsoft IIS
5.0 systems that have not patched the Microsoft Windows WebDav (ntdll.dll) Buffer Overflow Vulnerability.
Microsoft first released a patch for the WebDav vulnerability in March (updated in May this year) but unpatched systems are still at risk of infection.
Vincent Weafer, senior director of Symantec’s Security Response unit, described the Welchia copycat as a “significant threat” for enterprises still struggling to clean up from Blaster.
“This worm, even though it pretends to be friendly, is even more
problematic because of the propagation technique it uses. And, even if you have patched against the DCOM RPC vulnerability, you are still at risk because it uses another avenue to infect,” Weafer told
Welchia looks for the existence of the Msblast.exe file dropped by the W32.Blaster.Worm and deletes it from an affected system, is capable of crippling a large corporate network even if the DCOM/RPC patch is
“In some cases enterprise users have been unable to access critical
network resources. This is an insidious worm that is preventing IT
administrators from cleaning up after the W32.Blaster.Worm,” Weafer
He said Welchia’s propagation technique was “swamping network systems with traffic and causing denial-of-service to critical servers within organizations.”
Symantec on Tuesday upgraded the W32.Welchia.Worm from a Level 2 to a Level 4 threat and reported “severe disruptions” on the internal networks of large enterprises caused by ICMP flooding.
According to Weafer, after Welchia deletes the msblast.exe virus, it then attempts to download the DCOM RPC patch from Microsoft’s Windows Update Web site, install the patch and then reboot the computer. It is congesting networks because it checks for active machines to infect by sending an ICMP echo (ping) which may result in significantly increased ICMP traffic.
ICMP is a TCP/IP protocol used to send Internet messages.
“Inside large organizations, even if the perimeter is patched, this worm can still cause problems on the inside. This is very very difficult for admins,” he explained.
Once the worm is identified and quarantined, he said system administrators would have to go from desktop to desktop to manually disinfect machines. “When a network is being accessed by home users or users with laptops, it makes it even more difficult form them to contain the spread of the worm,” Weafer added.
Typically, he said enterprises would protect against the worm by securing the edge of the network first and then move on to critical servers. Once those areas are patched, he said an IT admin would move on to protecting desktops. That’s where it is proving to be a burden, according to Weafer, especially in large corporate environments without thousands of workstations.
It’s quite a burden to locate machines and get patches deployed. And, because the vulnerability affects a host of different operating systems, even keeping track of all that becomes a nightmare. In some organizations, it will take months to completely patch the network,” he declared.
Microsoft, meanwhile, defended its response to the latest worm exploits. A spokesman for said the patch for the worm and its variants has been available for over a month, and was updated last week, while urging companies to stay vigilant about updating their systems and patches regularly.
As for whether two exploits of Windows operating system versions in less than a week was a black eye for Microsoft’s Trustworthy Computing, a Microsoft analyst said it was fair to raise the question.
Mike Cherry, lead analyst for operating systems at technology and strategy consulting firm Directions on Microsoft (which is not affiliated with the software company), said “it’s always fair to monitor the company’s progress on Trustworthy Computing, Microsoft’s effort to improve the security of its products.
“I think these setbacks are raising questions in the minds of users, but I think you also have to give [Microsoft] some credit” for their progress in security, he added.
“If you look back a year ago, when the Code Red [virus] happened, their amount of information and response was worse. So they are responding better, making improvements, but I think you honestly have to say they have a ways to go.”
Cherry said what he looks for is continued progress from the world’s largest software company, and whether all of Microsoft’s business units are working in tandem on security responses.