GSA Technology Council

Welchia Worm Becomes a Category 4 Threat

Symantec has reported that it has upgraded the W32.Welchia.Worm to a “Category 4” or “Severe” threat. Symantec reports that large enterprises are experiencing severe disruptions on their internal networks due to ICMP flooding. This can make some network resources inaccessible due to traffic overload.


The new worm adds insult to injury by specifically targeting computers previously infected with the W32.Blaster.Worm. Once it is on a system, the W32.Welchia.Worm deletes msblast.exe, attempts to download the DCOM RPC patch from Microsoft’s Windows Update Web site, installs the patch, and then reboots the computer. While it may sound like the worm is an attempt to clean up the previous worm, in practice it acts as a denial of service attack, swamping networks with PING traffic.


Symantec strongly urges system administrators to ensure that patches have been applied to systems vulnerable to either the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability or the Microsoft Windows WebDav Buffer Overflow Vulnerability.


They have posted a removal tool for W32.Welchia.Worm on the Symantec website.

