I'm confused. Symantec has a fix.
Hi,

You say,

Note that *I* don't have the business part of Welchia - I'm just a target because I have the RPC vulnerability until I can apply the SP and patch.

So the worm hasn't infected your machine, but you don't have an RPC patch applied and the worm is interfering with getting SP4 onto your machine? That doesn't make much sense to me. Are you sure that's what's going on?

An updated antivirus package should keep you from being infected even if you haven't applied SP4, I think.

[link|http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html|Here] is Symantec's removal tool. Have you tried it, or something similar?

[link|http://www.microsoft.com/security/antivirus/nachi.asp|MS] has a page on fixes too.

Luck!

Cheers,
Scott.
Nope
Remember how this works - an infected machine scans for Win2k machines with the RPC glitch. When it finds one, it exploits it and then downloads a file that looks like a real Windows file - in fact it *is* a real Windows file with a goiter - the goiter is a tftp server. The RPC server is dead because of the exploit - so Windows Update can't do anything with the files it downloaded.

You don't have to have the virus to be attacked - only the RPC problem.

If you can't get behind a firewall, the only possibility is to apply the service pack from CD or D/L the entire file. How many people are going to D/L a file that is 130Mb over the phone? How many people are behind personal firewalls? Not many.

You can't apply the patch to fix the RPC server until Service Pack 3 or better is installed. But you can't install the service pack until RPC server is fixed. It's rather diabolical - and I'm sure a lot of people out there are saying to themselves "my virus software doesn't report any problems so I'm OK" - but you aren't OK unless you have a real-time protector that is looking for the files that are sent to your machine by the exploiter.

(Coincidentally, SP4 just finished installing from behind my Windows 98 firewall, where I am typing this :)

I'm certain that the affected machines are scanning people who connect to windowsupdate.com - as SOON as I would go there, F-Prot reported the file had been downloaded. In a way it was fascinating. All this because people can't use pointers without pricking their fingers.
-drl
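A defender-side check for the sequence described in the post above (an inbound connection to the RPC endpoint, then a TFTP fetch back to the same host), added here as an example and not part of the thread. The firewall log format and the addresses are constructed; the ports used are the standard DCOM RPC (TCP 135) and TFTP (UDP 69) ports.

```python
# Added example: flag hosts that show the RPC-exploit-then-TFTP pattern.
# Log format is constructed: "<ISO time> <proto> <src_ip> -> <dst_ip>:<dst_port>"
from collections import defaultdict
from datetime import datetime, timedelta

RPC_PORT = 135              # DCOM RPC endpoint, the service being exploited
TFTP_PORT = 69              # TFTP, the victim pulls the dropped file from here
WINDOW = timedelta(minutes=5)   # how soon after the RPC hit the fetch must follow

# Constructed sample log (not real traffic). Only the first pair should match:
# the second pair is outside WINDOW, the last line has no preceding RPC hit.
SAMPLE_LOG = """\
2003-08-20T10:01:02 tcp 203.0.113.7 -> 192.0.2.10:135
2003-08-20T10:01:05 udp 192.0.2.10 -> 203.0.113.7:69
2003-08-20T10:02:00 tcp 198.51.100.4 -> 192.0.2.10:135
2003-08-20T10:30:00 udp 192.0.2.10 -> 198.51.100.4:69
2003-08-20T10:03:00 udp 192.0.2.10 -> 203.0.113.9:69
"""

def parse_line(line):
    """Split one constructed log line into (time, proto, src, dst_ip, dst_port)."""
    ts, proto, src, _arrow, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), proto, src, dst_ip, int(dst_port)

def find_rpc_tftp_pattern(log_text):
    """Return {victim: [remote, ...]} where a TCP connection from remote to the
    victim's RPC port was followed within WINDOW by a UDP TFTP connection from
    the victim back to that same remote host."""
    rpc_seen = defaultdict(dict)    # victim -> {remote: time of last RPC hit}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, dst, port = parse_line(line)
        if proto == "tcp" and port == RPC_PORT:
            rpc_seen[dst][src] = ts             # dst is the victim, src the remote
        elif proto == "udp" and port == TFTP_PORT:
            t0 = rpc_seen[src].get(dst)         # src is the victim, dst the remote
            if t0 is not None and timedelta(0) <= ts - t0 <= WINDOW:
                hits[src].append(dst)
    return dict(hits)

if __name__ == "__main__":
    for victim, remotes in find_rpc_tftp_pattern(SAMPLE_LOG).items():
        print(f"{victim}: RPC hit followed by TFTP fetch from {', '.join(remotes)}")
```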
Read this
[link|http://www.webmasterworld.com/forum9/6051.htm|http://www.webmaster...m/forum9/6051.htm]

This is probably typical of how people respond - and ANY Win2k or XP install from an older CD is going to get hit as soon as it goes to Windows Update.

If the people who made this beast had been malicious, they would have allowed you to go ahead and finish your update, but with a little extra :)

Note that some other RPC exploiter sent me Pilate.B, which *is* malicious. There is no telling the extent to which the Internet is compromised.
-drl
Registration required. Usual userid created. :-)

Is it enough to love
Is it enough to breathe
Somebody rip my heart out
And leave me here to bleed
 
Is it enough to die
Somebody save my life
I'd rather be Anything but Ordinary
Please

-- "Anything but Ordinary" by Avril Lavigne.

Call for papers
IWETHEY will host a symposium titled, "The Compromised Internet." You are invited to submit original technical papers regarding calculation of the extent of compromise of the Internet. Research leading to results which do not approach or approximate the known-sampled rate of 99.95% will not be considered. Submissions must not exceed 15 pages of double-spaced text and must themselves include a malicious payload.

Papers from the Linux community will be returned immediately to sender, as there's nothing worse than a bunch of stuck-up, self-satisfied prigs.
I was one of the original authors of VB, and *I* wouldn't use VB for a text
processing program. :-)
Michael Geary, on comp.lang.python
     Windows 98 Saves 2K's Ass - (deSitter) - (5)
         I'm confused. Symantec has a fix. - (Another Scott) - (4)
             Nope - (deSitter)
             Read this - (deSitter) - (2)
                 Registration required. Usual userid created. :-) -NT - (static)
                 Call for papers - (FuManChu)