Windows 98 Saves 2K's Ass
I discovered that whatever Welchia is, it is deliberately targeted at windowsupdate.com - when I would try to go there to apply SP4 to my new 2k install, F-Prot would invariably see the characteristic files svchost.exe and dllhost.exe show up in the wrong folder. This in itself is harmless because F-Prot immediately nails them, but not before the RPC server dies - thus, the update that is D/Ling is useless, because it will never be able to install once it's downloaded without RPC running (you can't even cut/paste without that). There is no way to get the RPC exploit fix off the net, at least by dialup - the entire SP4 is >130Mb and can't be downloaded over a phone line (practically speaking).

Note that *I* don't have the business part of Welchia - I'm just a target because I have the RPC vulnerability until I can apply the SP and patch.

I didn't want to reconfigure my other Linux laptop as a NATting firewall, or worry with trying to make 2kPro a server, but I had a brainstorm - Windows 98 was moved over to the other lappy and I remembered a feature I'd never used, "Connection Sharing" - a poor man's NATing router. So now the service pack install is coursing thru a 98 machine.

There must be millions of 2k and XP machines without the proper RPC patch that are happily TFTPing shit everywhere. Has anyone done an inventory? The numbers must be staggering.

This is progress! 98 saves its big cousin's sorry-NT-ass.

One has to admit that these worms are clever little beasties. Thank God I'm usually on Linux so this shit is a non-issue for the most part.

-drl
I'm confused. Symantec has a fix.
Hi,

You say,

Note that *I* don't have the business part of Welchia - I'm just a target because I have the RPC vulnerability until I can apply the SP and patch.

So the worm hasn't infected your machine, but you don't have an RPC patch applied and the worm is interfering with getting SP4 onto your machine? That doesn't make much sense to me. Are you sure that's what's going on?

An updated antivirus package should keep you from being infected even if you haven't applied SP4, I think.

[link|http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html|Here] is Symantec's removal tool. Have you tried it, or something similar?

[link|http://www.microsoft.com/security/antivirus/nachi.asp|MS] has a page on fixes too.

Luck!

Cheers,
Scott.
Nope
Remember how this works - an infected machine scans for Win2k machines with the RPC glitch. When it finds one, it exploits it and then downloads a file that looks like a real Windows file - in fact it *is* a real Windows file with a goiter - the goiter is a tftp server. The RPC server is dead because of the exploit - so Windows Update can't do anything with the files it downloaded.

You don't have to have the virus to be attacked - only the RPC problem.

If you can't get behind a firewall, the only possibility is to apply the service pack from CD or D/L the entire file. How many people are going to D/L a file that is 130Mb over the phone? How many people are behind personal firewalls? Not many.

You can't apply the patch to fix the RPC server until Service Pack 3 or better is installed. But you can't install the service pack until RPC server is fixed. It's rather diabolical - and I'm sure a lot of people out there are saying to themselves "my virus software doesn't report any problems so I'm OK" - but you aren't OK unless you have a real-time protector that is looking for the files that are sent to your machine by the exploiter.

(Coincidentally, SP4 just finished installing from behind my Windows 98 firewall, where I am typing this :)

I'm certain that the affected machines are scanning people who connect to windowsupdate.com - as SOON as I would go there, F-Prot reported the file had been downloaded. In a way it was fascinating. All this because people can't use pointers without pricking their fingers.
-drl
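A defender-side check for the symptom deSitter describes in the opening post and again in "Nope" (copies of the Windows binaries svchost.exe and dllhost.exe turning up outside the folder they normally live in). This is an added example, not code from the thread or from F-Prot; it assumes a default Windows 2000 layout with C:\WINNT as the system root, and the file listing it scans is constructed for illustration.

```python
from pathlib import PureWindowsPath

# Constructed sample listing (not taken from a real machine): the sort of
# paths a scanner or directory walk might report on the 2000 box in the thread.
SAMPLE_PATHS = [
    r"C:\WINNT\system32\svchost.exe",          # legitimate copy
    r"C:\WINNT\system32\dllhost.exe",          # legitimate copy
    r"C:\WINNT\system32\drivers\SVCHOST.EXE",  # constructed: wrong folder
    r"c:/winnt/temp/DllHost.exe",              # constructed: wrong folder
    r"C:\Downloads\w2ksp4.exe",                # unrelated file
    r"C:\WINNT\notepad.exe",                   # not a watched name
]


def expected_homes(system_root=r"C:\WINNT"):
    """Map each watched binary name to the only directory it should live in.
    Assumption: a default Windows 2000 layout, i.e. %SystemRoot%\\system32."""
    system32 = PureWindowsPath(system_root) / "system32"
    return {"svchost.exe": system32, "dllhost.exe": system32}


def find_misplaced_system_binaries(paths, system_root=r"C:\WINNT"):
    """Return every path whose file name is a watched system binary but whose
    parent directory is not that binary's expected home.

    Windows file systems are case-insensitive and accept either slash, so the
    name and the directory are compared after normalisation through
    PureWindowsPath and lower-casing."""
    homes = expected_homes(system_root)
    hits = []
    for raw in paths:
        path = PureWindowsPath(raw)
        home = homes.get(path.name.lower())
        if home is None:
            continue  # not a name we watch
        if str(path.parent).lower() != str(home).lower():
            hits.append(str(path))
    return hits


if __name__ == "__main__":
    for hit in find_misplaced_system_binaries(SAMPLE_PATHS):
        print("misplaced system binary:", hit)
```

This only catches the one indicator the thread names, a known system file name in a folder where it does not belong; it does not inspect file contents and does not replace the real-time scanner the posts rely on.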
Read this
[link|http://www.webmasterworld.com/forum9/6051.htm|http://www.webmaster...m/forum9/6051.htm]

This is probably typical of how people respond - and ANY Win2k or XP install from an older CD is going to get hit as soon as it goes to Windows Update.

If the people who made this beast had been malicious, they would have allowed you to go ahead and finish your update, but with a little extra :)

Note that some other RPC exploiter sent me Pilate.B, which *is* malicious. There is no telling the extent to which the Internet is compromised.
-drl
Registration required. Usual userid created. :-)

Is it enough to love
Is it enough to breathe
Somebody rip my heart out
And leave me here to bleed
 
Is it enough to die
Somebody save my life
I'd rather be Anything but Ordinary
Please

-- "Anything but Ordinary" by Avril Lavigne.

Call for papers
IWETHEY will host a symposium titled, "The Compromised Internet." You are invited to submit original technical papers regarding calculation of the extent of compromise of the Internet. Research leading to results which do not approach or approximate the known-sampled rate of 99.95% will not be considered. Submissions must not exceed 15 pages of double-spaced text and must themselves include a malicious payload.

Papers from the Linux community will be returned immediately to sender, as there's nothing worse than a bunch of stuck-up, self-satisfied prigs.
I was one of the original authors of VB, and *I* wouldn't use VB for a text
processing program. :-)
Michael Geary, on comp.lang.python