I discovered that whatever Welchia is, it is deliberately targeted at windowsupdate.com - when I would try to go there to apply SP4 to my new 2k install, F-Prot would invariably see the characteristic files svchost.exe and dllhost.exe show up in the wrong folder. This in itself is harmless because F-Prot immediately nails them, but not before the RPC server dies - thus, the update that is D/Ling is useless, because it will never be able to install once it's downloaded without RPC running (you can't even cut/paste without that). There is no way to get the RPC exploit fix off the net, at least by dialup - the entire SP4 is >130Mb and can't be downloaded over a phone line (practically speaking).
Note that *I* don't have the business part of Welchia - I'm just a target because I have the RPC vulnerability until I can apply the SP and patch.
I didn't want to reconfigure my other Linux laptop as a NATting firewall, or worry with trying to make 2kPro a server, but I had a brainstorm - Windows 98 was moved over to the other lappy and I remembered a feature I'd never used, "Connection Sharing" - a poor man's NATing router. So now the service pack install is coursing thru a 98 machine.
There must be millions of 2k and XP machines without the proper RPC patch that are happily TFTPing shit everywhere. Has anyone done an inventory? The numbers must be staggering.
This is progress! 98 saves its big cousin's sorry-NT-ass.
One has to admit that these worms are clever little beasties. Thank God I'm usually on Linux so this shit is a non-issue for the most part.