Web Hosting Forum | Lunarpages


Author Topic: Welchia Worm - DCOM RPC Exploit  (Read 718 times)
Hush
Senior Moderator
Über Jedi

Posts: 2905


« on: August 19, 2003, 02:55:54 AM »

W32.Welchia.Worm

W32.Welchia.Worm is a worm that exploits multiple vulnerabilities:

Exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026 - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp) using TCP port 135. The worm specifically targets Windows XP machines using this exploit.

Exploits the WebDav vulnerability (described in Microsoft Security Bulletin MS03-007 - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-007.asp) using TCP port 80. The worm specifically targets machines running Microsoft IIS 5.0 using this exploit.

The worm attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, install it, and then reboot the computer.

The worm checks for active machines to infect by sending an ICMP echo, or PING, which will result in increased ICMP traffic.

The worm will also attempt to remove W32.Blaster.Worm.

It is worth noting that whilst on the face of it, this worm appears to be 'good' in that it is primarily written to remove the W32.Blaster.Worm and fix the exploits by downloading the Microsoft patch, it still automatically restarts the machine after the patch installation, increases traffic and causes system instability.

Details about this Worm and how to protect/disinfect are available from Symantec's website at http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

Additional information, and an alternate site from which to download the Microsoft patch is available in the Microsoft article What You Should Know About the Blaster Worm and Its Variants. http://www.microsoft.com/security/incident/blast.asp

OTHER NAMES FOR W32.WELCHIA.WORM

W32/Welchia.worm10240 (AhnLab)
W32/Nachi.worm (McAfee)
WORM_MSBLAST.D (Trend)
Lovsan.D (F-Secure)

Remember, prevention is better than cure.

<- From the ashes will rise a phoenix ->

Lunarpages Web Hosting || Lunarpages Forums || Lunarpages Affiliate Program
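
A defender-side sketch of how the behaviour described in the post (an ICMP echo sweep followed by connections to TCP 135 or TCP 80) can be picked out of flow records. This is an added example, not part of the original post; the record layout, the thresholds and the names `build_sample_flows` and `find_sweepers` are assumptions, and the sample flows are constructed.

```python
from collections import defaultdict

WATCH_PORTS = {135, 80}  # TCP ports the post says the worm uses after pinging

def build_sample_flows():
    """Constructed records: (epoch_s, src, dst, proto, dst_port); RFC 5737 addresses."""
    flows = []
    for i in range(40):  # 192.0.2.10 sweeps 40 hosts in 20 s ...
        flows.append((1000 + i * 0.5, "192.0.2.10", f"198.51.100.{i + 1}", "icmp-echo", None))
    for i in (3, 7, 21):  # ... then connects to TCP 135 on hosts it pinged
        flows.append((1001 + i * 0.5, "192.0.2.10", f"198.51.100.{i + 1}", "tcp", 135))
    flows.append((1012.0, "192.0.2.10", "198.51.100.9", "tcp", 80))
    for i in range(40):  # 192.0.2.20: monitoring host, pings only
        flows.append((1000 + i * 0.5, "192.0.2.20", f"198.51.100.{i + 1}", "icmp-echo", None))
    for i in range(3):   # 192.0.2.30: ordinary client
        flows.append((1000 + i, "192.0.2.30", f"198.51.100.{i + 1}", "icmp-echo", None))
    flows.append((1005.0, "192.0.2.30", "198.51.100.2", "tcp", 80))
    return flows

def find_sweepers(flows, window=60.0, min_targets=25, min_followups=2):
    """Return {src: (pinged_in_window, followups)} for sweep-then-connect sources."""
    last_ping = defaultdict(dict)    # src -> {dst: time of latest echo request}
    ping_log = defaultdict(list)     # src -> [(ts, dst)] in time order
    followups = defaultdict(set)     # src -> pinged hosts later hit on 135/80
    for ts, src, dst, proto, port in sorted(flows, key=lambda f: f[0]):
        if proto == "icmp-echo":
            last_ping[src][dst] = ts
            ping_log[src].append((ts, dst))
        elif proto == "tcp" and port in WATCH_PORTS:
            pinged_at = last_ping[src].get(dst)
            if pinged_at is not None and ts - pinged_at <= window:
                followups[src].add(dst)
    hits = {}
    for src, events in ping_log.items():
        # Largest number of distinct hosts pinged inside any one window.
        widest = max(len({d for t, d in events[i:] if t - start <= window})
                     for i, (start, _) in enumerate(events))
        if widest >= min_targets and len(followups[src]) >= min_followups:
            hits[src] = (widest, len(followups[src]))
    return hits

if __name__ == "__main__":
    for src, (targets, probes) in find_sweepers(build_sample_flows()).items():
        print(f"{src}: pinged {targets} hosts, then TCP 135/80 to {probes} of them")
```

Requiring the follow-up connection is what separates the sweeping host from the monitoring host in the sample data; the thresholds should be set against the network's own baseline.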