oskj
asked on
W32.Welchia infected win 2k Advance Server
Hi all,
Recently my company Win 2K advance server got infected by W32.Welchia . We have use the virus removal tool to remove. However everyday, our Norton Anit virus will detected the virus and quarantine it. After that I use the norton removal tool and the virus was detected was again and removed.
We have updated the patch file and the service pack. Is there any way to totally removed the virus?
Thanks!
Recently my company Win 2K advance server got infected by W32.Welchia . We have use the virus removal tool to remove. However everyday, our Norton Anit virus will detected the virus and quarantine it. After that I use the norton removal tool and the virus was detected was again and removed.
We have updated the patch file and the service pack. Is there any way to totally removed the virus?
Thanks!
ASKER
Hi!
I did what u mention but the worm seem to be in my system.
I did what u mention but the worm seem to be in my system.
The Welchia worm has two methods of infection, one via the RPC flaw (MS03-026/MS03-039) and one via a WebDAV flaw (MS03-007). I suspect from your description that you are only patching against the one flaw. The steps you should make are in this order:
1. Download the following:
The patches for your OS/Language at: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-007.asp
And http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-036.asp
The symantec removal tool: http://www.symantec.com/avcenter/FixWelch.exe
A scanner for the RPC flaw: http://www.eeye.com/html/Research/Tools/RPCDCOM.html
2. Install the patches:
MS03-007 and MS03-036 reboot if required.
3. Run the removal tool, FixWelch.exe
4. Scan your IP address with the RPC flaw scanner to ensure that the flaw has been removed (I have had patches not install properly in the past).
You should also look to find the source of your infection and make sure your machine is properly firewalled to traffic from the internet. By default you should deny all traffic unless you really need to let it through for some reason.
Is norton detecting the virus in a file? Or is it just a registry key or something that it is detecting?
1. Download the following:
The patches for your OS/Language at: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-007.asp
And http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-036.asp
The symantec removal tool: http://www.symantec.com/avcenter/FixWelch.exe
A scanner for the RPC flaw: http://www.eeye.com/html/Research/Tools/RPCDCOM.html
2. Install the patches:
MS03-007 and MS03-036 reboot if required.
3. Run the removal tool, FixWelch.exe
4. Scan your IP address with the RPC flaw scanner to ensure that the flaw has been removed (I have had patches not install properly in the past).
You should also look to find the source of your infection and make sure your machine is properly firewalled to traffic from the internet. By default you should deny all traffic unless you really need to let it through for some reason.
Is norton detecting the virus in a file? Or is it just a registry key or something that it is detecting?
>> but the worm seem to be in my system.
hv u go/read through that symantec sites in my comments and follow the removal instructions?
also follow the links of the vulnerabilities exploits by that worm which including at that sites at the beginning of the article...
q
hv u go/read through that symantec sites in my comments and follow the removal instructions?
also follow the links of the vulnerabilities exploits by that worm which including at that sites at the beginning of the article...
q
Have you checked all of the other machines on your network? If you have file replication or shadow copy implimented on your server pay particular attention to those machines that are involved.
I had a similar problem with Welchia and MuMu viruses, wherby Norton AV would detect the same viruses on the same pcs over and over for a period of a couple of months even though the machines were patched up.
It is my opinion that these were in fact virus infection ATTEMPTS from an infected source/s on the LAN. I had to laboriousley hunt down the infected pc/s on the LAN before I saw a reduction in infection attempts. but even today I still get the odd one popping up somewhere which tells me I haven't rubbed it out 100%. Not a major worry. Suggestions anyone??
Blogg
It is my opinion that these were in fact virus infection ATTEMPTS from an infected source/s on the LAN. I had to laboriousley hunt down the infected pc/s on the LAN before I saw a reduction in infection attempts. but even today I still get the odd one popping up somewhere which tells me I haven't rubbed it out 100%. Not a major worry. Suggestions anyone??
Blogg
My experience has been that nothing short or a machine-by-machine fix-welch death march is required.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
have u update the latest virus definition,critical update and service pack 4?
W32.Welchia.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html
----
go to this sites to scan for virus...
Online virus scan:
Symantec (norton)
http://security2.norton.com/ssc/vc_about.asp?langid=us&venid=sym&plfid=22&pkj=RKNYPJUIYCZRWEJGSSK
Housecall Online Scan
http://housecall.antivirus.com
--