Solved

W32.Welchia infected win 2k Advance Server

Posted on 2003-10-21
10
174 Views
Last Modified: 2010-04-14
Hi all,

Recently my company Win 2K advance server got infected by W32.Welchia . We have use the virus removal tool to remove. However everyday, our Norton Anit virus will detected the virus and quarantine it. After that I use the norton removal tool and the virus was detected was again and removed.

We have updated the patch file and the service pack. Is there any way to totally removed the virus?

Thanks!
0
Comment
Question by:oskj
10 Comments
 
LVL 8

Expert Comment

by:qfren
ID: 9595993
hi:

have u update the latest virus definition,critical update and service pack 4?

W32.Welchia.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

----
go to this sites to scan for virus...
Online virus scan:
Symantec (norton)

http://security2.norton.com/ssc/vc_about.asp?langid=us&venid=sym&plfid=22&pkj=RKNYPJUIYCZRWEJGSSK

Housecall Online Scan
http://housecall.antivirus.com

--



0
 

Author Comment

by:oskj
ID: 9596003
Hi!

I did what u mention but the worm seem to be in my system.
0
 
LVL 3

Expert Comment

by:izwiz
ID: 9597050
The Welchia worm has two methods of infection, one via the RPC flaw (MS03-026/MS03-039) and one via a WebDAV flaw (MS03-007). I suspect from your description that you are only patching against the one flaw. The steps you should make are in this order:

1. Download the following:
  The patches for your OS/Language at: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-007.asp

And http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-036.asp

The symantec removal tool: http://www.symantec.com/avcenter/FixWelch.exe

A scanner for the RPC flaw: http://www.eeye.com/html/Research/Tools/RPCDCOM.html

2. Install the patches:

MS03-007 and MS03-036 reboot if required.

3. Run the removal tool, FixWelch.exe

4. Scan your IP address with the RPC flaw scanner to ensure that the flaw has been removed (I have had patches not install properly in the past).

You should also look to find the source of your infection and make sure your machine is properly firewalled to traffic from the internet. By default you should deny all traffic unless you really need to let it through for some reason.

Is norton detecting the virus in a file? Or is it just a registry key or something that it is detecting?

0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 
LVL 8

Expert Comment

by:qfren
ID: 9597173
>> but the worm seem to be in my system.
hv u go/read  through that symantec sites in my comments and follow the removal instructions?
also follow the links of the vulnerabilities exploits by that worm which including at that sites at the beginning of the article...


q
0
 
LVL 2

Expert Comment

by:lazerstl
ID: 9599930
Have you checked all of the other machines on your network? If you have file replication or shadow copy implimented on your server pay particular attention to those machines that are involved.
0
 

Expert Comment

by:Blogg
ID: 9620754
I had a similar problem with Welchia and MuMu viruses, wherby Norton AV would detect the same viruses on the same pcs over and over for a period of a couple of months even though the machines were patched up.

 It is my opinion that these were in fact virus infection ATTEMPTS from an infected source/s on the LAN. I had to laboriousley hunt down the infected pc/s on the LAN before I saw a reduction in infection attempts. but even today I still get the odd one popping up somewhere which tells me I haven't rubbed it out 100%. Not a major worry. Suggestions anyone??

Blogg
0
 
LVL 2

Expert Comment

by:lazerstl
ID: 9620782
My experience has been that nothing short or a machine-by-machine fix-welch death march is required.
0
 

Accepted Solution

by:
PashaMod earned 0 total points
ID: 10088876
PAQed - no points refunded (of 250)

PashaMod
Community Support Moderator
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Adding Computers to AD groups through an SCCM Task Sequence
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question