Video | Business Headlines | Internet | Science | Scientific Ethics | Technology | Search


W32.Welchia.Worm To Level 4 Threat

Symantec Security Response Upgrades W32.Welchia.Worm To Level 4 Threat

Once Inside Corporate Perimeters, W32.Welchia.Worm Propagates at Rapid Pace

Symantec, the world leader in Internet security, today announced that it has upgraded the W32.Welchia.Worm from a Level 2 to a Level 4 threat. Symantec is receiving reports of severe disruptions on the internal networks of large enterprises caused by ICMP flooding related to the propagation of the W32.Welchia.worm. In some cases enterprise users have been unable to access critical network resources.

“Despite its original intent, the W32.Welchia.Worm is an insidious worm that is preventing IT administrators from cleaning up after the W32.Blaster.Worm,” said Richard Batchelar, Country Manager, Symantec New Zealand. “The worm is swamping network systems with traffic and causing denial-of-service to critical servers within organisations.”

W32.Welchia.Worm targets customers infected with the W32.Blaster.Worm. Once on a system, W32.Welchia.Worm deletes msblast.exe, attempts to download the DCOM RPC patch from Microsoft’s Windows Update Web site, installs the patch, and then reboots the computer. The worm checks for active machines to infect by sending an ICMP echo, or PING, which may result in significantly increased ICMP traffic. ICMP is a TCP/IP protocol used to send Internet messages.

“Although corporations may have perimeter defences in place, in response to the W32.Blaster.Worm, internal infections are still running high,” said Batchelar. “Deployment of the security patch in large, geographically dispersed environments is expected to take weeks to months to complete. Both the W32.Blaster.Worm and W32.Welchia.Worm are clear examples of why comprehensive security measures need to be deployed at various tiers of the network including policy compliance for remote access users.”

W32.Welchia.Worm propagates through TCP port 135 on Windows XP and Windows 2000 machines that have not patched the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability.

Additionally, the worm propagates through TCP port 80 on Microsoft IIS 5.0 systems that have not patched the Microsoft Windows WebDav (ntdll.dll) Buffer Overflow Vulnerability.

Symantec DeepSight Threat Management System is currently reporting anomalous levels in the number of source IPs targeting both TCP Port 80 and the Microsoft Windows Web Dav Buffer Overflow Vulnerability. TCP Port 135 continues to be a prominently targeted port due to the activities of both W32.Blaster.Worm and W32.Welchia.Worm.

Administrators are strongly urged to ensure that patches have been applied to systems vulnerable to either the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability and Microsoft Windows WebDav Buffer Overflow Vulnerability.

W32.Welchia.Worm Removal Tool
Symantec Security Response has posted a removal tool for W32.Welchia.Worm. The removal tool is available from: About Symantec
Symantec, the world leader in Internet security technology, provides a broad range of content and network security software and appliance solutions to enterprises, individuals and service providers. The company is a leading provider of client, gateway and server security solutions for virus protection, firewall and virtual private network, vulnerability management, intrusion detection, Internet content and email filtering and remote management technologies as well as security services to enterprises and service providers around the world. Symantec’s Norton brand of consumer security products is a leader in worldwide retail sales and industry awards. Headquartered in Cupertino, Calif., Symantec has worldwide operations in 36 countries. For more information, please visit

© Scoop Media

Business Headlines | Sci-Tech Headlines


ScoopPro: Helping The Education Sector Get More Out Of Scoop

The ScoopPro professional license includes a suite of useful information tools for professional users of Scoop including some specifically for those in the education sector to make your Scoop experience better. More>>

Big Tax Bill Due: Destiny Church Charities Deregistered

The independent Charities Registration Board has decided to remove Destiny International Trust and Te Hahi o Nga Matamua Holdings Limited from the Charities Register on 20 December 2017 because of the charities’ persistent failure to meet their annual return obligations. More>>

57 Million Users' Data: Uber Breach "Utterly Preventatable"

Cybersecurity leader Centrify says the Uber data breach of 57 million customer and driver records - which the ride-hailing company hid for more than a year - was “utterly preventable”. More>>

Scoop 3.0: How You Can Help Scoop’s Evolution

We have big plans for 2018 as we look to expand our public interest journalism coverage, upgrade our publishing infrastructure and offer even more valuable business tools to commercial users of Scoop. More>>

Having A Cow? Dairy Product Prices Slide For Fourth Straight Auction

Dairy product prices fell at the Global Dairy Trade auction, retreating for the fourth straight auction amid signs of increased production... Whole milk powder fell 2.7 percent to US$2,778 a tonne. More>>


Statistics: Butter At Record $5.67/Block; High Vegetable Prices

Rising dairy prices have pushed food prices up 2.7 percent in the year to October 2017, Stats NZ said today. This followed a 3.0 percent increase in the year to September 2017. More>>


Science: New Research Finds Herbicides Cause Antibiotic Resistance

New University of Canterbury research confirms that the active ingredients of the commonly used herbicides, RoundUp, Kamba and 2,4-D (glyphosate, dicamba and 2,4-D, respectively), each alone cause antibiotic resistance at concentrations well below label application rates. More>>