February 17, 2004
Intruder Alert 3.6 W32_Welchia_B_Worm Policy

This policy detects the propagation of the W32.Welchia.B Worm.

W32.Welchia.B.Worm is a variant of W32.Welchia.Worm. The worm attempts to remove the W32.Mydoom.A@mm and W32.Mydoom.B@mm worms. The W32.Welchia.B.Worm exploits multiple vulnerabilities, including:

  • MS03-026 - DCOM RPC Vulnerability
  • MS03-007 - WebDAV Vulnerability
  • MS03-049 - Workstation Service Vulnerability
  • MS03-001 - Locator Service Vulnerability

NOTE: This policy works only if the Filewatch monitoring configuration instructions outlined below have been implemented.

Download ITA W32_Welchia_B_Worm Policy

Affected Platforms

Windows NT/2000/2003/XP

Description

This policy detects changes in the registry associated with the W32.Welchia.B and Welchia.C worms.

Policy Rules include:

  • Welchia_B_File_Detected
    This rule detects the creation of files associated with infection by the W32.Welchia.B and Welchia.C worms.

  • Welchia_B_Service_Added
    This rule detects the service that Welchia B and C add to an infected system.

ITA Filewatch Configuration Instructions

  1. Browse to the system folder where the ITA agent is installed.

  2. Locate the ntcrit_S.lst file.

  3. Insert the following file to be monitored:

    #windir\system32\drivers\svchost.exe
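
The same indicator can be checked outside Intruder Alert. The Python sketch below is an added example, not Symantec's policy code: it flags the path monitored in step 3 in constructed file-event and service image-path samples, and goes one step further than the policy by flagging any svchost.exe that is not in the Windows system32 folder. The function names, the C:\WINDOWS default and the sample service names are assumptions.

```python
import ntpath

# Path monitored by the Filewatch entry on this page, relative to the Windows folder.
WATCHED_REL = r"system32\drivers\svchost.exe"
# Assumption: on the platforms listed above, the genuine svchost.exe is in system32.
LEGIT_REL = r"system32\svchost.exe"

def normalize(raw, windir=r"C:\WINDOWS"):
    """Lowercase, drop quotes and arguments, expand %windir%/%SystemRoot%."""
    p = raw.strip().lstrip('"').lower()
    end = p.find(".exe")
    if end != -1:                      # cut off '" -k group' style arguments
        p = p[:end + 4]
    for var in ("%systemroot%", "%windir%"):
        p = p.replace(var, windir.lower())
    return ntpath.normpath(p)          # also collapses '..' and '/' separators

def classify(raw, windir=r"C:\WINDOWS"):
    p = normalize(raw, windir)
    root = ntpath.normpath(windir.lower())
    if p == ntpath.join(root, WATCHED_REL):
        return "welchia-path"          # exact match for the monitored file
    if ntpath.basename(p) == "svchost.exe" and p != ntpath.join(root, LEGIT_REL):
        return "misplaced-svchost"     # generalization beyond the policy
    return "ok"

def scan(file_events, services, windir=r"C:\WINDOWS"):
    """Return (kind, item, verdict) for every file path or service that is not ok."""
    findings = []
    for path in file_events:
        verdict = classify(path, windir)
        if verdict != "ok":
            findings.append(("file", path, verdict))
    for name, image_path in services.items():
        verdict = classify(image_path, windir)
        if verdict != "ok":
            findings.append(("service", name, verdict))
    return findings

# Constructed sample data; the service names are placeholders, not real indicators.
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\System32\Drivers\SVCHOST.EXE",
    r"C:\WINDOWS\system32\drivers\etc\hosts",
]
SAMPLE_SERVICES = {
    "ExampleLegit": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
    "ExampleSuspect": r'"C:\WINDOWS\system32\drivers\svchost.exe"',
    "ExampleOdd": r"C:\Temp\svchost.exe",
}

if __name__ == "__main__":
    for finding in scan(SAMPLE_FILES, SAMPLE_SERVICES):
        print(finding)
```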


Last modified on: Tuesday, 17-Feb-2004 20:11:29 PST