This policy detects the propagation of the W32.Welchia.B Worm.
W32.Welchia.B.Worm is a variant of W32.Welchia.Worm. The worm attempts to remove the W32.Mydoom.A@mm and W32.Mydoom.B@mm worms. The W32.Welchia.B.Worm exploits multiple vulnerabilities, including:
MS03-026 - DCOM RPC Vulnerability
MS03-007 - WebDav Vulnerability
MS03-049 - Workstation Service Vulnerability
MS03-001 - Locator Service Vulnerability
NOTE: This policy only works if the instructions for configuration for Filewatch monitoring have been implemented. These instructions are outlined below.
Download ITA W32_Welchia_B_Worm Policy
This policy detects changes in the registry associated with the W32.Welchia.B and Welchia.C Worm.
Policy Rules include:
This rule detects the creation of files associated with the infection of the W32.Welchia.B and Welchia.C worm.
This rule detects the service that Welchia B and C add to an infected system.
- Browse to the system folder where the ITA agent is installed.
- Locate the ntcrit_S.lst file.
- Insert the following file to be monitored:
Last modified on: Tuesday, 17-Feb-2004 20:11:29 PST
[an error occurred while processing this directive]
©1995 - Symantec Corporation