Welchia worm ICMP INSPECT code update
| Attack ID: | CPAI-2003-31 |
| Publish Date: | |
| Category: | Worms |
| Vulnerable Systems: | Microsoft Windows NT 4; Microsoft Windows 2000 Professional, Server; Microsoft Windows XP Home, Professional; Microsoft Windows 2003 Server |
| Source: | SmartDefense team internal research |
| Description: | The Welchia worm uses specific ICMP ping packets to locate other computers it can infect, and thus propagates. |
| Severity: | In addition to the mass infection, the flood of pings may disrupt network connectivity. |
| Details: | The Welchia worm uses the MS DCOM vulnerability (which is already blocked by FireWall-1, see CPSA-2003-08) or a WebDAV vulnerability (which is also already blocked by FireWall-1, see CPAI-2003-18). After infecting a computer, it searches its class B network for other live computers that are candidates for infection. It does so by sending a specific ping packet and waiting for the reply that signals the target is alive. |
| Attack Detection: | Using SmartView Tracker, identify drop logs whose rule number matches the rule in which the welchia-icmp service is used, if that rule has Log in its Track column. Otherwise, identify drop logs with rule number 1999. |
| Solution: | Update your SmartDefense NG with Application Intelligence with the latest update (540000028). To do so, go to the SmartDefense tab, General, and press Update. Once the update succeeds, you will have a new service of type Other, named welchia-icmp. Use it instead of icmp-proto in rules where you allow ICMP packets. For example, if you had a rule like:
You should use:
|
| Notes: | |
| Industry Reference: | |
| Additional Information: | Information on the Welchia worm, from Symantec |
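The Attack Detection field above says to look for drop logs on the rule that uses welchia-icmp (or on rule 1999). The following added example, which is not part of the advisory or of any Check Point tool, turns that into a small triage script: it parses constructed log lines in an assumed simplified key=value export style (the real SmartView Tracker export format is not taken from this page), keeps the matching drops, and flags internal sources whose drops reach many distinct hosts, the signature of the worm's local sweep described in Details.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed key=value style. Rule 7 stands in for
# a hypothetical rule that uses the welchia-icmp service with Log enabled.
SAMPLE_LOGS = """\
action=drop rule=1999 src=10.1.4.17 dst=10.1.4.18 proto=icmp service=welchia-icmp
action=drop rule=1999 src=10.1.4.17 dst=10.1.4.19 proto=icmp service=welchia-icmp
action=drop rule=1999 src=10.1.4.17 dst=10.1.4.20 proto=icmp service=welchia-icmp
action=drop rule=7 src=10.1.4.17 dst=10.1.4.21 proto=icmp service=welchia-icmp
action=accept rule=3 src=10.1.4.50 dst=10.1.4.1 proto=icmp service=icmp-proto
action=drop rule=12 src=10.1.4.60 dst=10.1.0.5 proto=tcp service=http
action=drop rule=1999 src=10.1.9.2 dst=10.1.9.3 proto=icmp service=welchia-icmp
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def is_welchia_drop(rec, welchia_rule=None):
    """Apply the advisory's two detection cases: a drop logged on rule 1999,
    or a drop on the known rule that uses the welchia-icmp service."""
    if rec.get("action") != "drop":
        return False
    if rec.get("rule") == "1999":
        return True
    return (welchia_rule is not None
            and rec.get("rule") == str(welchia_rule)
            and rec.get("service") == "welchia-icmp")


def suspected_scanners(log_text, welchia_rule=None, min_targets=3):
    """Return {src: distinct_dst_count} for sources whose matching drops hit
    at least min_targets distinct hosts, i.e. likely infected machines
    sweeping their class B network."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if is_welchia_drop(rec, welchia_rule):
            targets[rec["src"]].add(rec["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    for src, count in suspected_scanners(SAMPLE_LOGS, welchia_rule=7).items():
        print(f"{src}: welchia-icmp drops to {count} distinct hosts")
```

Pass the number of your own welchia-icmp rule as welchia_rule so that its logged drops are counted alongside rule 1999; sources that appear here should be isolated and cleaned rather than merely blocked at the firewall.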