|Check Point Reference:||CPAI-2003-31|
|Date Published:||2 Jan 2006|
|Last Updated:||1 Jan 2013|
|Protection Provided by:|
|Who is Vulnerable?|
|Vulnerability Description||The Welchia worm uses the MS DCOM vulnerability or a WebDAV vulnerability. After infecting a computer, it searches its class B network for other live computers that are candidates for infection. It does so by sending a specific ping packet and waiting for the reply, which signals that the target is alive. The flood of pings may disrupt network connectivity.|
When this protection is enabled, IPS will identify and drop the ping packets specific to the Welchia worm.
For the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click the Protection tab and select the version of your choice.
This protection's log will contain the following information:
Attack Name: Worm Propagation Attempt.
Attack Information: Welchia/Nachi Worm ICMP packet
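
The scanning behaviour described above (one host pinging many addresses inside its own class B network) can also be spotted in flow or firewall records. The following is an added example, not Check Point code and not the IPS signature: the record layout, the 60-second window, the 50-host threshold and the sample addresses are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

WINDOW_SECONDS = 60        # assumed window, tune per network
MIN_DISTINCT_TARGETS = 50  # assumed threshold, tune per network

def same_class_b(src, dst):
    """True when dst lies in the /16 that contains src."""
    net = ipaddress.ip_network(f"{src}/16", strict=False)
    return ipaddress.ip_address(dst) in net

def find_sweepers(records, window=WINDOW_SECONDS, threshold=MIN_DISTINCT_TARGETS):
    """Sources that ping >= threshold distinct hosts in their own /16 within one window."""
    by_src = defaultdict(list)
    for ts, src, dst, icmp_type in records:
        # ICMP type 8 is an echo request; replies and other types are ignored.
        if icmp_type == 8 and src != dst and same_class_b(src, dst):
            by_src[src].append((ts, dst))
    flagged = set()
    for src, events in by_src.items():
        events.sort()
        start, counts = 0, defaultdict(int)
        for ts, dst in events:
            counts[dst] += 1
            # Slide the window: drop events older than `window` seconds.
            while ts - events[start][0] > window:
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= threshold:
                flagged.add(src)
                break
    return sorted(flagged)

def build_sample():
    """Constructed flow records: (seconds, src, dst, icmp_type)."""
    recs = []
    for i in range(80):
        recs.append((i * 0.5, "10.1.5.20", f"10.1.{i // 40}.{i % 40 + 1}", 8))  # fast sweep
        recs.append((i * 0.5, "10.1.9.9", f"10.1.9.{i % 5 + 10}", 8))   # monitor, 5 hosts
        recs.append((i * 10.0, "10.1.7.7", f"10.1.3.{i + 1}", 8))       # slow, 1 ping / 10 s
        recs.append((i * 0.5, "10.1.8.8", f"10.2.0.{i + 1}", 8))        # outside own /16
    return recs

if __name__ == "__main__":
    print(find_sweepers(build_sample()))
```

A flagged source is a candidate for investigation, not a confirmed infection; monitoring systems that legitimately ping many hosts should be allow-listed before alerting on the result.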