Check Point Advisories

Welchia Worm

Check Point Reference: CPAI-2003-31
Date Published: 2 Jan 2006
Severity: Medium
Last Updated: 1 Jan 2013
Vulnerability Description

The Welchia worm exploits the MS DCOM vulnerability or a WebDAV vulnerability. After infecting a computer, it searches its class B network for other live computers that are candidates for infection. It does so by sending a specific ping packet and waiting for the reply that signals the target is alive. The flood of pings may disrupt network connectivity.
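
The sweep described above can also be spotted in ICMP flow logs. The following is an added example, not Check Point code: it flags any source that sends echo requests to many distinct addresses inside its own /16 within a short time span. The log line format, the window and the threshold are assumptions, and the sample lines are constructed.

```python
import ipaddress
from collections import defaultdict

def make_sample():
    """Constructed log lines: 'epoch_seconds src dst icmp_type' (8 = echo request)."""
    lines = []
    for i in range(60):
        # One host pings 60 distinct addresses in its own /16 within 6 seconds.
        lines.append(f"{1000 + i // 10} 10.20.5.7 10.20.{i // 30}.{i % 30 + 1} 8")
        # A monitoring host pings the same three gateways over and over.
        lines.append(f"{1000 + i} 10.20.1.250 10.20.{i % 3}.1 8")
        # A host pinging outside its own /16 does not match the described pattern.
        lines.append(f"{1000 + i // 10} 10.20.9.9 172.16.0.{i + 1} 8")
    return lines

def same_class_b(src, dst):
    """True when dst lies in the /16 (class B sized) network that contains src."""
    net = ipaddress.ip_network(f"{src}/16", strict=False)
    return ipaddress.ip_address(dst) in net

def find_sweepers(lines, window=10, threshold=50):
    """Map each source to its peak count of distinct in-/16 ping targets
    seen within any `window`-second span, keeping only counts above `threshold`."""
    events = defaultdict(list)
    for line in lines:
        ts, src, dst, icmp_type = line.split()
        if icmp_type == "8" and same_class_b(src, dst):
            events[src].append((int(ts), dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start, best = 0, 0
        for end in range(len(evs)):
            # Slide the left edge so the span stays shorter than `window` seconds.
            while evs[end][0] - evs[start][0] >= window:
                start += 1
            best = max(best, len({dst for _, dst in evs[start:end + 1]}))
        if best > threshold:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    for src, count in find_sweepers(make_sample()).items():
        print(f"{src} pinged {count} distinct hosts in its own /16")
```

Counting distinct destinations rather than packets keeps a monitoring host that pings a few fixed addresses from being flagged.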

Protection Overview

When this protection is enabled, IPS will identify and drop the Welchia worm specific ping packets.

To activate the protection, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on the Protection tab and select the version of your choice.

  1. In the IPS tab, click Protections, find the Welchia Worm protection using the Search tool, and edit the protection's settings.
  2. Install policy on all modules.

This protection's log will contain the following information:

Attack Name:  Worm Propagation Attempt.
Attack Information:  Welchia/Nachi Worm ICMP packet