
Security management Toolkit

Networks must counter triple threat

John McCormick

Published: 21 Aug 2003 12:40 BST


Welchia
A worm released with the intention of fixing computers infected with Blaster is making the rounds and is causing far more damage than Blaster did. Welchia (also known as W32/Welchia.worm10240, W32/Nachi.worm, WORM_MSBLAST.D, and Lovsan.D) attempts to remove Blaster and download/install the required system patch.

The problem with Welchia, besides the fact that it's just another cyberthreat, is that it takes over the "patched" system and uses it to scan the Internet for other Blaster-infected systems -- and the bandwidth consumption is bringing individual systems and networks to their knees. Symantec has a report on Welchia, which includes a link to a removal tool and detailed manual removal instructions.

Sobig.F
The latest version of Sobig can infect a system only if a user opens a malicious email and then opens an attachment. Like other versions of Sobig, this one comes complete with an email client and attempts to spread itself to email addresses gleaned from the compromised computer.

The attachment always seems to be a filename ending in .pif, and the subject lines are intelligently designed to get people to open the attachment. Some examples are: RE: Details, RE: Approval, RE: Thank You, and RE: Your Application.
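A mail-gateway check built from the indicators above, as an added example that is not part of the original article: it quarantines any message carrying a .pif attachment and flags the quoted subject lines for review. The function names, verdict labels and sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject lines quoted in the article; treated as a weak signal on their own.
LURE_SUBJECTS = {"re: details", "re: approval", "re: thank you", "re: your application"}
BLOCKED_EXTENSIONS = (".pif",)  # the attachment type the article describes

def blocked_attachments(msg):
    """Return declared attachment filenames whose final extension is blocked."""
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        # Windows ignores trailing dots and spaces, so strip them before matching.
        if name and name.lower().rstrip(". ").endswith(BLOCKED_EXTENSIONS):
            hits.append(name)
    return hits

def assess(raw_bytes):
    """Return (verdict, blocked_filenames) for one raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = blocked_attachments(msg)
    if hits:
        return "quarantine", hits
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    return ("flag" if subject in LURE_SUBJECTS else "deliver"), hits

def build_sample(subject, filename=None):
    """Build a constructed sample message (not a captured Sobig.F email)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("Please see the attached file for details.")
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subject, filename in [("RE: Details", "details.pif"),
                              ("Re: Approval", None),
                              ("Minutes", "notes.TXT.PIF"),
                              ("Quarterly report", "report.pdf")]:
        print(subject, filename, assess(build_sample(subject, filename)))
```

The subject match alone only flags a message, because short reply-style subjects are common in legitimate mail; the attachment extension is the deciding signal.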

This is a very large worm (72K). Removing it from systems will be a complex undertaking, since you'll have to disconnect each compromised PC from any network before cleaning it. Details and removal instructions are available at the following security sites:

Final word
These three worms have brought down networks large and small. The information, links, and instructions provided here can help you avoid these nasty little devils or remove them if they have already infected systems on your network.
