Re: keep getting DCOM intrusions

From: Bill Sanderson (Bill_Sanderson_at_msn.com.plugh.org)
Date: 11/13/03


Date: Thu, 13 Nov 2003 00:12:20 -0500

You are infected with Welchia, I believe:

http://www.pchell.com/virus/welchia.shtml

I'm not clear which machine on your network is running ICS--if it is one of
the XP machines, you should have the ICF firewall enabled on the ICS
connection which would block this infection from the Internet side.

It won't, however, prevent your bringing the infection into the network
behind the firewall via a laptop, for example.

You need to apply MS 03-039 to all XP, 2000, NT machines to prevent
re-infection, and you need to clean them with a cleaner app from an
antivirus vendor.

Microsoft's article on this worm is:

http://www.microsoft.com/security/antivirus/nachi.asp

However, I don't find it very useful--it doesn't describe the details of the
virus, and it recommends an older patch, 03-026, which is superseded by the
one I gave.

Here are links to MS03-039, and to McAfee's Stinger virus removal tool which
will kill this thing:

http://www.microsoft.com/security/security_bulletins/ms03-039.asp

http://vil.nai.com/vil/stinger/

The MS03-039 link is especially useful--do follow the advice in the links it
gives--getting fully patched, getting the firewall up, and having functional
antivirus, are all important, and don't need to cost.

"Tomer" <tomerfink@hotmail.com> wrote in message
news:026901c3a94d$310b35a0$a301280a@phx.gbl...
> Hey all,
> This is really strange.
> 1) I have a svchost service that fills up my virtual memory
> (it gets up to 120MB!) once I kill it I can't go on the
> internet!
> 2) I use Norton Internet Security and I keep getting every
> 5 minutes a DCOM_Bufferoverflow security alert, which
> is very annoying and keeps me from using my internet
> connection properly.
> 3) I have a small home network and the computers can see
> each other and even download files, but for some reason
> suddenly my internet connection is not shared anymore
> (even though every station can see the shared connection).
> I didn't touch anything in the firewall configuration.
>
> I have two XP pro. stations, and one 98SE, an ADSL
> connection with ICS turned on.
>
>
> What the hell is going on?
> Thanks,
> Tomer Fink,


