August 19, 2003
Intruder Alert 3.6 W32_Welchia_Worm Policy

This policy detects the propagation of the W32.Welchia.Worm.

W32.Welchia.Worm is a worm that exploits multiple vulnerabilities:

  • The worm exploits the RPC DCOM vulnerability (described in Microsoft Security Bulletin MS03-026) over TCP port 135. With this exploit, the worm specifically targets Windows XP machines.

  • The worm exploits the WebDAV vulnerability (described in Microsoft Security Bulletin MS03-007) over TCP port 80. With this exploit, the worm specifically targets machines running Microsoft IIS 5.0.

The worm attempts to download the RPC DCOM patch from Microsoft's Windows Update Web site, install it, and then reboot the computer.

Download ITA W32_Welchia_Worm Policy

Affected Platforms

Windows 2000
Windows NT

Description

This policy detects changes in the registry associated with the W32.Welchia.Worm.

Policy Rules include:

  • W32_Welchia_Worm Activity
    This rule detects the changes in the registry associated with the W32.Welchia.Worm.


Last modified on: Tuesday, 19-Aug-03 03:48:49