another worm

Mike Labbe

Administrator
Forum Support Team
Forum Donor
Joined
Jun 25, 2002
Posts
18,228
From
Lincoln, RI
Business
Get The Picture
This new one is very interesting: W32.Welchia.Worm (a housekeeping trojan?)

It uses the same port 135 exploit to get into your computer, then it downloads the RPC patch (fix) from Windows Update and reboots your computer. It cleans the Blaster infection from the computer, if found. It then tries to send itself to other computers, for the same purpose.

If it sees the year is 2004, it deletes itself.

If you have a router or have already installed the July 16th patch from Microsoft, you don't have to worry about this. This one only infects Windows 2000 and XP machines.

[ 08-19-2003, 03:36 PM: Message edited by: Mike-L@GTP ]
 

CharlesL

PFG, Picture Framing God

In Memorium

Rest In Peace



Joined
Apr 9, 2001
Posts
7,255
From
Clayton, NC
As a computer-illiterate, I have a question: I went to install Ad-Aware, and was sent to a site called 'Registry Mechanic'. It was $19.95, and automatically runs itself, apparently looking for worms, caterpillars, etc., every time the computer is used, whether it's used under Janet's or my user name.
Will this absolutely protect us from these worms? I have also installed, or enabled, the built-in LAN firewall that is available with XP.
PLEASE HELP ME!! I KNOW NOTHING ABOUT THIS STUFF!!
 

PurplePerson1

SGF, Supreme Grumble Framer
Joined
Sep 18, 2001
Posts
1,990
From
Mansfield, Ohio
Ad-Aware is not for worms. It is, I think, to protect against being infested with advertisers.

Firewalls, set correctly, and antiviruses protect against most things unless stuff like worms figure out how to get around them.

By the way, you can get Ad-Aware free.

[ 08-19-2003, 05:24 PM: Message edited by: SusanNolan ]
 

Mike Labbe
Adaware has no affiliation with "Registry Mechanic" that I know of. That was probably just a pop-up ad that came up coincidentally. Registry Mechanic is also highly regarded, but it helps diagnose and repair the system Registry file, which holds many of the system settings. Most people won't need this program.

Adaware has a free version for non commercial use. I usually download it from www.download.com. Search for "ADAWARE" and the link comes up to download it.

Adaware handles "Scumware" (aka SPYWARE or ADWARE):

By definition, "spyware" refers to files that are downloaded with an application, frequently without the consent or knowledge of the user, for the purpose of reporting information back to the application's creator or some third party. The idea behind "spyware" is that your surfing habits, computer habits and who knows what else (including credit card numbers, etc.) are sent over the Internet to be seen by someone else for marketing purposes or other less than ethical reasons. Riding piggyback with legitimate programs at times, "spyware" is difficult to locate, and works in the background.

"Adware" works like spyware in that it transmits information to another person, persons or group. With adware you are sent advertisements based on your surfing habits. Adware can come bundled with legitimate programs and services on the Net. Like spyware, both are difficult to locate and operate covertly. They tend to slow computers down and cause instability.

Unlike viruses, anti-virus programs cannot locate these intrusions. Since spyware and adware are not technically viruses, and they do operate in different manners, they go undetected by these applications. The same holds true for firewalls. They cannot stop this type of software either.

The MOST important protection is a good virus scanner, such as Symantec's Norton AntiVirus. It's also healthy to check WINDOWS UPDATE every week to get any security patches that are made available. XP can be set to do this automatically.

Most of the lil critters (excluding the recent Blaster and Welchia) come in through email. There are about 200 new trojans and viri weekly, but only a few make the news every year. Nothing will truly protect you, but a weekly Adaware scan, weekly Windows Update, and weekly updates to your virus scanner will greatly help.

Some other options are a piece of equipment called a "router" which goes between your computer and the cable/dsl modem, and acts as a firewall; or a software based firewall, although less effective. There are programs to monitor what your computer is sending OUT as well, which alert you of anything out of the ordinary.

I'm sorry for such a long response.

Mike


PS: I believe the one Katman is referring to is W32.Sobig.F@mm. It's not too out of control, but spreads in the traditional way through email, sending itself out to anyone in your contact list, etc. The message will have a file attached and may say "see the attached file for details". This one self-destructs shortly before 9/11/03.

[ 08-19-2003, 07:17 PM: Message edited by: Mike-L@GTP ]
 

PurplePerson1
When I go to http://v4.windowsupdate.microsoft.com/en/default.asp there is a box that says Personalize Windows Update. It analyzes what you have and what you need that the automatic Windows Update does not do.

When I try to download these, they will not download. Is it because of my firewall? The updates took almost 2 hours today and then wouldn't install. I don't want my firewall down that long. I disabled it to install and it still didn't work.

Why is this?
 

PurplePerson1
I am using Windows XP. Only the automatic updates since June 26 have updated. The ones before that did not. I also got the patch for the worm. There is a log of what I got and didn't get. Everything else I tried to install from the website failed.
 

Webgirl

Grumbler
Joined
Nov 12, 2002
Posts
48
From
-
Susan,

Are there different "User Accounts" on your computer? If so, do you know if your user account has administrator privileges?
 

tnframer408

SGF, Supreme Grumble Framer
Joined
Dec 11, 2001
Posts
1,506
From
Knoxville TN
I'm somewhat computer stupid, but could not access some internet activities from some websites. Finally someone from Comcast told me to disable my firewall and try it.

It worked.

Would suggest you temporarily disable your firewall and see if you can get your stuff on to your computer.

My Comcast provider gave me the Microsoft download sites. Worked well and instantly. And I use XP. Let me know if you still have trouble and I will TRY--emphasis on TRY--to walk you through them because, as I said, I'm a little dumb on this.
 

PurplePerson1
The user account I am using has administrator privileges.

Michael, I will try everything you said tomorrow night. Is 2 hours too long to be without a firewall?
 

B. Newman

SGF, Supreme Grumble Framer
Joined
Sep 5, 2001
Posts
4,859
From
Kodak, Tn. USA
I was gone all day yesterday, so when I got in last night I had 12-15 e-mails (which was not unusual), but they were all "returned". I knew that I had not sent but one before I left yesterday morning.

When I looked, they were all to (and returned from) addresses that I didn't know. They did have that "Thank You" as a subject, which is what this worm/virus is supposed to use.

The return thingamajig stuff at the bottom said that they were from Outlook Express. I don't even use Outlook. And NONE of the names were in my address book, and none of MY address names were used.

This morning at 7:00am, I had 18 more returned e-mails. But none since then. Maybe it's over?

I don't see a thing different with my pc. Should I be looking for something?

PS This is only on my "regular" e-mail address. It hasn't affected the one I use for HH.

Betty

[ 08-20-2003, 09:23 AM: Message edited by: B. Newman ]
 

B. Newman
Oops, spoke too soon. Just got another one.

They are all "to" aol accounts...

Betty
 

Mike Labbe
Most likely someone is "spoofing" them and putting you in as the sender. (They are probably infected with a virus that does this without them knowing it.)

If so, don't be surprised if you get some hate mails and phone calls from people who get infected and think it's really you.

Just to be sure you're not infected, I suggest getting the newest (8/19/03) virus definition file, and doing a manual scan.

Mike
 

PEAVY

CGF II, Certified Grumble Framer Level 2
Joined
Jul 27, 2002
Posts
313
From
Wichita Falls, TEXAS
words from our server....


Internet service providers and IT professionals worldwide are dealing with a recent spread of 2 internet worms that are wreaking havoc on their networks, and in some cases bringing networks and internet service to a grinding halt. Below is some basic information about these nuisances, followed by a few news articles to inform you on the magnitude of this recent spread.

http://money.cnn.com/2003/08/21/technology/sobig/index.htm?cnn=yes
http://www.nwfusion.com/news/2003/0819navy.html
http://www.ispwifi.com/virus

W32.Sobig.F - Details from Symantec

Summary: Sobig.F is a mass-mailing worm and sends itself out to email addresses in your Windows address book and in files with the extensions .dbx, .eml, .hlp, .htm, .html, .mht, .wab and .txt.

The email message has one of the following subject lines:
Re: Details
Re: Approved
Re: Re: My details
Re: Thank you!
Re: That movie
Re: Wicked screensaver
Re: Your application
Thank you!
Your details


W32.Welchia - Details from Symantec

Summary: This worm exploits the same vulnerability as the W32.Blaster worm, but it appears that this worm tries to delete the W32.Blaster worm and install the necessary patch from Microsoft. It will also scan for other machines on the network - just like W32.Blaster - and infect vulnerable computers. While this is a clever and altruistic worm, we do not recommend that you trust it, and we recommend that you update your virus definitions via LiveUpdate immediately.
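As an added example that is not part of the thread or of Symantec's write-up, here is a small Python triage that applies the indicators quoted in this thread (the Sobig.F subject lines above, the "see the attached file for details" wording, and the presence of an attachment) to constructed sample messages, flagging a message only when two or more indicators coincide; the sample messages and the two-indicator threshold are assumptions for illustration.

```python
import email
from email import policy

# Indicators quoted in the thread: the subject lines Symantec listed for
# W32.Sobig.F, plus the body phrase and attachment behaviour Mike described.
SOBIG_F_SUBJECTS = {
    "Re: Details", "Re: Approved", "Re: Re: My details", "Re: Thank you!",
    "Re: That movie", "Re: Wicked screensaver", "Re: Your application",
    "Thank you!", "Your details",
}
BODY_PHRASE = "see the attached file for details"

def sobig_indicators(raw_message):
    """Return the list of indicator names one raw RFC 822 message matches."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip() in SOBIG_F_SUBJECTS:
        hits.append("subject")
    body = ""
    for part in msg.walk():
        if part.get_filename():           # any part carried as an attachment
            if "attachment" not in hits:
                hits.append("attachment")
        elif part.get_content_type() == "text/plain":
            body += part.get_content()
    if BODY_PHRASE in body.lower():
        hits.append("body-phrase")
    return hits

def is_suspect(raw_message):
    """Flag only when two or more indicators coincide (assumed threshold), so
    an ordinary 'Re: Thank you!' reply with no attachment is left alone."""
    return len(sobig_indicators(raw_message)) >= 2

# Constructed sample messages, not real captures.
SUSPECT = """From: friend@example.invalid
To: you@example.invalid
Subject: Re: Thank you!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached file for details.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="your_details.dat"

not-a-real-payload
--b1--
"""
LEGIT_REPLY = """From: friend@example.invalid
To: you@example.invalid
Subject: Re: Thank you!
Content-Type: text/plain

You're welcome, see you at the show.
"""
```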
 