
Finding Welchia.B on a network


bubarooni (Technical User, May 13, 2001, US)
Is there anyway to detect a machine with this virus on the network? I am hoping there is some type of network activity that I can trace back to the offending machine.

What do I look for and what do I use for software? I have Packet Sniffer Pro but had no luck using it to locate the culprit, maybe I just don't know what the heck I am doing with it though! I am also trying to use a 30 day eval of GFI LanGuard Network Security Scanner but haven't figured out how to spot the problem machine with it either.

Our network is spread over a rather large geographic area. I don't want to drive to every location and manually check all machines. It is slowing down my network and driving me crazy.

Thanks In Advance
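One way to answer the "what do I look for" part from a sniffer export, as an added example that is not code from this thread: rank every source address by how many distinct destinations it has talked to. A worm that is sweeping the network (Welchia/Nachi is known for probing whole subnets with ICMP echo requests) shows up as one host with a far higher fan-out than anything else. The CSV column names (Source, Destination, Protocol), the threshold and the sample rows below are all constructed assumptions; adjust them to whatever your capture tool actually writes.

```powershell
# Added example: find the host with the highest outbound fan-out in a capture export.
# Assumes a CSV with columns Source,Destination,Protocol (column names are an assumption).
# The rows below are constructed sample data standing in for a real export.
$sample = @"
Source,Destination,Protocol
10.0.5.23,10.0.5.1,ICMP
10.0.5.23,10.0.5.2,ICMP
10.0.5.23,10.0.5.3,ICMP
10.0.5.23,10.0.5.4,ICMP
10.0.5.23,10.0.5.5,ICMP
10.0.5.23,10.0.5.6,ICMP
10.0.5.40,10.0.1.10,TCP
10.0.5.40,10.0.1.10,TCP
10.0.5.41,10.0.1.10,TCP
10.0.5.41,10.0.1.12,TCP
"@
$packets = $sample | ConvertFrom-Csv
# For a real export use instead:  $packets = Import-Csv 'C:\captures\export.csv'  (path is hypothetical)

# A host talking to many distinct destinations in a short window is what
# "large amounts of network traffic emitting from a system" looks like on the wire.
$fanOutThreshold = 5   # assumption; tune to the size of your subnets

$report = $packets |
    Group-Object Source |
    ForEach-Object {
        $dests = @($_.Group | Select-Object -ExpandProperty Destination -Unique)
        [pscustomobject]@{
            Source       = $_.Name
            Packets      = $_.Count
            Destinations = $dests.Count
            Suspicious   = ($dests.Count -ge $fanOutThreshold)
        }
    } |
    Sort-Object Destinations -Descending

$report | Format-Table -AutoSize

# Once a source stands out, turn the address into a name so you know which site to visit:
$report | Where-Object Suspicious | ForEach-Object {
    try { [System.Net.Dns]::GetHostEntry($_.Source).HostName } catch { "$($_.Source) (no reverse DNS)" }
}
```

In the constructed sample, 10.0.5.23 is the only source that reaches the threshold (six distinct destinations, all ICMP), which is the kind of host you would then pull off the network and scan. The same grouping works on router or firewall logs as long as you can get them into source/destination columns.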
 
I looked that virus up and one of its flags is that it creates the following file:

C:\WINNT\SYSTEM32\DRIVERS\SVCHOST.EXE (12,800 bytes)

NOTE: There is a valid file of that name in the Windows SYSTEM directory.

Other flags are:

Large amounts of network traffic emitting from a system
WksPatch service name (not display name) present on system

The only way I can think of to do this would be using a login script. You could search for that file in the C:\WINNT\SYSTEM32\DRIVERS\ folder, and if found, maybe write a file to your local server with the Windows login. Or display a warning message to the user to call you at your desk.

For more information on this virus, see the following:


Terry
**************************
* General Disclaimer - Please read *
**************************
Please make sure your post is in the CORRECT forum, has a descriptive title, gives as much detail to the problem as possible, and has examples of expected results. This will enable me and others to help you faster...
 
When it says 'WksPatch service name (not display name)' what does that mean? If I look in 'Services' it won't show WksPatch in there?

Also, that batch sounds interesting. If you have the time could you explain how I would go about that?
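To illustrate the service-name versus display-name distinction the flag list relies on, here is an added example (not from the thread) that checks a machine for a service by its short service name. Every Windows service has a short name that the Service Control Manager and the registry key are based on, and a separate display name that the Services console shows in its list; the two are often different, so a service named WksPatch can be present even though nothing called "WksPatch" appears in the Services window. The remote machine name at the end is hypothetical.

```powershell
# Added example: look a service up by its service (short) name rather than its display name.
# The thread states the worm registers a service whose service name is WksPatch.
$serviceName = 'WksPatch'

# Get-Service -Name matches the short name; -DisplayName would match what the Services console shows.
$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if ($svc) {
    "Service '$serviceName' present: display name '$($svc.DisplayName)', status $($svc.Status)"
} else {
    "No service with service name '$serviceName' on this machine"
}

# The short name is also the registry key under the Services tree. ImagePath shows which
# executable the service runs, which you can compare against the DRIVERS\SVCHOST.EXE path above.
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"
if (Test-Path $key) {
    Get-ItemProperty -Path $key | Select-Object DisplayName, ImagePath, Start
}

# Same check against a remote machine from your desk (Windows PowerShell; needs admin rights
# on the target). 'PC_NAME' is a hypothetical machine name.
# Get-Service -ComputerName 'PC_NAME' -Name $serviceName -ErrorAction SilentlyContinue
```

On a machine without PowerShell the equivalent command-line checks are `sc query WksPatch` (or `sc \\PC_NAME query WksPatch` for a remote machine) and `reg query HKLM\SYSTEM\CurrentControlSet\Services\WksPatch`; both take the short service name, not the display name, which is exactly why the flag list makes that distinction.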
 
You may want to check out this product:


When the NACHI/WELCHIA worm hit our network it brought our whole network down. We purchased a DCOM Scanner (not the full version) from the same company. The DCOM Scanner cost us over a $1000.00 and all this did was scan for workstations on our network that were infected with the WELCHIA/NACHI worm and for workstations that were vulnerable to the MS03-026 and MS03-039 patches. This product worked great for us and cut down the time it would have taken had we had to go to each workstation. This scanner identified the workstations we needed to run the patches and deinfect any system with a virus. The full version from the link provided I believe can be expensive depending on how many IP Addresses you want to support. But you may be able to purchase (as we did) just the scanner.
 
First of all, this batch file would be called from whatever login scripting you are running. This batch file requires being able to get the login ID or machine name at the time the code is run. It also requires that everyone have access to the server share that the "flag" files will be written to.

The code for the batch file would be something like:

Code:
@echo off
REM Welchia.B drops a copy of SVCHOST.EXE into the DRIVERS folder; the legitimate
REM SVCHOST.EXE lives in the Windows system directory, not in DRIVERS.
if exist "C:\WINNT\SYSTEM32\DRIVERS\SVCHOST.EXE" goto FileFound
goto FileNotFound

:FileFound
REM Echo the login ID and machine name to a flag file on your local server.
REM %USERNAME% and %COMPUTERNAME% are standard Windows environment variables,
REM so the flag file can be named after the login ID:
echo Welchia.B found on PC %COMPUTERNAME% logged in by %USERNAME% > "\\YourServer\SomeFolder\%USERNAME%.txt"
Date /T >> "\\YourServer\SomeFolder\%USERNAME%.txt"
Time /T >> "\\YourServer\SomeFolder\%USERNAME%.txt"

REM Or, if you would rather have one flag file per machine name:
echo Welchia.B found on PC named %COMPUTERNAME% > "\\YourServer\SomeFolder\%COMPUTERNAME%.txt"
Date /T >> "\\YourServer\SomeFolder\%COMPUTERNAME%.txt"
Time /T >> "\\YourServer\SomeFolder\%COMPUTERNAME%.txt"

goto end

:FileNotFound
:end

You could check the server directory as necessary to see if any files are created. If the file is found, I would then go to that machine and use whatever scanning software you have to remove this.

I know this is not the complete code, as I am not sure how to access the system variables that would know the login or machine name. I know it is possible... Just don't know how.

Hope that helps...

Terry
 