
W32/Nachi.worm and W32.Welchia.worm


zoeythecat

Technical User
May 2, 2002
1,666
US
Hi All,

I work for a private school. We have about 150 admin workstations and about 350 student workstations. Recently in September we realized we did not have the Microsoft Patches MS03-026, 03-007, 03-029 on all our servers and workstations campus wide. We began getting reports of the W32/Nachi.worm appearing on client workstations. So we have MCAFEE on our servers and the 150 Admin workstations. On our 350 student workstations there is a mixture of Norton and MCAFEE. Here is what we did on each workstation, including the workstations that had NORTON.
(1) Apply Patches
(2) Run MCAFEE command line virus scan (I was told by Network Associates I could run this on same systems as Norton).
* So this appeared to clean our environment of the W32/Nachi.worm virus.
* However, a few days later we began receiving calls from some students (about 7 of them) who have Norton and they reported the W32.Welchia.worm virus.

Question: Why, after running the MCAFEE command line scan, did it not detect the W32.Welchia worm? We are getting denial of service attacks again and our network is at a crawl during the day. MCAFEE states our scans should have cleaned the W32.Welchia but their scan did not detect this.

Anyone experience the same problems?

Any thoughts would be appreciated.
 
Howdy:

Did you follow the removal instructions to the letter, including isolating the infected systems (removing them from the network) and disabling System Restore on WinME and XP systems?

Murray
 
Thanks for the reply.

The answer is yes. Here are the procedures I followed from MCAFEE :

(Windows XP and Windows ME, Disabled System restore)
(1) Create scan folder and make it read only
(2) Copy latest sdat file to the scan folder
(3) Apply Microsoft patches
(4) Boot into safe mode command prompt only
(5) extract sdat file from the scan folder and run a command line scan (too many strings to list)
* This virus program detected the w32/nachi.worm virus with no problems but did not detect the w32.welchia. There is a MCAFEE stinger program as well. When you look for the list of viruses you do not see the W32.Welchia.*

So this goes to show you that not every antivirus program detects all worms. For example, if you have Norton it will detect the W32.Welchia but not the w32/nachi.worm.

Our solution right now is to go visit each workstation (very painful) like we did before and run the MCAFEE stinger program and the Symantec Removal utilities for the Welchia and Blaster. What a waste. Network Associates told me when I called them that applying the patches and running the command line virus scan would get rid of all worms. They were wrong.
 
Zoey:

What I have seen of either virus thus far is that the cleaning has to be done on each system individually, physically removing them from the network. Nothing else worked.

Murray
 
Sesaskdfc,

I completely understand that. That is exactly what we did. We went to each and every workstation, removed the workstation from the network, disabled system restore, ran the MCAFEE virus scan that was suggested by Network Associates, and cleaned all systems. What I am stating is that some workstations which have the Symantec Norton Antivirus software detected the W32.Welchia.worm even after we did a complete MCAFEE virus scan. The point is that the MCAFEE virus scan did not detect the W32.welchia.worm on systems that had the Norton product. The point being, for each system that has Norton you need to run the Norton Removal tools. But Network Associates will not tell you that. Why? Of course they will not admit that they do not include something in their virus detection code that Symantec includes.

Good thing is we just purchased some sniffer software that will save us some time as we will be able to see what workstations have the virus rather than have to go around to each workstation.

Thanks for your reply.
 
I had the same problem (thankfully not as many machines as you), the scanner didn't pick it up so I had to run the stinger app provided by Mcafee on each infected machine to remove it.

Have you downloaded and used the stinger?

There is also a tool provided by MS that will scan a subnet to see if there are any unpatched machines on the network, but I guess this isn't need as you have a full blown sniffer.
 
Ianbla,

Thanks for the replies.

(1) Yes, I got the stinger after the fact. However, the stinger still does not remove the Welchia.
(2) We did purchase a sniffer program which turned into a savior. As you note, we can see what systems are infected and need to be patched, so we did not have to go to each workstation this time.

Zoey
 
All,
Can you tell me if there's any specific port traffic to look for with the sniffer? I've got MS NetMonitor going to hunt down some box around here that's still got Nachi on it - we're 100% patched, but one box is still infected and it's infecting new installs before we get them patched.
-Steve
 
Like Blaster and Nachi, be on the lookout for activity on ports 135 and 139.

McAfee and Norton both have free virus removal tools. I've used stinger on computers protected with Norton or Sophos and it worked without a problem.
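The replies above say to watch the sniffer for activity on ports 135 and 139. One way to turn that advice into a repeatable check is to look for the fan-out pattern a scanning worm produces: a single source address probing one port across many different destinations, which a normal client does not do. The script below is an added example, not code from the original thread or from any vendor; it reads a constructed flow log in a hypothetical "src_ip,dst_ip,dst_port" format and the fan-out threshold is an assumption to be tuned per network.

```python
"""Flag hosts whose port 135/139 fan-out looks like worm scanning.

Added example for the Nachi/Welchia thread, not from the original post.
Input format (hypothetical): one flow per line, "src_ip,dst_ip,dst_port".
"""
from collections import defaultdict

SUSPECT_PORTS = {135, 139}      # ports named in the thread
FANOUT_THRESHOLD = 20           # distinct destinations; assumption, tune per LAN

# Constructed sample log: one workstation sweeping its /24 on port 135,
# one client repeatedly reaching a single file server on 139, and some
# unrelated web traffic.
SAMPLE_FLOW_LOG = "\n".join(
    [f"10.1.5.23,10.1.5.{n},135" for n in range(1, 60)]
    + ["10.1.5.40,10.1.1.2,139"] * 30
    + ["10.1.5.41,203.0.113.10,80"] * 5
    + ["# comment lines and malformed lines are skipped", "garbage line"]
)


def parse_flows(text):
    """Yield (src, dst, port) tuples, ignoring blank, comment or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) != 3:
            continue
        src, dst, port = (p.strip() for p in parts)
        try:
            yield src, dst, int(port)
        except ValueError:
            continue


def fanout_by_source(flows, ports=SUSPECT_PORTS):
    """Map each source address to the set of distinct destinations it
    contacted on the suspect ports. Repeated flows to the same host do
    not inflate the count, so a chatty but legitimate client stays low."""
    targets = defaultdict(set)
    for src, dst, port in flows:
        if port in ports:
            targets[src].add(dst)
    return targets


def suspicious_scanners(text, threshold=FANOUT_THRESHOLD):
    """Return [(src, distinct_destination_count), ...] for every source at or
    above the threshold, most active first."""
    targets = fanout_by_source(parse_flows(text))
    hits = [(src, len(dsts)) for src, dsts in targets.items() if len(dsts) >= threshold]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for src, count in suspicious_scanners(SAMPLE_FLOW_LOG):
        print(f"{src}: {count} distinct hosts probed on ports {sorted(SUSPECT_PORTS)}")
```

Counting distinct destinations rather than raw packet volume is the point: the client that talks to one file server thirty times on 139 has a fan-out of one and is never flagged, while the sweeping workstation stands out on the first pass and can be pulled from the network and cleaned.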

 
Pardon me if I've got this wrong but aren't Nachi and Welchia the same damn virus? Network Associates call it W32/Nachi and Symantec call it W32/Welchia.

It sounds like the machines have been cleaned and then re-infected cause if McAfee detected and cleaned W32/Nachi and then Norton cleaned and detected W32/Welchia ...
 
Network Associates claims this is the same virus, however, on machines that had the MCAFEE software this program does not detect the WELCHIA(DID YOU READ MY COMMENTS ABOVE????). The point is that you need to run the MCAFEE Stinger program to remove the NACHI and you need the Norton Scanner to remove the WELCHIA. We now have a SOPHOS AV program which blows away the MCAFEE and Symantec's Norton in my opinion as it detects both the WELCHIA and NACHI.
 
Have you patched your workstations with MS03-039? This patch supersedes MS03-026 as there were some flaws with it; DoS attacks could still be launched. Also Microsoft have a scanner utility that can check an IP range for whether it's patched or not. Make sure you use the MS03-039 scanner though. The reason I mention this is that when I coordinated patching our network we found that some of the installs failed because the reboot hadn't occurred. So using this scanner helped me verify this [2500 plus PCs across the country]. Check out the links below.


 
ZoeTheCat, you've completely missed my point: if you've removed Nachi, then how can you still have Welchia? They're the same thing.

Network Associates will never — afaik — detect Welchia because that is not what it thinks the virus is called.

I've had no trouble with Network Associates failing to remove this virus, but at least you're up and running with Sophos now, eh.
 
Theboy,

I'm not missing your point. You are missing my point. We have workstations that had both the WELCHIA and the NACHI. This is why we had to revisit several workstations. MCAFEE detects this virus as the NACHI but does not clean the WELCHIA. Symantec's NORTON program detects the WELCHIA but not the NACHI. Therefore, to clean our workstations we needed to run both programs (STINGER from MCAFEE and a removal utility from SYMANTEC). We have a SOPHOS antivirus program that detects both. They obviously are not the same virus. If you do a search on Network Associates' website for the Welchia, the search comes back stating this is the NACHI worm, but their virus scanner does not detect the WELCHIA worm. Sorry, but I have tested this in our environment and know this for a fact.

Hope this makes it clear to you?

Kaicolo,

Thanks for your reply. We do have a sniffer on our network now that gives us reports on what workstations have been patched with the MS03-026, MS03-007, MS03-039 and also tells us what workstations are infected with the NACHI or WELCHIA worms. Saved us a lot of leg work second time around.
 
It is like being back in a schoolyard.
Fight! Fight Fight!

Now kiss and make up [love]
 
Ah, I don't mean to be grouchy. :)

I just really don't get how you can have both Welchia and Nachi when they're two aliases for the same virus. Anybody else wanna take a shot at explaining that to me?
 
From what I've seen, some antivirus apps detect */system32/wins/svchost.exe as infected, and some do not - it is simply a copied version of a tftp service, so its location is suspicious, but in and of itself it is a legitimate file. Also, I found that McAfee was unable to clean/delete/whatever that file as it was opened as a service and I had to stop the service first. Either McAfee was unable to automatically terminate the process and Symantec was, or something similar to that probably happened. It sounds like that's the difference between Symantec and McAfee here, and the Nachi/Welchia pseudonyms are just adding to the confusion. Nachi=Welchia, per both Symantec and McAfee.

"Also known as" from Symantec's website:
W32.Welchia.worm [Symantec], W32/Nachi.worm [McAfee], WORM_MSBLAST.D [Trend], Lovsan.D [F-Secure], W32/Nachi-A [Sophos], Win32.Nachi.A [CAI], Worm.Win32.Welchia [KasperskyAV]

-Steve
 
Hmm; I've had cases of the service still being listed until reboot even though they were removed but I've never had it fail to clean.

Still, there're lots of independently minded machines out there doing things their own way. :)
 
I know what you mean, this is the first time that my McAfee client couldn't delete an "open" executable. No biggie stopping the service and then killing it, though. *shrug*
-Steve
 