  St. Edward's University

Computer Help
Virus Alerts - W32.Welchia.Worm
 

W32.Welchia.Worm is a worm that exploits multiple vulnerabilities, including:
The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm specifically targets Windows XP machines using this exploit.
The WebDAV vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80. The worm specifically targets machines running Microsoft IIS 5.0 using this exploit.
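
For network administrators, the two ports listed above give a simple network-side check. The following Python code is an added example, not part of the original alert: it flags internal hosts that contact many distinct addresses on TCP port 135 or 80 within a short window, the traffic pattern a self-propagating worm tends to produce. The log format, addresses, threshold and window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ports named in the alert: 135 (DCOM RPC, MS03-026) and 80 (WebDAV, MS03-007).
WATCHED_PORTS = {135, 80}

def sample_log():
    """Constructed log lines in an assumed format: time src dst proto dport."""
    # One host touching six different machines on 135 within a few seconds.
    lines = [f"2003-08-19T10:00:{i:02d} 10.1.4.23 10.1.4.{i} tcp 135" for i in range(1, 7)]
    # Ordinary browsing: many requests, but always to the same web server.
    lines += [f"2003-08-19T10:00:{i:02d} 10.1.4.50 10.1.9.9 tcp 80" for i in range(1, 7)]
    # Five different destinations on 135, but one per hour.
    lines += [f"2003-08-19T1{i}:00:00 10.1.4.77 10.1.5.{i} tcp 135" for i in range(1, 6)]
    lines.append("garbage line")  # malformed input must not stop the scan
    return lines

def find_sweepers(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {(src, port): most distinct destinations seen in any one window}
    for sources that reach the threshold (threshold and window are assumed values)."""
    events = defaultdict(list)
    for line in lines:
        try:
            ts, src, dst, proto, dport = line.split()
            ts, dport = datetime.fromisoformat(ts), int(dport)
        except ValueError:
            continue  # wrong field count, bad timestamp or bad port
        if proto.lower() == "tcp" and dport in WATCHED_PORTS:
            events[(src, dport)].append((ts, dst))

    flagged = {}
    for key, hits in events.items():
        hits.sort()
        start = best = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, len({dst for _, dst in hits[start:end + 1]}))
        if best >= threshold:
            flagged[key] = best
    return flagged

if __name__ == "__main__":
    for (src, port), count in find_sweepers(sample_log()).items():
        print(f"{src} contacted {count} distinct hosts on TCP {port}: check for infection")
```

A flagged host is only a candidate: confirm it with the patch and removal steps that follow.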

To protect against this worm, you need to run the Critical Updates from Microsoft Windows Update.
To update Critical Windows patches:

  1. Close all open applications.
  2. Click on the Start button and go to All Programs and select Windows
    Update.
  3. In the middle of the Microsoft Windows Update screen click on Scan for
    Updates.
  4. Pick Updates to install from the left frame. Click in the box to the
    left of Critical Updates and Service Packs.
  5. Click on Review and install updates.
  6. On the Total Selected Updates page, click on Install Now.
  7. On the License Agreement dialog box click on Accept.
  8. Windows will then download and install the updates. This may take several minutes depending on the number of updates being installed. You may be prompted to Restart your computer when the updates are
    installed.
  9. Please repeat the above steps until the Windows Update page shows that there are zero "Critical Updates and Service Packs" left.

Please call the Help Desk at 448-8443 if you need assistance with this process.

Removal Tool

I. Download the tool FixWelch.exe.

NOTE: You need administrative rights to run this tool on Windows 2000 or Windows XP.

Save the file to a convenient location, such as your downloads folder or the Windows Desktop (or removable media that is known to be uninfected, if possible).

II. Close all the running programs before running the tool.
If you are running Windows XP, then disable System Restore.

Disabling the System Restore Utility (Windows XP Users)

1. Right click the My Computer icon on the Desktop and click on Properties.
2. Click on the System Restore tab.
3. Put a check mark next to 'Turn off System Restore on All Drives'.
4. Click the 'OK' button.
5. You will be prompted to restart the computer. Click Yes.

Note: To re-enable the Restore Utility, follow steps one to five and on step three remove the check mark next to 'Turn off System Restore on All Drives'.

CAUTION: If you are running Windows XP, we strongly recommend that you do not skip this step. The removal procedure may be unsuccessful if Windows XP System Restore is not disabled, because Windows prevents outside programs from modifying System Restore.


III. Double-click the FixWelch.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run.

NOTE: If, when running the tool, you see a message that the tool was not able to remove one or more files, run the tool in Safe mode. Shut down the computer, turn off the power, and wait 30 seconds. Restart the computer in Safe mode and run the tool again. All the Windows 32-bit operating systems, except Windows NT, can be restarted in Safe mode. For instructions, read the document "How to start the computer in Safe Mode."


IV. Restart the computer.
Run the removal tool again to ensure that the system is clean.
If you are running Windows XP, then re-enable System Restore.

VI. Update your virus definitions to make sure that you are using the most current virus definitions.

 
St. Edward's University
3001 South Congress Avenue
Austin, Texas 78704
512-448-8400
Contact: helpline@stedwards.edu
Updated: 08/12/2004
© 2003, St. Edward's University