w32.Welchia.worm


Post by azam » Tue, 16 Sep 2003 00:52:41



Hello,

We have Windows 2000 and Exchange 5.5. Today I ran
the FixWelchia (W32.Welchia.Worm) on the server and found
the virus, and it was removed successfully. The report shows as
follows.

The service "RpcPatch" is viral. It is deleted.
The service "RpcTftpd" is viral. It is deleted.
The tool has deleted the viral file "C:\WINNT\system32\wins\DLLHOST.EXE".
The file "C:\WINNT\System32\wins\svchost.exe" is deleted.
W32.Welchia.Worm has been successfully removed
from your computer!

Here is the report:

The total number of the scanned files: 10454
The number of deleted files: 2
The number of repaired files: 0
The number of viral processes terminated: 0
The number of viral services deleted: 2
The number of registry entries fixed: 0

Is there any problem with deleting the above-mentioned files
from the Exchange server?

Does anybody have an idea or a solution?
Thanks
azam


Post by Al Smit » Tue, 16 Sep 2003 02:20:03


The files it deleted are OK to delete.. the dllhost one is the actual
piece that infects other computers... it looks for the svchost that is
infected... better run the tool on any other PCs in your network as I'm
sure they are infected....

> Hello,

> we are having Windows 2000 and Exchange 5.5. today i run
> the FixWelchia (W32.Welchia.Worm) on the server and found
> the virus and its removed succesfully. the reports show as
> follows.

> The service "RpcPatch" is viral. It is deleted.
> The service "RpcTftpd" is viral. It is deleted.
> The tool has deleted the viral file "C:\WINNT\system32
> \wins\DLLHOST.EXE".
> The file "C:\WINNT\System32\wins\svchost.exe" is deleted.
> W32.Welchia.Worm has been successfully removed
> from your computer!

> Here is the report:

> The total number of the scanned files: 10454
> The number of deleted files: 2
> The number of repaired files: 0
> The number of viral processes terminated: 0
> The number of viral services deleted: 2
> The number of registry entries fixed: 0

> is there any problem with deleting the said above files
> from exchanger server.

> is anybody having idea and solution.
> thanks
> azam



Post by Gary William » Tue, 16 Sep 2003 02:21:48


:Hello,
:
:we are having Windows 2000 and Exchange 5.5. today i run
:the FixWelchia (W32.Welchia.Worm) on the server and found
:the virus and its removed succesfully. the reports show as
:follows.
:
:The service "RpcPatch" is viral. It is deleted.
:The service "RpcTftpd" is viral. It is deleted.
:The tool has deleted the viral file "C:\WINNT\system32
:\wins\DLLHOST.EXE".
:The file "C:\WINNT\System32\wins\svchost.exe" is deleted.
:W32.Welchia.Worm has been successfully removed
:from your computer!
:
:Here is the report:
:
:The total number of the scanned files: 10454
:The number of deleted files: 2
:The number of repaired files: 0
:The number of viral processes terminated: 0
:The number of viral services deleted: 2
:The number of registry entries fixed: 0
:
:is there any problem with deleting the said above files
:from exchanger server.
:
:is anybody having idea and solution.
:thanks

DLLHOST.EXE and SVCHOST.EXE can be deleted from the %SYSTEMROOT%\SYSTEM32\WINS
folder ONLY. Anywhere will cause problems.

See http://www.sophos.com/virusinfo/analyses/w32nachia.html for more info

Regards,

--
Gary Williams
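
The check described in the reply above, as an added example that is not part of the original posts: it parses a removal-tool report like the one quoted in this thread and confirms that every deleted file sat directly in the `wins` subfolder. The report text is a constructed sample copied from the thread (including the path wrapped across two lines); the function names and the `C:\WINNT` system root are assumptions taken from the report's own paths.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the report as pasted in the thread, with the
# DLLHOST.EXE path wrapped across two lines by the mail client.
REPORT = r'''The service "RpcPatch" is viral. It is deleted.
The service "RpcTftpd" is viral. It is deleted.
The tool has deleted the viral file "C:\WINNT\system32
\wins\DLLHOST.EXE".
The file "C:\WINNT\System32\wins\svchost.exe" is deleted.
'''


def wins_dir(systemroot=r"C:\WINNT"):
    """The only folder the reply says these two names may be deleted from."""
    return PureWindowsPath(systemroot) / "System32" / "wins"


def parse_report(text):
    """Return (service names, file paths) the tool reports as deleted."""
    # A quoted path may be split by a line wrap: rejoin it first.
    def unwrap(m):
        return m.group(0).replace("\r", "").replace("\n", "")
    text = re.sub(r'"[^"]*"', unwrap, text)
    services = re.findall(r'The service "([^"]+)" is viral', text)
    files = re.findall(r'file "([^"]+)"', text, flags=re.IGNORECASE)
    return services, [PureWindowsPath(f) for f in files]


def review(text, systemroot=r"C:\WINNT"):
    """Label each deleted file by whether it was inside the wins folder."""
    services, files = parse_report(text)
    expected = wins_dir(systemroot)
    findings = []
    for f in files:
        # PureWindowsPath compares case-insensitively, so system32 and
        # System32 are treated as the same folder.
        if f.parent == expected:
            findings.append((str(f), "expected: wins folder"))
        else:
            findings.append((str(f), "REVIEW: outside wins folder"))
    return services, findings


if __name__ == "__main__":
    svc, found = review(REPORT)
    print("services removed:", svc)
    for path, verdict in found:
        print(verdict, "-", path)
```
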


Post by Wilson Samue » Tue, 16 Sep 2003 19:33:16


Nah Azam,

Nothing will go wrong...

Enjoy!

>-----Original Message-----
>Hello,

>we are having Windows 2000 and Exchange 5.5. today i run
>the FixWelchia (W32.Welchia.Worm) on the server and found
>the virus and its removed succesfully. the reports show as
>follows.

>The service "RpcPatch" is viral. It is deleted.
>The service "RpcTftpd" is viral. It is deleted.
>The tool has deleted the viral file "C:\WINNT\system32
>\wins\DLLHOST.EXE".
>The file "C:\WINNT\System32\wins\svchost.exe" is deleted.
>W32.Welchia.Worm has been successfully removed
>from your computer!

>Here is the report:

>The total number of the scanned files: 10454
>The number of deleted files: 2
>The number of repaired files: 0
>The number of viral processes terminated: 0
>The number of viral services deleted: 2
>The number of registry entries fixed: 0

>is there any problem with deleting the said above files
>from exchanger server.

>is anybody having idea and solution.
>thanks
>azam
>.

 
 
 

1. sending emails to old address with the w32.sobig worm

I had to do a full recovery of one of my servers - after
getting the server up and running I added my exchange
server 5.5 to the system after getting that up and
running - I named new server same as old one then dcpromo
the old system renamed it changed the ip and then add the
new server back on the network.  All is running fine
except some real old and "deleted" email addresses are
being sent the w32.sobig worm (from the original sender).
Running virus software does not find anything. I have
also run the worm fix and found nothing.  Where could the
server find these addresses, and is this the behavior of
the w32.sobig?
Thanks,
Jim