AN RPC "good" worm that claims it will fix the "bad" Blaster worm poses a real threat to computer systems, it has emerged. Dualism aside, a worm is a worm. The RPC worm Welchia tries to infect a computer and issue a patch against the DCOM RPC vulnerability. It then apparently removes itself from the computer, but virus experts say any worm lacks merit.
Ken Dunham, malicious code intelligence manager at iDefense, told the INQUIRER: "Welchia doesn't attempt to remove itself from an infected computer until the year 2004. This may be an attempt for the worm to spread in the wild, patch vulnerable computers, until most computers successfully update against the RPC vulnerability exploited by DCOM RPC based worms." He says that Welchia creates dllhost.exe and svchost.exe in the WINNTSystem32Wins directory and opens port 707 on the infected computer. Monitoring TCP ports 707 and 135 may help identify the presence of malicious code related to this worm.
He advises folk should update against the DCOM RPC vulnerability as fast as possible.
Source:
http://www.theinquirer.net/?article=11100
Hybrid Mode
