Update: Beware Worms Carrying Gifts
You’ve probably heard of the computer worm that is seemingly benign: W32.Welchia.Worm targets customers infected with the W32.Blaster.Worm, deletes it, attempts to download the patch from Microsoft’s Windows Update Web site to correct the hole that allowed the worm in the first place, installs the patch, and then reboots the computer. All very nice, on the surface. But then the worm checks for active machines to infect by sending an ICMP echo, or PING, which generates a lot of traffic. That’s where the problem starts.
Symantec says it’s been receiving reports of severe disruptions on the internal networks of large enterprises caused by ICMP flooding related to the propagation of the W32.Welchia.Worm. (Read: large amounts of unnecessary traffic that slow networks to a crawl.) In some cases enterprise users have been unable to access critical network resources. “Despite its original intent, the W32.Welchia.Worm is an insidious worm that is preventing IT administrators from cleaning up after the W32.Blaster.Worm,” said Vincent Weafer, senior director, Symantec Security Response.
In large corporations it will take weeks, maybe months to install the original patch. With all this traffic on their networks, Symantec says, those patches can’t be installed. What to do if you’re infected with the W32.Welchia.Worm? Symantec has posted a removal tool. Use it. There’s no such thing as a nice worm.