New viruses and how to treat and protect against them

http://sudaneseonline.com/cgi-bin/sdb/2bb.cgi?seq=msg&board=2&msg=1061843245&rn=0

Post: #1
Title: New viruses and how to treat and protect against them
Author: wa7shny
Date: 08-25-2003, 09:27 PM

When W32.Welchia.Worm is executed, it performs the following actions:

1. Copies itself to:
   %System%\Wins\Dllhost.exe

   NOTE: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

2. Makes a copy of %System%\Dllcache\Tftpd.exe as %System%\Wins\svchost.exe.

   NOTE: Tftpd is a legitimate program, which is not malicious, and therefore Symantec antivirus products will not detect it.

3. Adds the subkeys:
   RpcPatch
   and:
   RpcTftpd
   to the registry key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

4. Creates the following services:

   Service Name: RpcTftpd
   Service Display Name: Network Connections Sharing
   Service Binary: %System%\wins\svchost.exe
   This service will be set to start manually.

   Service Name: RpcPatch
   Service Display Name: WINS Client
   Service Binary: %System%\wins\dllhost.exe
   This service will be set to start automatically.

5. Ends the process Msblast and deletes the %System%\msblast.exe file, which W32.Blaster.Worm drops.

6. Selects the victim IP address in two different ways: the worm uses either A.B.0.0 from the infected machine's IP of A.B.C.D and counts up, or it will construct a random IP address based on some hard-coded addresses.
   After selecting the start address, the worm counts up through a range of Class B-sized networks; for example, if the worm starts at A.B.0.0, it will count up to at least A.B.255.255.

7. Sends an ICMP echo request, or PING, to check whether the constructed IP address is an active machine on the network.

8. Once the worm identifies a machine as being active on the network, it will either send data to TCP port 135, which exploits the DCOM RPC vulnerability, or it will send data to TCP port 80 to exploit the WebDav vulnerability.

9. Creates a remote shell on the vulnerable host that will reconnect to the attacking computer on a random TCP port, between 666 and 765, to receive instructions.

10. Launches the TFTP server on the attacking machine and instructs the victim machine to connect and download Dllhost.exe and Svchost.exe from the attacking machine. If the file %System%\dllcache\tftpd.exe exists, the worm may not download svchost.exe.

11. Checks the computer's operating system version, Service Pack number, and System Locale. It also attempts to connect to Microsoft's Windows Update and download the appropriate DCOM RPC vulnerability patch.
    Once the update has been downloaded and executed, the worm will restart the computer so that the patch is installed.

12. Checks the computer's system date. If the year is 2004, the worm will disable and remove itself.


How to remove it:

Via the following link:

http://www.symantec.com/avcenter/FixWelch.exe


There is also another virus called
W32.Sobig.E@mm
and it is dangerous as well.

It is removed with the following program:
http://securityresponse.symantec.com/avcenter/FixSbigE.exe

Also
W32.Dumaru@mm

and its removal program:
http://www.symantec.com/avcenter/FxDumaru.exe

Also
W32.Mimail.A@mm
and its program:
http://www.symantec.com/avcenter/FxMimail.exe

Also
Backdoor.Winshell.50

and its removal program:
http://www.symantec.com/avcenter/FixWinsh.exe

Note: download all the programs to protect against these viruses.
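As an added example (not part of the post or of Symantec's write-up), a small Python detector that turns the Welchia propagation behaviour described above into network-side checks: a source pinging consecutive addresses inside one /16 (the A.B.0.0 count-up), followed by TCP 135/80 from that source, a reverse connection back to it on TCP 666 to 765, and a TFTP pull on UDP 69. The log line format and all addresses are constructed assumptions, not real traffic.

```python
import ipaddress
from collections import defaultdict
# Constructed firewall-style log lines (assumption, not real traffic): "<src> <dst> <proto> <dport>", dport "-" for ICMP echo.
SAMPLE_LOG = """\
10.1.2.3 10.1.0.1 icmp -
10.1.2.3 10.1.0.2 icmp -
10.1.2.3 10.1.0.3 icmp -
10.1.2.3 10.1.0.4 icmp -
10.1.2.3 10.1.0.4 tcp 135
10.1.0.4 10.1.2.3 tcp 701
10.1.0.4 10.1.2.3 udp 69
10.9.9.9 10.1.0.4 tcp 80
""".splitlines()

def parse(lines):
    """(src, dst, proto, dport) per line; dport is None for ICMP."""
    events = []
    for line in lines:
        src, dst, proto, dport = line.split()
        events.append((src, dst, proto, None if dport == "-" else int(dport)))
    return events

def welchia_sweep_sources(events, min_run=3):
    """Sources pinging a run of consecutive addresses inside one /16 (the A.B.0.0 count-up)."""
    pinged = defaultdict(set)
    for src, dst, proto, _ in events:
        if proto == "icmp":
            pinged[src].add(int(ipaddress.ip_address(dst)))
    flagged = set()
    for src, addrs in pinged.items():
        ordered, run = sorted(addrs), 1
        for a, b in zip(ordered, ordered[1:]):
            # Extend the run only if b is the next address and still in the same /16.
            run = run + 1 if b == a + 1 and (a >> 16) == (b >> 16) else 1
            if run >= min_run:
                flagged.add(src)
                break
    return flagged

def welchia_followups(events, sweepers):
    """Post-sweep stages: TCP 135/80 from a sweeper, reverse shell back on TCP 666-765, TFTP pull on UDP 69."""
    findings = []
    for src, dst, proto, dport in events:
        if src in sweepers and proto == "tcp" and dport in (135, 80):
            findings.append(("exploit_attempt", src, dst, dport))
        elif dst in sweepers and proto == "tcp" and dport and 666 <= dport <= 765:
            findings.append(("reverse_shell", src, dst, dport))
        elif dst in sweepers and proto == "udp" and dport == 69:
            findings.append(("tftp_download", src, dst, dport))
    return findings
```

On the sample log this flags 10.1.2.3 as the sweeping host and reports the three follow-up stages against and from 10.1.0.4, while the unrelated port 80 connection from 10.9.9.9 is left alone.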