Re: Welchia and Dlink 707p Cable/DSl Router
01-20-04 10:45 AM
On Thu, 18 Dec 2003 21:45:10 -0500, NoneOfBusiness
<NoneofBusiness@nob.com> wrote:
>How would w32.welchia infect a machine behind this cable/dsl router?
>The reason I ask is that I installed Windows XP from scratch, ran
>windowsupdate to get all patches and then discovered I had been
>infected sometime during the installation of said patches. Is it
>possible that something on Windowsupdate did it? That's a disturbing
>thought and I am not quite sure how it could be done knowing how
>welchia works but it was my understanding that welchia would not be
>able to get to a NAT'ted machine behind the router.
>
>
>By the way this router is configured straight out of the box. No port
>forwarding, nothing, just the default rule sets.
>
>TIA
Does anyone have any thoughts on this? It's kind of disturbing that
this virus was able to get through.
01-20-04 10:45 AM
In article <5gkjuv4g9nds2b1js3nkbcnprcbhfk7tfm@4ax.com>,
NoneofBusiness@nob.com says...
> On Thu, 18 Dec 2003 21:45:10 -0500, NoneOfBusiness
> <NoneofBusiness@nob.com> wrote:
>
>
> Does anyone have any thoughts on this? It's kind of disturbing that
> this virus was able to get through.
Sure, there are several ways:
1) You have another machine that's currently infected on the same
network
2) You have port forwarding enabled to the machine
3) You used the DMZ port, which is like not having a router
4) Your source files are corrupted
5) You didn't get the patch from the real Microsoft Update site
Here is how it works:
W32.Welchia.Worm is a worm that exploits multiple vulnerabilities,
including:
* The DCOM RPC vulnerability (described in Microsoft Security Bulletin
MS03-026) using TCP port 135. The worm specifically targets Windows XP
machines using this exploit.
* The WebDav vulnerability (described in Microsoft Security Bulletin
MS03-007) using TCP port 80. The worm specifically targets machines
running Microsoft IIS 5.0 using this exploit. As coded in this worm,
this exploit will impact Windows 2000 systems and may impact Windows
NT/XP systems.
http://securityresponse.symantec.co...32.welchia.worm.html
My guess is that you didn't rid yourself of it before you started the
new install.
--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
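
Added example, not part of the original post: one way to tell the first three explanations above apart is to look at what actually connected to the new machine on the ports the worm uses. The log format, addresses and function name below are constructed for illustration and are not the D-Link router's own.

```python
import ipaddress

# Constructed sample, hypothetical format (not the D-Link's own log format):
# "timestamp src_ip dst_ip proto dst_port", one connection attempt per line.
SAMPLE_LOG = """\
2003-12-18T21:02:11 192.168.0.101 198.51.100.10 tcp 80
2003-12-18T21:05:40 192.168.0.150 192.168.0.101 tcp 135
2003-12-18T21:05:41 192.168.0.150 192.168.0.102 tcp 135
2003-12-18T21:06:02 203.0.113.77 192.168.0.101 tcp 135
2003-12-18T21:06:30 203.0.113.77 192.168.0.101 tcp 445
garbled line
"""

LAN = ipaddress.ip_network("192.168.0.0/24")   # assumed LAN range
WORM_PORTS = {135: "DCOM RPC, MS03-026", 80: "WebDAV, MS03-007"}


def inbound_worm_traffic(log_text, host, lan=LAN):
    """Return (timestamp, source, port, path) for every TCP connection to
    `host` on a port the post lists; path is "lan-peer" or "wan-forwarded"."""
    target = ipaddress.ip_address(host)
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                      # skip malformed lines
        stamp, src, dst, proto, port = fields
        try:
            src_ip, dst_ip, port = (ipaddress.ip_address(src),
                                    ipaddress.ip_address(dst), int(port))
        except ValueError:
            continue
        if dst_ip != target or proto != "tcp" or port not in WORM_PORTS:
            continue
        # A LAN source points to item 1 (another infected machine); a
        # non-LAN source reaching a NATed host points to items 2 or 3.
        path = "lan-peer" if src_ip in lan else "wan-forwarded"
        findings.append((stamp, src, port, path))
    return findings


if __name__ == "__main__":
    for finding in inbound_worm_traffic(SAMPLE_LOG, "192.168.0.101"):
        print(*finding)
```

The new machine's own outbound request to port 80 is ignored because only connections arriving at the host are counted.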
01-20-04 10:46 AM
On Wed, 24 Dec 2003 18:18:47 GMT, Leythos <void@nowhere.com> wrote:
>In article <5gkjuv4g9nds2b1js3nkbcnprcbhfk7tfm@4ax.com>,
>NoneofBusiness@nob.com says...
>
>Sure, there are several ways:
>
>1) You have another machine that's currently infected on the same
>network
>
>2) You have port forwarding enabled to the machine
>
>3) You used the DMZ port, which is like not having a router
>
>4) Your source files are corrupted
>
>5) You didn't get the patch from the real Microsoft Update site
>
>Here is how it works:
>
>W32.Welchia.Worm is a worm that exploits multiple vulnerabilities,
>including:
>
>* The DCOM RPC vulnerability (described in Microsoft Security Bulletin
>MS03-026) using TCP port 135. The worm specifically targets Windows XP
>machines using this exploit.
>
>* The WebDav vulnerability (described in Microsoft Security Bulletin
>MS03-007) using TCP port 80. The worm specifically targets machines
>running Microsoft IIS 5.0 using this exploit. As coded in this worm,
>this exploit will impact Windows 2000 systems and may impact Windows
>NT/XP systems.
>
>http://securityresponse.symantec.co...32.welchia.worm.html
>
>My guess is that you didn't rid yourself of it before you started the
>new install.
>
>
>--
That's just it though. This was a brand new hard drive for a PC. I had
just loaded Windows XP pro and was patching. At the time of infection,
no other machines were even powered on behind this router, only the
one connected to windowsupdate.
There was no port forwarding turned on for the router, and I did not
use the DMZ port. I verified all of this after the fact. If I did not
get the patch from the real MS site then I do not know how or where it
came from.
01-20-04 10:46 AM
In article <uppsuvg4m51pt8n79cctkp7lif8gucqg9f@4ax.com>,
NoneofBusiness@nob.com says...
> On Wed, 24 Dec 2003 18:18:47 GMT, Leythos <void@nowhere.com> wrote:
>
> That's just it though. This was a brand new hard drive for a PC. I had
> just loaded Windows XP pro and was patching. At the time of infection,
> no other machines were even powered on behind this router, only the
> one connected to windowsupdate.
>
> There was no port forwarding turned on for the router, and I did not
> use the DMZ port. I verified all of this after the fact. If I did not
> get the patch from the real MS site then I do not know how or where it
> came from.
If you are sure the machine was infected, and you are sure that it
didn't happen as listed above, and your copy of MS Windows XP is a
legit/legal copy, and you were behind the router when you were doing the
update (and NOTHING ELSE), then I would download the latest firmware for
the router, flash it, reboot it, and try again - if that fails you
really need to look hard at your internal network - something has to be
wrong.
--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
01-20-04 10:47 AM
On Sun, 28 Dec 2003 13:15:46 GMT, Leythos <void@nowhere.com> wrote:
>In article <uppsuvg4m51pt8n79cctkp7lif8gucqg9f@4ax.com>,
>NoneofBusiness@nob.com says...
>
>If you are sure the machine was infected, and you are sure that it
>didn't happen as listed above, and your copy of MS Windows XP is a
>legit/legal copy, and you were behind the router when you were doing the
>update (and NOTHING ELSE), then I would download the latest firmware for
>the router, flash it, reboot it, and try again - if that fails you
>really need to look hard at your internal network - something has to be
>wrong.
>
>
>--
Thanks for your response. The first thing I did after installing the
router a few months ago was upgrade the firmware. The copy of XP is a
legit copy. I guess I can double check the settings again but I have
yet to find anything that could account for this. It is a mystery.
All times are GMT.