Your web site had virus


chin
20-08-2003, 16:29
The story goes like this :

One customer called up and said that when he logged in to our Control Panel, his Norton Anti Virus (NAV) would detect a virus.

I did a check on our server end and nothing was wrong.

Today he called again to say he gets that virus alert 'only' when he visits our sites.

BTW the virus is the famous w32.welchia.worm which affects WinXP and 2000 PCs.

Anyway I logged in to his CP and I, also using XP, do not have the same problem.

So what I suspect is that his XP PC has already been infected somehow...

royong
20-08-2003, 21:39
This WELCHIA worm has been giving me a headache. Ask your customer to check

(a) his registry to see if these keys exist
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcPatch
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcTftpd

(b) do a search on his pc to see if this file exists
%System%\wins\dllhost.exe

If he does, then he is WORMED !!!!

Do the following

1. Go to microsoft, download and patch using these 2 links
DCOM RPC vulnerability
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

WebDav vulnerability
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-007.asp

2. Once patched up, download the automated removal tool from Symantec
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

or if he prefers, he can do it manually...

Disable System Restore (Windows XP).
Update the virus definitions.
Restart the computer or end the Worm process.
Run a full system scan and delete all the files detected as W32.Welchia.Worm.
Delete the values from the registry.
Delete the Svchost.exe file.

Please take note -- the SVCHOST.EXE file is in the %System%\Wins folder -- there is a legitimate SVCHOST.EXE file that resides in the %System%\System32 folder, so be careful which one you delete.

As usual, you are advised to practise due diligence and I bear no responsibility.

(I used the manual method the entire day to clear up close to 40 PCs on Windows 2000 - so that is a tried and tested way.)
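As an added example (not code from the thread or from royong), a read-only PowerShell check for the indicators listed above: the two service registry keys and the files dropped in the %System%\wins folder. It assumes %System% means System32 under the Windows directory, and it only reports, it does not delete or stop anything.

```powershell
# Added example: report W32.Welchia.Worm indicators named in the thread.
# Run in an elevated PowerShell prompt on the suspect host. Read-only.

# Assumption: %System% in the thread = <SystemRoot>\System32
$system = Join-Path $env:SystemRoot 'System32'

$indicators = @(
    # Bogus services the worm registers (key names from the thread)
    @{ Kind = 'Registry'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\RpcPatch' },
    @{ Kind = 'Registry'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\RpcTftpd' },
    # Files dropped under %System%\wins (both names mentioned in the thread)
    @{ Kind = 'File'; Path = Join-Path $system 'wins\dllhost.exe' },
    @{ Kind = 'File'; Path = Join-Path $system 'wins\svchost.exe' }
)

function Test-WelchiaIndicators {
    # Returns one object per indicator that is present on this machine
    foreach ($i in $indicators) {
        if (Test-Path -LiteralPath $i.Path) {
            [pscustomobject]@{ Kind = $i.Kind; Path = $i.Path }
        }
    }
}

$hits = @(Test-WelchiaIndicators)
if ($hits.Count -eq 0) {
    'No Welchia indicators found.'
} else {
    'Possible W32.Welchia.Worm infection - indicators present:'
    $hits | Format-Table -AutoSize

    # Guard against the mistake the thread warns about: the legitimate
    # svchost.exe lives in System32 itself, never in the wins subfolder.
    # Show both side by side so the operator knows which copy is which.
    $legit = Join-Path $system 'svchost.exe'
    $wormy = Join-Path $system 'wins\svchost.exe'
    Get-Item -LiteralPath $legit, $wormy -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

    # State of the worm's services, if they are registered (read-only query)
    Get-Service -Name RpcPatch, RpcTftpd -ErrorAction SilentlyContinue |
        Select-Object Name, DisplayName, Status | Format-Table -AutoSize
}
```

A machine with no hits for any of the four indicators is not proven clean, only free of the artifacts this thread describes; the full NAV scan in royong's steps is still the confirmation.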

chin
20-08-2003, 22:13
Yes, but I think, not being so technically inclined, the client will have a hard time following all these instructions.

Nevertheless he has told me he is going to reinstall his PCs again. I will call him tomorrow to find out what the status is.