Battling Welchia on XP with ZfD 3.2

Novell Cool Solutions: Feature
By Keith Schneider


Posted: 17 Oct 2003
 

Recently I dealt with a site that was infected with the Welchia worm. Norton AntiVirus Corporate Edition could not remove it while Welchia was running, and the network was being brought to its knees by the worm's ICMP traffic.

We discovered that deleting the worm's registry keys and rebooting the Windows 2000 or XP machine shut Welchia down, so I used a ZfD 3.2 force-run application object to push out a batch file that deletes the registry keys, installs the appropriate Microsoft hotfix and, in the case of XP, reboots after a delay.

We then ran desktop scans through the NAV CE primary server on all desktops.

EXAMPLE: Here is the XP batch file. Note that the patch EXE was renamed (renaming is not required) and that the shutdown command works on XP only.

REM Apply the Microsoft hotfix (-u unattended, -f force open applications to close)
call "z:\WindowsXP blasterfix.exe" -u -f
REM Reboot after a 15-second delay (XP only)
shutdown -r -t 15

Here are the registry keys the application object deletes:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcPatch]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcPatch\Enum]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcPatch\Security]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcTftpd]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcTftpd\Enum]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcTftpd\Security]
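Putting the steps above together, here is an added, constructed batch script (not the article's own file) that checks for the Welchia service keys before doing anything, deletes the keys listed above, applies the hotfix and reboots on XP. It assumes the XP hotfix is reachable as z:\WindowsXP blasterfix.exe as in the article, uses a placeholder name for the Windows 2000 hotfix, and relies on reg.exe, which is built into XP but must be installed separately on Windows 2000.

```batch
@echo off
REM Constructed example, not the article's batch file.
REM Assumes: hotfix at "z:\WindowsXP blasterfix.exe" (from the article);
REM the Windows 2000 hotfix name below is a PLACEHOLDER to be replaced.

set FOUND=0

REM 1. Look for the Welchia service keys first, so the same force-run
REM    object is harmless on machines that are not infected.
for %%S in (RpcPatch RpcTftpd) do (
    reg query HKLM\SYSTEM\CurrentControlSet\Services\%%S >nul 2>&1
    if not errorlevel 1 set FOUND=1
)
if "%FOUND%"=="0" (
    echo Welchia service keys not present - nothing to clean.
    goto :EOF
)

REM 2. Try to stop the worm's services. This may fail while the worm is
REM    active, which is why the keys are deleted and the box rebooted.
net stop RpcTftpd >nul 2>&1
net stop RpcPatch >nul 2>&1

REM 3. Delete the service keys from the article. /f skips the prompt and
REM    removes the Enum and Security subkeys along with the parent key.
reg delete HKLM\SYSTEM\CurrentControlSet\Services\RpcPatch /f
reg delete HKLM\SYSTEM\CurrentControlSet\Services\RpcTftpd /f

REM 4. Install the hotfix, then reboot. shutdown.exe ships only with XP,
REM    so a Windows 2000 host is left for a manual restart.
ver | find "XP" >nul
if errorlevel 1 (
    call "z:\Win2000_hotfix_PLACEHOLDER.exe" -u -f
    echo Windows 2000 host: reboot manually to finish the cleanup.
) else (
    call "z:\WindowsXP blasterfix.exe" -u -f
    shutdown -r -t 15
)
```

After the reboot, the NAV CE desktop scan described above confirms that no worm files remain.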


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell