Some customers have reported seeing an unusually high number of ICMP sessions in the NetScreen firewall session table. This is believed to be caused by a variant of the W32 Blaster worm called the Nachi worm (a.k.a. the Welchia worm).
On low-end devices such as, but not limited to, the NetScreen 5, 5XP, 5XT, 5GT and 25 models, the session table can easily be filled up by infected PCs.
Users should take measures to block, in both directions at the perimeter network devices, all of the ports used by the recent W32 worms, particularly TCP 135 and UDP 69, as well as the other ports listed in the CERT Advisory.
Desktop PCs should receive the latest updates from their respective vendors to clean infected PCs and prevent further infection.
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html
A policy can be added on the firewall to deny ICMP packets, or at least ICMP echo requests, from leaving the firewall and entering the internal network.
Enforce filtering on perimeter network devices such as routers and firewalls as recommended in RFC 2267 (network ingress filtering against source address spoofing).
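As an added example (not part of the original advisory or of NetScreen's product), the following Python script shows how a defender can pick out the echo requests described in the ISC excerpt below (type 8, code 0, data field filled entirely with 0xAA) from raw IPv4 packets and count them per source, which points at the hosts filling the session table. The packets, addresses and the 64-byte payload length are constructed for the demonstration, and the probe threshold is an arbitrary choice.

```python
import ipaddress
import struct
from collections import Counter

WELCHIA_FILL_BYTE = 0xAA  # the '170' fill byte reported by the ISC sensors

def parse_ipv4_icmp(pkt):
    """Return (src, icmp_type, icmp_code, data) for an IPv4 ICMP packet, or None for anything else."""
    if len(pkt) < 20:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, src, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 1:
        return None
    icmp = pkt[ihl:total_len]            # skip IP options, drop any trailing link-layer padding
    if len(icmp) < 8:
        return None
    return str(ipaddress.IPv4Address(src)), icmp[0], icmp[1], icmp[8:]

def is_welchia_probe(pkt):
    """True for an echo request (type 8, code 0) whose entire data field is 0xAA."""
    parsed = parse_ipv4_icmp(pkt)
    if parsed is None:
        return False
    _, itype, code, data = parsed
    return (itype, code) == (8, 0) and len(data) > 0 and set(data) == {WELCHIA_FILL_BYTE}

def suspect_sources(packets, threshold):
    """Sources that sent at least `threshold` matching probes: the hosts filling the session table."""
    hits = Counter(parse_ipv4_icmp(p)[0] for p in packets if is_welchia_probe(p))
    return {src: n for src, n in hits.items() if n >= threshold}

def make_packet(src, dst, proto, body):
    """Constructed-sample builder: IPv4 header without options, checksum zeroed (fine for offline parsing)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + body

def icmp_echo(data):
    return bytes([8, 0, 0, 0, 0, 1, 0, 1]) + data   # type 8, code 0, checksum 0, id 1, seq 1

# Constructed sample traffic: one infected host sweeping three neighbours with 0xAA-filled echo
# requests, one ordinary ping carrying the usual ASCII fill, and one TCP packet that must be ignored.
SAMPLE_PACKETS = [
    make_packet("192.0.2.10", "192.0.2.%d" % i, 1, icmp_echo(bytes([WELCHIA_FILL_BYTE]) * 64))
    for i in (1, 2, 3)
] + [
    make_packet("192.0.2.20", "192.0.2.1", 1, icmp_echo(b"abcdefghijklmnopqrstuvwabcdefghi")),
    make_packet("192.0.2.30", "192.0.2.1", 6, b"\x00" * 20),
]
```

Calling suspect_sources(SAMPLE_PACKETS, 3) returns {'192.0.2.10': 3} for the constructed sample; on real traffic, feed it the raw IP packets captured at the firewall and set the threshold to the scan rate you consider abnormal.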
*****************************
Excerpt from Internet Storm Center
*****************************
Over the last few hours, sensors detected a remarkable increase in ICMP traffic. At this point, we assume that the traffic is linked to the 'Nachi' worm:
http://vil.nai.com/vil/content/v_100559.htm
The worm is also known as 'Welchia' (http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html).
While the investigation is still in progress, we did identify so far the following characteristics:
- some of the traffic is spoofed
- the data content is all '170' (0xAA)
- ICMP echo requests (type 8, code 0)
Virus Information from ISS
http://xforce.iss.net/xforce/alerts/id/150
http://isc.sans.org/diary.html?date=2003-08-18
Virus Information
Virus Name: W32/Nachi.worm
Risk Assessment: Corporate User: Medium; Home User: Medium
Discovery Date: 08/18/2003
Origin: Unknown
Length: 10,240 bytes (UPXed)
Type: Virus
SubType: Internet Worm
Minimum DAT: 4286 (release date 08/18/2003)
Minimum Engine: 4.1.60
Description Added: 08/18/2003
Description Modified: 08/18/2003 10:53 AM (PT)
Virus Characteristics:
This detection is for another virus that exploits the MS03-026 vulnerability.
It is not related to the W32/Lovsan.worm.d variant described here.
The virus is detected by the current Daily DATs as Exploit-DcomRpc virus (with scanning of compressed files enabled).
Intentions of the worm
This worm spreads by exploiting a hole in Microsoft Windows. It instructs a remote target system to download and execute the worm from the infected host. Once running, the worm terminates and deletes the W32/Lovsan.worm.a process and applies the Microsoft patch to prevent other threats from infecting the system through the same hole. When the system clock reaches Jan 1, 2004, the worm will delete itself upon execution.
Symptoms
- large volumes of ICMP traffic on the network
- existence of the files and Windows services detailed above
Method Of Infection
This worm spreads by exploiting a vulnerability in Microsoft Windows. It scans the local subnet (port 135) for target machines. It sends an ICMP ping to potential victim machines, and upon a reply, sends the exploit data. A remote shell is created on the target system on TCP port 707. Victim machines are instructed to download the worm via TFTP.
Irrespective of anti-virus detection, unless the system has been patched (MS03-026), it is susceptible to the buffer overflow attack from an infected host machine. An infected machine will send packets across the local subnet to the RPC service running on port 135. When these packets are received by any unpatched system, they will cause a buffer overflow and crash the RPC service on that system. All this can occur without the worm actually being on the machine.
Applying the MS03-026 patch to the machine will prevent the RPC service from failing, in turn resolving these symptoms. It is very important that the machine be rebooted after the patch has been installed.
*************************************************************************************************************************************************************
NetScreen is not affiliated with Internet Storm Center, and is not responsible for the content on any of their sites. The above information is provided only as a courtesy to our common customers.
*************************************************************************************************************************************************************