Midtown Computer Systems Enterprise

Virus microsoft.public.security.virus

 
 
  #1  
Old 03-28-04, 04:18 AM
Kaylene aka Taurarian
Attempted Intrusion "Welchia_ICMP_Scan" from your machine against
Attempted Intrusion "Welchia_ICMP_Scan" from your machine against


I have attempted to locate what the problem is but have been unable to find it.
I have run online virus scans, spybot, stinger, adaware etc.

Have run the Welchia removal tools.

Cannot find any reference to this at all. Nortons Firewall is picking up the
intrusion. NIS 2004
WinXP Operating System.


  #2  
Old 03-28-04, 10:19 AM
Bruce Chambers
Re: Attempted Intrusion "Welchia_ICMP_Scan" from your machine against
Greetings --

Are you sure of the wording of that message? Other than the
phrase "from your machine against," it sounds like NIS is warning you
of an attack on your machine.

Have you checked Task Manager to see if any of the Svchost.exe
incidents is using an unusually high number of CPU cycles? (Welchia
hijacks Svchost to send out its payload, partially because Svchost
would most likely already have been given permission to connect to the
Internet.)

Have you tried Symantec's Welchia Removal tool, just on general
principles?
http://securityresponse.symantec.com...oval.tool.html


Bruce Chambers

--
Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html


You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH


"Kaylene aka Taurarian" <taurarian@REMOVE_CAPS_hotmail.com> wrote in
message news:eDPZUKKFEHA.2540@TK2MSFTNGP12.phx.gbl...
> Attempted Intrusion "Welchia_ICMP_Scan" from your machine against
>
>
> I have attempted to locate what the problem is but have been unable
> to find it.
> I have run online virus scans, spybot, stinger, adaware etc.
>
> Have run the Welchia removal tools.
>
> Cannot find any reference to this at all. Nortons Firewall is
> picking up the
> intrusion. NIS 2004
> WinXP Operating System.
>
>



  #3  
Old 03-28-04, 05:48 PM
deirdre1952
Re: Attempted Intrusion "Welchia_ICMP_Scan" from your machine against
I've had this happen twice, once yesterday, once today. I'm using Norton Personal Firewall 2003, Windows ME. Have also run all scans, nothing found. Symantec has no information. I found this thread via Google. 

I can tell you that the attacked IP in both incidents I've had was a Yahoo IP, and that after each incident I was disconnected from Yahoo Messenger.

Firewall log entry:

Intrusion: Welchia_ICMP_Scan.
Intruder: (MY COMPUTER NAME AND IP)
Risk Level: High.
Protocol: ICMP.
Attacked IP: xxx.xxx.xxx.xxx.
Details: Attempted Intrusion "Welchia_ICMP_Scan" from your machine against xxx.xxx.xxx.xxx was detected and blocked.

It *looks* to me (not a puter wizard) like the Welchia trojan infected me and is using me to attack Yahoo. But all virus scans etc. turned up nothing. Also, I checked with DShield and my IP address isn't registered as a bad guy.

ANYBODY HAVE AN IDEA ABOUT THIS?
Thanks,
Deirdre


Quote:
Originally posted by Kaylene aka Taurarian
Attempted Intrusion "Welchia_ICMP_Scan" from your machine against


I have attempted to locate what the problem is but have been unable to find it.
I have run online virus scans, spybot, stinger, adaware etc.

Have run the Welchia removal tools.

Cannot find any reference to this at all. Nortons Firewall is picking up the
intrusion. NIS 2004
WinXP Operating System.
  #4  
Old 03-28-04, 07:04 PM
joffa
Re: Attempted Intrusion "Welchia_ICMP_Scan" from your machine against
I have just started experiencing exactly the same thing over the last 48 hours. NIS is telling me about the intrusion (and blocking it)   

Like others, I found this link through Google (the only link available)
  #5  
Old 03-28-04, 08:59 PM
joffa
Re: Attempted Intrusion "Welchia_ICMP_Scan" from your machine against
I have just started experiencing exactly the same thing over the last 48 hours. NIS is telling me about the intrusion (and blocking it)   

Like others, I found this link through Google (the only link available)
  #6  
Old 03-28-04, 09:20 PM
Taurarian
Re: Attempted Intrusion "Welchia_ICMP_Scan" from your machine against
Hi Bruce, it was my machine allegedly doing the
attacking. First thing I checked was the Task Manager.
Used the Welchia removal tool etc.
Online scans from different anti virus companies etc.
Everything came up clean.

Tracked it down to a false intrusion report; "keep
connection alive" was the culprit. It was pinging sites
in my favourites and was being interpreted as an attack.

Only happened after a live update on the Norton's site.

Kaylene

>-----Original Message-----
>Greetings --
>
> Are you sure of the wording of that message? Other than the
>phrase "from your machine against," it sounds like NIS is warning you
>of an attack on your machine.
>
> Have you checked Task Manager to see if any of the Svchost.exe
>incidents is using an unusually high number of CPU cycles? (Welchia
>hijacks Svchost to send out its payload, partially because Svchost
>would most likely already have been given permission to connect to the
>Internet.)
>
> Have you tried Symantec's Welchia Removal tool, just on general
>principles?
>http://securityresponse.symantec.com...er/venc/data/w32.welchia.worm.removal.tool.html
>
>
>Bruce Chambers
>
>--
>Help us help you:
>http://dts-l.org/goodpost.htm
>http://www.catb.org/~esr/faqs/smart-questions.html
>
>
>You can have peace. Or you can have freedom. Don't ever count on
>having both at once. -- RAH
>
>
>"Kaylene aka Taurarian" <taurarian@REMOVE_CAPS_hotmail.com> wrote in
>message news:eDPZUKKFEHA.2540@TK2MSFTNGP12.phx.gbl...

  #7  
Old 03-28-04, 09:20 PM
Taurarian
Re: Attempted Intrusion "Welchia_ICMP_Scan" from your machine against
At least I wasn't the only one then - started after a
recent update from Nortons Live Scan.
My problem was the "Keep connection alive" pinging the
sites in my favorites and being reported as an intrusion.
Everything came up clean with the scans, online virus
scans etc, removal tools - nothing came up. Everything
was clean.

>-----Original Message-----
>
>I have just started experiencing exactly the same thing over the last 48
>hours. NIS is telling me about the intrusion (and blocking it)
>
>Like others, I found this link through Google (the only link
>available)
>
>--
>joffa

  #8  
Old 03-28-04, 11:10 PM
deirdre1952
Re: Re: Attempted Intrusion "Welchia_ICMP_Scan" from your machine against
I checked, and my "Connection Keep Alive" has NOT been enabled. Unless it's been doing it on the sly, this problem is stemming from something else. I am curious to know if the others with this problem had "Connection Keep Alive" enabled or disabled during this time.
Deirdre

Quote:
Originally posted by Taurarian
At least I wasn't the only one then - started after a
recent update from Nortons Live Scan.
My problem was the "Keep connection alive" pinging the
sites in my favorites and being reported as an intrusion.
Everything came up clean with the scans, online virus
scans etc, removal tools - nothing came up. Everything
was clean.

>-----Original Message-----
>
>I have just started experiencing exactly the same thing over the last 48
>hours. NIS is telling me about the intrusion (and blocking it)
>
>Like others, I found this link through Google (the only link
>available)
>
>--
>joffa
  #9  
Old 03-29-04, 01:18 AM
Taurarian
Re: Attempted Intrusion "Welchia_ICMP_Scan" from your machine against
Deirdre
Your situation sounds different from mine as I was never
disconnected during the attacks and the attacks were
constant. Have you tried the Symantec removal tool
mentioned in Bruce's posting? Wouldn't hurt to check out
the Symantec site about the Welchia worm so you can check
the registry etc. to see if you are in fact clean.

Did you do an online virus scan?

Wouldn't hurt to look for malware/spyware etc - like
spybot seek & destroy for one (don't have links here). I
even tried Stinger!! - I was desperate.




>-----Original Message-----
>
>I've had this happen twice, once yesterday, once today. I'm using Norton
>Personal Firewall 2003, Windows ME. Have also run all scans, nothing
>found. Symantec has no information. I found this thread via Google.
>
>I can tell you that the attacked IP in both incidents I've had was a
>Yahoo IP, and that after each incident I was disconnected from Yahoo
>Messenger.
>
>Firewall log entry:
>
>Intrusion: Welchia_ICMP_Scan.
>Intruder: (MY COMPUTER NAME AND IP)
>Risk Level: High.
>Protocol: ICMP.
>Attacked IP: xxx.xxx.xxx.xxx.
>Details: Attempted Intrusion "Welchia_ICMP_Scan" from your machine
>against xxx.xxx.xxx.xxx was detected and blocked.
>
>It *looks* to me (not a puter wizard) like the Welchia trojan infected
>me and is using me to attack Yahoo. But all virus scans etc. turned up
>nothing. Also, I checked with DShield and my IP address isn't
>registered as a bad guy.
>
>ANYBODY HAVE AN IDEA ABOUT THIS?
>Thanks,
>Deirdre
>
>--
>deirdre1952

  #10  
Old 03-29-04, 01:23 PM
rowem
Re: Re: Attempted Intrusion "Welchia_ICMP_Scan" from your machine against
I have been experiencing the same difficulties since 26Mar04. I can't prove it, but I believe the problem began after downloading the latest update for Office.

My antivirus and firewall protection is always as up to date as possible (Norton/Symantec etc) and I have downloaded the Welchia removal tool as others have, but cannot kill the worm.

I noticed that all the intruder attacks were from a specific IP address and reported this as "abuse" to BTOpenworld 4 days ago but they have not replied to my complaint.

What confuses me is that Norton Personal Firewall statistics says I have not been attacked, but the Intrusion Detection log is recording an attack every 2 seconds.

I have tried enabling and also disabling Keep Connection Alive and I don't think this makes any difference.

Any advice would be welcome.
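
Added example (not part of the original thread, and not Symantec's detection logic): a Python triage of pasted alerts in the log-entry format quoted in post #3, counting how many distinct destinations the alerts name. The sample entries, the documentation-range addresses and the thresholds are constructed assumptions; the idea is that repeated pings to the same few hosts (the keep-alive case reported above) look different from one probe per address across a range.

```python
import ipaddress
import re
from collections import Counter

# Field names follow the log entry quoted in the thread; a trailing "." is dropped.
FIELD = re.compile(r"^(Intrusion|Intruder|Risk Level|Protocol|Attacked IP|Details):\s*(.*?)\.?$")

def parse_entries(text):
    """Turn pasted log text into dicts; each 'Intrusion:' line starts a new entry."""
    entries = []
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        key, value = m.groups()
        if key == "Intrusion":
            entries.append({})
        if entries:
            entries[-1][key] = value
    return entries

def triage(entries, signature="Welchia_ICMP_Scan", sweep_min_targets=20):
    """Label the destination pattern. Thresholds are illustrative assumptions."""
    targets = Counter()
    for e in entries:
        if e.get("Intrusion") == signature and e.get("Protocol") == "ICMP":
            try:
                targets[ipaddress.ip_address(e.get("Attacked IP", ""))] += 1
            except ValueError:
                pass  # masked or malformed address such as xxx.xxx.xxx.xxx
    total, distinct = sum(targets.values()), len(targets)
    if total == 0:
        pattern = "no-data"
    elif distinct >= sweep_min_targets and total / distinct < 2:
        pattern = "sweep"        # many addresses, each probed about once
    elif distinct <= 5:
        pattern = "fixed-hosts"  # the same few hosts pinged over and over
    else:
        pattern = "unclear"
    return {"alerts": total, "distinct": distinct, "pattern": pattern}

def make_entry(ip):  # constructed sample entry in the thread's format, not a real log
    return (f"Intrusion: Welchia_ICMP_Scan.\nIntruder: MYPC (10.0.0.5).\nRisk Level: High.\n"
            f"Protocol: ICMP.\nAttacked IP: {ip}.\nDetails: blocked.\n\n")

KEEPALIVE_LOG = "".join(make_entry(ip) for ip in ["192.0.2.10", "198.51.100.7"] * 15)
SWEEP_LOG = "".join(make_entry(f"203.0.113.{i}") for i in range(1, 41))
if __name__ == "__main__":
    print(triage(parse_entries(KEEPALIVE_LOG)), triage(parse_entries(SWEEP_LOG)))
```

A "fixed-hosts" result does not prove a machine is clean; it only shows the alerts name a handful of repeated destinations, which is worth comparing against hosts an application is known to ping.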
 

