Like most people, we’ve been fighting the latest Windows worm at work for the last few days. We never got the Blaster worm that seemed to cause most people so much trouble. Instead, we were hit by Welchia (aka Nachi), a variant that was actually designed to clean up after Blaster. Welchia was designed to infect vulnerable computers and automatically download the patch from Microsoft. Instead, it just killed our network.
We’ve been installing the patch and cleaning off the worm with a program from Network Associates called Stinger since last Wednesday. This has been pretty effective, but there were still a few infected computers on the network. We tried using the “process of elimination” to find the infected machines by unplugging different parts of the network and waiting for our connection to improve. That proved pretty much impossible since there were several infected computers in different locations.
After fighting it this way for most of the day, I finally decided to do something different. I had played with a packet analyzer called Ethereal in the past and decided to give it another try. After a few minutes of downloading and installing I had it going. Within the first minute of capturing traffic I received over 6000 ICMP queries from only two computers. These two obviously had the worm. Two phone calls later these were patched and cleaned.
After that our network connection was almost perfect. I sat around and surfed the Internet for a while longer waiting for the connection to go down again. When it did, I captured another minute’s worth of data and quickly found two more infected computers.
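The approach above (capture for a minute, look for the sources generating a flood of ICMP echo requests) can be scripted so it does not depend on eyeballing the capture. The script below is an added example, not code from the original post or from the Ethereal project: it reads the kind of one-line packet summaries a packet analyzer can export, counts echo requests and distinct targets per source, and flags hosts whose request rate and target spread look like an ICMP sweep rather than someone pinging a gateway. The column layout it parses, the thresholds, and the sample traffic (two constructed infected hosts plus benign pings and web traffic) are all assumptions made for the example.

```python
"""Find ICMP-sweeping hosts in a packet-analyzer summary export.

Added example, not code from the original post. Input is the kind of
one-line packet summary a packet analyzer like Ethereal/Wireshark can
export; the column layout assumed here ("<time> <src> <dst> <proto> <info>")
and the sample traffic are constructed for the example.
"""
import re
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r"^(?P<time>\d+\.\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<info>.*)$"
)


@dataclass
class SourceStats:
    """Echo-request activity observed for one source address."""
    echo_requests: int = 0
    destinations: set = field(default_factory=set)


def parse_summary_lines(text):
    """Yield (time, src, dst, proto, info) tuples; lines that do not match are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield float(m["time"]), m["src"], m["dst"], m["proto"], m["info"]


def icmp_echo_stats(text):
    """Count echo requests and distinct targets per source; replies and non-ICMP are ignored."""
    stats = {}
    for _t, src, dst, proto, info in parse_summary_lines(text):
        if proto != "ICMP" or "request" not in info.lower():
            continue
        s = stats.setdefault(src, SourceStats())
        s.echo_requests += 1
        s.destinations.add(dst)
    return stats


def capture_duration(text):
    """Seconds between the first and last parsed packet, at least 1 s."""
    times = [t for t, *_ in parse_summary_lines(text)]
    if not times:
        return 1.0
    return max(max(times) - min(times), 1.0)


def flag_scanners(text, min_rate_per_sec=20.0, min_distinct_dsts=50):
    """Return sources whose echo-request rate and target spread look like a sweep.

    Both thresholds must be met: a host that pings one gateway often is not
    a scanner, and a host that touches many targets slowly is only a weak
    signal on its own. The default thresholds are assumptions to tune per site.
    """
    duration = capture_duration(text)
    flagged = {}
    for src, s in icmp_echo_stats(text).items():
        rate = s.echo_requests / duration
        if rate >= min_rate_per_sec and len(s.destinations) >= min_distinct_dsts:
            flagged[src] = {
                "echo_requests": s.echo_requests,
                "distinct_dsts": len(s.destinations),
                "rate_per_sec": round(rate, 1),
            }
    return flagged


def constructed_capture():
    """Build a constructed one-minute capture: two sweeping hosts plus benign traffic."""
    lines = []
    # Benign: a workstation pinging its gateway once a second, plus some web traffic.
    for i in range(5):
        lines.append(f"{i:.3f} 10.0.1.40 10.0.1.1 ICMP Echo (ping) request")
        lines.append(f"{i + 0.001:.3f} 10.0.1.1 10.0.1.40 ICMP Echo (ping) reply")
        lines.append(f"{i + 0.5:.3f} 10.0.1.40 192.0.2.10 TCP 1234 > 80 [SYN]")
    # Infected hosts (constructed addresses): each sends 3000 echo requests in 60 s,
    # walking through consecutive addresses the way an ICMP-sweeping worm does.
    for src in ("10.0.1.15", "10.0.3.22"):
        for i in range(3000):
            dst = f"10.0.{i // 254}.{i % 254 + 1}"
            lines.append(f"{i * 0.02:.3f} {src} {dst} ICMP Echo (ping) request")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, detail in sorted(flag_scanners(constructed_capture()).items()):
        print(src, detail)
```

Run against a real export, the two flagged addresses are the ones to phone about; the benign workstation pinging its gateway stays below the distinct-target threshold even though it pings steadily, which is why the rate check alone is not enough.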
Tomorrow morning when everyone gets back to work, I should be able to easily track down any remaining infected computers. After that everything should be back to normal on our network. All thanks to an Open Source program.
In case anyone’s curious, I did the same thing with my home computer that I do every time a new Windows virus or worm comes around. I smiled and laughed, because I’m running Linux…