Beware another worm loose on web !!!


Experienced member
Symantec Virus Warning....see extract of text from Symantec alert below..

Virus Warning! W32.Welchia.Worm - Category 4 Virus

This message is intended for customers who have not already protected themselves from the recent W32.Blaster.Worm.

Symantec has upgraded the W32.Welchia.Worm from a Level 2 to a Level 4 threat [On a scale of 1-5, 5 being highest].

The W32.Welchia.Worm targets customers infected with the W32.Blaster.Worm. Once on a system, W32.Welchia.Worm deletes msblast.exe (the W32.Blaster.Worm virus), attempts to download the patch from Microsoft's Windows Update Web site, installs the patch, and then reboots the computer. After the computer restarts the virus propagates through TCP port 135 on Windows XP and Windows 2000 machines that have not patched the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability.
Sobig-F worm

The most active one at the moment is the so called Sobig-F Worm. It really exploded in the last 24 hours. It spreads through email (I received a few hundred in the last 4 hours) and collects addresses from outlook express and the like, to spread itself further.

To automatically remove this virus from your system in case of infection there is a free cleaning program at

That is in case your own virus protection program did not take care of it already. I was lucky to had mine updated yesterday evening.

Best regards,
Anyone know why certain files keep getting deleted??
I know I also have the welchia virus but it wont shift!! very annoying..
Currently my graphics driver keeps getting removed, xp desktop theme and rarely my mouse driver.
Damb frustrating.. Norton does not detect anything abnormal... AVG doesnt detect anything. Have all patches etc.
But I can see it listed in my task manager. Followed all the instructions on how to get rid but no joy

Help needed but only till tuesday when i get me new all singin all dancin computer

Thanks in advance
It seems a bit strange that you have this and both AVG and Norton wont detect it. Are you upto date with the AVG download ? The reason I ask is that I have found AVG to be excellent. If you know you have the virus are you able to use an antivirus boot floppy ? I know that this allows removal of certain viruses without booting up Windows.

AVG already gets rid of the Sobig-F

Yeh tried all sorts its just frustrating that it wont be removed...
AVG was all upto date, thought id try norton same thing... just done there free on line virus scan and still nothing but ZA is still blocking it access to the net so at least ive caught the blighter this time.

After next tue wont be a problem but I'm intendin on having this as a back up machine in case the new one goes on me so I would like to have this ticketyboo before i put the dust cover on it

Thanks for the suggstion i'll just drop kick it and see what happens :LOL:
Are you on XP?

Sorry just noticed you are.
You must turn off System Restore before killing the worm.
Which application is Zonealarm asking to allow to access the internet ?

Just a reminder, you usually need to turn off system restore to tackle these things AND sometimes you MUST run the floppy removal software in "SAFE MODE". Why? because the virus is loaded along with windows drivers etc. These drivers are NOT loaded in safe mode and hence the virus is not loaded. Just a guide line, as mostly the damage is done and long gone...
NewtronB, why are you using two AV packages?
Look in the Quarantine folder to see if you have had the virus and it got removed..... There are bugs in Norton AV and sometimes it will report a virus on your machine, but actually it's only in the quarantine folder. Go there and delete all entries and try a re run of AV....
Nasty Bast****
Thanks all,
Only just got my machine to rune this morning and explorer would function properly so i could respond to you all last night.

Yes all of the above has been done, in safe mode and in normal mode, system restore is off.

I usually delete anything in the quarantine so that has not been an issue. I have had AVG and thought i'd get a second opinion and currently norton is running but not at the same time

Thank you all agian for your advice

... just reread your post CM i'll try the removal tool on the floppy only thing ive not tried.

got a lightening quick reply from one of there senior members telling me to repair or delete certain file but the software provided sorts that out for you.

Thanks for pointing this out i think it is worth a bookmark in anyones problem fixing folder


Can you tell us which application Zonealarm is asking to access the web as this may have an impact on solving your problem ?

something to do with the DCOM which am led to believe is the patch for the blaster... ZA's more info option tells me it is the welchia virus trying to access the net.

The attached is the running process's i have at the moment.. I was told that the svchost near the bottom of the list is the problem and when closing the last of them down the msblaster kicks in, but the msblaster does not show up when i search for the file to delete it manually.


  • task man.gif
    task man.gif
    43 KB · Views: 351

Try the following:

1) Ensure you are not connected to the internet

2) Set the date in your bios to January 30th 2004

3) Reboot

4) Shut down Zonealarm (this is important)

4) Run AVG complete scan

5) Shut down and reboot

6) reset the date to now

I know this sounds strange but I did this on a friends pc and it worked. Whist Zonealarm is running then AVG cannot disable the virus (I dont know why but it cant) also this worm is set to delete itself in Jan 2004 which just helps.

Good Luck