Excessive and Constant Ping Alerts

Name: William A Baurle
Date: October 28, 2003 at 12:17:10 Pacific
OS: Win Me
CPU/Ram: AMD Athlon Processor 128
Comment:

For the past month or so my firewall (ZA, free version) has been logging excessive and continuous Ping Echo Request alerts, at the rate of two to four per minute. The source IP numbers vary, except that the first two digits are always the same, and are the same as my ISP number. No one else that I know is being pinged this excessively. Most people I talk to only get a few ping alerts.

My friend who runs Windows XP suggests that I have somehow "invited" or "enabled" this incessant pinging, probably accidentally, although how or why he has no clue. I have no clue either. He also claims that his firewall logs no pings whatsoever.

My question, and I apologize if my extreme ignorance of technical matters is in evidence here, is this:

Is Win Me open to incoming ICMP messages by default, or does it have to be somehow "enabled" to receive them? Is there a way to block ICMP messages in the system itself, or do I have to depend on my firewall to constantly block them? I am not so much concerned about the pings, which I realize may not be threatening at all, as I am about the fact that since Zone Alarm has been logging all of these ping echo requests I am not seeing the other alerts I used to get, like port scans and internet background noise. The only alerts I get are the pings, and they are non-stop.

Since this began I have uninstalled Zone Alarm and re-downloaded it, but things are the same.

All virus scans are fine, and my AV is always updated; PC Pitstop gives me only the usual "increase Memory" suggestion; and I routinely clean out any spyware or adware that my Spy-bot detects. The system seems to be running fine in every other respect.

I would be grateful for any insights. Thanks.



Response Number 1
Name: capt
Date: October 28, 2003 at 12:44:08 Pacific
Reply:

Go to http://www.grc.com/ and do the "Shields UP" scan and other scans there. Check out the "free stuff" area. Another good series of firewall scans are at http://www.pcflank.com/ These scans will alert you to any problem you might have in how you have set Zone Alarm up. Most pings are usually from your ISP, and are quite normal.


Response Number 2
Name: Abnormal
Date: October 28, 2003 at 13:52:06 Pacific
Reply:

You have nothing to worry about. Windows ME is not affected.

W32.Welchia.Worm does the following:

Attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, install it, and then reboot the computer.

Checks for active machines to infect by sending an ICMP echo request, or PING, which will result in increased ICMP traffic.

Attempts to remove W32.Blaster.Worm.



Response Number 3
Name: Abnormal
Date: October 28, 2003 at 19:55:50 Pacific
Reply:

August 19, 2003
'Friendly' Welchia Worm Wreaking Havoc
By Ryan Naraine


It may be a friendly worm with good intentions but the W32.Welchia.Worm squirming through corporate networks has become a nightmare for IT administrators already struggling to clean up last week's "Blaster" virus.

What's worse, security experts say, is that the Welchia worm is using two separate vulnerabilities to infect and wreak havoc on networks around the world. In addition to sneaking in via the DCOM RPC vulnerability in some versions of Microsoft's Windows operating systems, Welchia propagates through TCP port 80 on Microsoft IIS 5.0 systems that have not patched the Microsoft Windows WebDav (ntdll.dll) Buffer Overflow Vulnerability.

Microsoft first released a patch for the WebDav vulnerability in March (updated in May this year) but unpatched systems are still at risk of infection.

Vincent Weafer, senior director of Symantec's Security Response unit, described the Welchia copycat as a "significant threat" for enterprises still struggling to clean up from Blaster.

"This worm, even though it pretends to be friendly, is even more problematic because of the propagation technique it uses. And, even if you have patched against the DCOM RPC vulnerability, you are still at risk because it uses another avenue to infect," Weafer told internetnews.com.

Welchia looks for the existence of the Msblast.exe file dropped by the W32.Blaster.Worm and deletes it from an affected system, is capable of crippling a large corporate network even if the DCOM/RPC patch is deployed.

"In some cases enterprise users have been unable to access critical network resources. This is an insidious worm that is preventing IT administrators from cleaning up after the W32.Blaster.Worm," Weafer added.

He said Welchia's propagation technique was "swamping network systems with traffic and causing denial-of-service to critical servers within organizations."

Symantec on Tuesday upgraded the W32.Welchia.Worm from a Level 2 to a Level 4 threat and reported "severe disruptions" on the internal networks of large enterprises caused by ICMP flooding.

According to Weafer, after Welchia deletes the msblast.exe virus, it then attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, install the patch and then reboot the computer. It is congesting networks because it checks for active machines to infect by sending an ICMP echo (ping) which may result in significantly increased ICMP traffic.

ICMP is a TCP/IP protocol used to send Internet messages.

"Inside large organizations, even if the perimeter is patched, this worm can still cause problems on the inside. This is very very difficult for admins," he explained.

Once the worm is identified and quarantined, he said system administrators would have to go from desktop to desktop to manually disinfect machines. "When a network is being accessed by home users or users with laptops, it makes it even more difficult for them to contain the spread of the worm," Weafer added.

Typically, he said enterprises would protect against the worm by securing the edge of the network first and then move on to critical servers. Once those areas are patched, he said an IT admin would move on to protecting desktops. That's where it is proving to be a burden, according to Weafer, especially in large corporate environments without thousands of workstations.

"It's quite a burden to locate machines and get patches deployed. And, because the vulnerability affects a host of different operating systems, even keeping track of all that becomes a nightmare. In some organizations, it will take months to completely patch the network," he declared.

Microsoft, meanwhile, defended its response to the latest worm exploits. A spokesman for said the patch for the worm and its variants has been available for over a month, and was updated last week, while urging companies to stay vigilant about updating their systems and patches regularly.

As for whether two exploits of Windows operating system versions in less than a week was a black eye for Microsoft's Trustworthy Computing, a Microsoft analyst said it was fair to raise the question.

Mike Cherry, lead analyst for operating systems at technology and strategy consulting firm Directions on Microsoft (which is not affiliated with the software company), said "it's always fair to monitor the company's progress on Trustworthy Computing, Microsoft's effort to improve the security of its products.

"I think these setbacks are raising questions in the minds of users, but I think you also have to give [Microsoft] some credit" for their progress in security, he added.

"If you look back a year ago, when the Code Red [virus] happened, their amount of information and response was worse. So they are responding better, making improvements, but I think you honestly have to say they have a ways to go."

Cherry said what he looks for is continued progress from the world's largest software company, and whether all of Microsoft's business units are working in tandem on security responses.



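The pattern discussed in this thread (echo requests arriving a few per minute from many different addresses that share the first two octets) can be checked directly from a firewall log. The following is an added example, not part of any post above: it groups ICMP echo requests by the first two octets of the source and reports count, distinct sources and rate. The log format is a simplified, constructed CSV (not ZoneAlarm's own format), the addresses are made up, and the thresholds in `sweep_like` are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, source IP, protocol, ICMP type.
SAMPLE_LOG = """\
2003-10-28 12:00:05,10.20.31.7,ICMP,8
2003-10-28 12:00:25,10.20.112.40,ICMP,8
2003-10-28 12:00:50,10.20.5.201,ICMP,8
2003-10-28 12:01:10,10.20.77.13,ICMP,8
2003-10-28 12:01:20,172.16.9.9,TCP,
2003-10-28 12:01:40,10.20.200.2,ICMP,8
2003-10-28 12:02:15,10.20.64.88,ICMP,8
2003-10-28 12:02:45,192.168.3.4,ICMP,8
2003-10-28 12:03:30,10.20.18.150,ICMP,8
"""

def parse(log_text):
    """Yield (timestamp, source_ip) for ICMP echo requests (type 8) only."""
    for line in log_text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4 or fields[2] != "ICMP" or fields[3] != "8":
            continue
        yield datetime.strptime(fields[0], "%Y-%m-%d %H:%M:%S"), fields[1]

def summarize_by_prefix(log_text):
    """Group echo requests by the first two octets of the source address."""
    groups = defaultdict(lambda: {"count": 0, "sources": set(), "first": None, "last": None})
    for ts, src in parse(log_text):
        g = groups[".".join(src.split(".")[:2])]
        g["count"] += 1
        g["sources"].add(src)
        g["first"] = ts if g["first"] is None else min(g["first"], ts)
        g["last"] = ts if g["last"] is None else max(g["last"], ts)
    report = {}
    for prefix, g in groups.items():
        # Use at least one minute so a single event does not produce a huge rate.
        minutes = max((g["last"] - g["first"]).total_seconds() / 60.0, 1.0)
        report[prefix] = {"count": g["count"], "distinct_sources": len(g["sources"]),
                          "per_minute": round(g["count"] / minutes, 2)}
    return report

def sweep_like(report, min_sources=5, min_rate=1.0):
    """Prefixes where many different hosts ping at a steady rate (assumed thresholds)."""
    return sorted(p for p, r in report.items()
                  if r["distinct_sources"] >= min_sources and r["per_minute"] >= min_rate)

if __name__ == "__main__":
    print(sweep_like(summarize_by_prefix(SAMPLE_LOG)))
```

A prefix with many distinct sources and a steady rate points to several hosts on the same provider network probing for live machines, rather than one host or the provider's own monitoring.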

Response Number 4
Name: William A Baurle
Date: October 29, 2003 at 14:00:13 Pacific
Reply:

Thank you very much for the responses.


