
Win32.Worm.Welchia.A

HIGH
LOW
10240 (packed with upx and patched)
(W32.Welchia.Worm, W32/Nachi.worm, WORM_MSBLAST.D)

Symptoms

Presence of dllhost.exe and svchost.exe files in %system32%\wins directory (e.g. C:\Windows\System32\Wins\DllHost.exe).

Presence of two services: Network Connections Sharing with the path to executable: %system32%\wins\svchost.exe and WINS Client with the path to executable: %system32%\wins\dllhost.exe.
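The two symptoms above (the dropped files under %system32%\wins and the two services) are concrete enough to check for programmatically. The following is an added example, not a Bitdefender tool: it takes a file listing and a list of service records, flags anything that matches the indicators named on this page (the file names, the service display names, the RpcTftpd/RpcPatch entries under HKLM\SYSTEM\CurrentControlSet\Services), and on Windows can read the live Services key. The sample listing and service records are constructed; the function and field names are this example's own.

```python
"""Host-indicator check for Win32.Worm.Welchia.A (added example).

File names, service display names and registry entry names come from the
advisory above. The sample file listing and service records are constructed;
on Windows, collect_services_from_registry() reads the real Services key.
"""
import ntpath
from dataclasses import dataclass

WORM_FILES = ("svchost.exe", "dllhost.exe")               # dropped into %system32%\wins
WORM_SERVICE_NAMES = ("network connections sharing", "wins client")
WORM_SERVICE_KEYS = ("rpctftpd", "rpcpatch")              # entries under HKLM\SYSTEM\CurrentControlSet\Services


@dataclass
class ServiceRecord:
    key: str            # registry subkey name under ...\Services
    display_name: str
    image_path: str     # raw ImagePath value; may carry quotes or arguments


def _norm(path: str) -> str:
    """Lower-cased, backslash-normalised Windows path (ntpath works on any host OS)."""
    return ntpath.normcase(ntpath.normpath(path.strip()))


def _exe_from_image_path(image_path: str) -> str:
    """Strip quoting and trailing arguments from a service ImagePath, keeping the executable."""
    s = image_path.strip()
    if s.startswith('"'):
        s = s[1:].split('"', 1)[0]
    else:
        cut = s.lower().find(".exe")
        if cut != -1:
            s = s[:cut + 4]
    return _norm(s)


def _is_worm_file(path: str, system32: str) -> bool:
    wins_dir = _norm(ntpath.join(system32, "wins"))
    p = _norm(path)
    return ntpath.dirname(p) == wins_dir and ntpath.basename(p) in WORM_FILES


def suspicious_files(file_listing, system32=r"C:\Windows\System32"):
    """Return the entries of file_listing that are the worm's dropped files."""
    return [p for p in file_listing if _is_worm_file(p, system32)]


def suspicious_services(records, system32=r"C:\Windows\System32"):
    """Return (record, reasons) for every service matching at least one indicator."""
    hits = []
    for rec in records:
        reasons = []
        if rec.key.lower() in WORM_SERVICE_KEYS:
            reasons.append("registry key")
        if rec.display_name.lower() in WORM_SERVICE_NAMES:
            reasons.append("display name")
        if _is_worm_file(_exe_from_image_path(rec.image_path), system32):
            reasons.append("image path")
        if reasons:
            hits.append((rec, reasons))
    return hits


def collect_services_from_registry():
    """Windows only: enumerate HKLM\\SYSTEM\\CurrentControlSet\\Services into ServiceRecords."""
    import winreg
    records = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:          # no more subkeys
                break
            index += 1
            with winreg.OpenKey(root, name) as sub:
                def value(v):
                    try:
                        return str(winreg.QueryValueEx(sub, v)[0])
                    except OSError:  # value absent on this service
                        return ""
                records.append(ServiceRecord(name, value("DisplayName"), value("ImagePath")))
    return records


# Constructed sample data standing in for a directory listing and the Services key.
SAMPLE_FILES = [
    r"C:\Windows\System32\wins\DllHost.exe",
    r"C:\Windows\System32\wins\svchost.exe",
    r"C:\Windows\System32\svchost.exe",      # legitimate, not under wins\
    r"C:\Windows\System32\dllhost.exe",      # legitimate, not under wins\
]
SAMPLE_SERVICES = [
    ServiceRecord("RpcTftpd", "Network Connections Sharing", r"C:\Windows\System32\wins\svchost.exe"),
    ServiceRecord("RpcPatch", "WINS Client", r"C:\Windows\System32\wins\dllhost.exe"),
    ServiceRecord("Dhcp", "DHCP Client", r"C:\Windows\System32\svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for path in suspicious_files(SAMPLE_FILES):
        print("worm file:", path)
    for rec, why in suspicious_services(SAMPLE_SERVICES):
        print(f"worm service {rec.key} ({rec.display_name}): matched {', '.join(why)}")
```

The check deliberately keys on the directory, not just the file name: svchost.exe and dllhost.exe are legitimate Windows binaries in System32 itself, and only copies under the wins subdirectory are indicators. Matching the three service attributes independently means a variant that renames one of them still trips the other checks.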

Removal instructions:

  • Automatic removal method:

    The BitDefender Virus Analyse Team has released a free removal tool for this particular virus.

    Important: You will have to close all applications before running the tool (including the antivirus shields) and restart the computer afterwards. Additionally, you will have to manually delete the infected files located in archives and the infected messages from your mail client.

    The BitDefender Antiwelchia-en.exe tool does the following:

      • it detects all the known Win32.Worm.Welchia versions;
      • it kills the process from memory;
      • it deletes the files infected with Win32.Worm.Welchia;
      • it repairs the Windows registry.

    You may also need to restore the affected files.

  • Manual removal method:

    First apply the patches for the two vulnerabilities used by this worm:

    1. For DCOM RPC, download and install the patch released by Microsoft: MS03-026 (at the end of the page).
    2. For WebDAV, download and install the patch released by Microsoft: MS03-007 (at the end of the page).

    Second, remove the worm from your computer:

    1. Right-click on My Computer and select Manage from the menu. Maximize the Computer Management window that appears.
    2. In the left side of the window, click on Services and Applications. In the right side of the window, double-click on Services.
    3. In the list of services, click on the column title Name to sort the service names alphabetically. If you click twice, the service names will be sorted in reverse order.
    4. Find the service Network Connections Sharing. Right-click on it and select Properties from the menu. In the Properties window, make sure that the Path to executable is %system32%\wins\svchost.exe (e.g. C:\Windows\System32\wins\svchost.exe). Press the Stop button (if it is not disabled) to stop the service.
    5. Find the service WINS Client, make sure the Path to executable is %system32%\wins\dllhost.exe, and stop it too.
    6. Go to Start, Run and open regedit.exe. Go to the registry key:

       HKLM\SYSTEM\CurrentControlSet\Services

       and delete the values RpcTftpd and RpcPatch.
    7. Restart your computer.
    8. Go to %system32%\wins and delete the files svchost.exe and dllhost.exe.
  • Analyzed by: Mircea Ciubotariu, Mihai Neagu, Bogdan Dragu.

    Technical Description:

    On Windows XP systems, it uses the Windows DCOM RPC vulnerability described in the MS03-026 security bulletin to infect new computers.

    On systems running the IIS service, it uses the Windows WebDAV vulnerability described in the MS03-007 security bulletin to infect new computers.

    When run, it looks for the Win32.Msblast.A worm file (msblast.exe) and tries to remove it from the computer. It also attempts to download the patch for the DCOM RPC vulnerability and to install it. If the installation succeeds, it restarts the computer without notice.

    After infecting a remote computer, it opens a random TCP port between 666 and 765 on the remote computer, through which it sends commands to it.

    It uses the TFTP file transfer protocol to copy the worm body, dllhost.exe, and the TFTP server, tftpd.exe, which is renamed to svchost.exe after being copied into %system32%\wins.

    It creates two services: Network Connections Sharing, with the path to executable %system32%\wins\svchost.exe, and WINS Client, with the path to executable %system32%\wins\dllhost.exe. Both are set to run automatically, so the worm stays active even if no user is logged on to the computer.

    The worm contains some text strings: I love my wife & baby :), Welcome Chian, Notice: 2004 will remove myself:) and sorry zhongli. The last one is accurate: from the year 2004 on, it uninstalls itself from the infected machine.

    The mutex that it uses not to run twice on the same computer is named RpcPatch_Mutex.
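The infection sequence described above (exploit over DCOM RPC or WebDAV, TFTP transfer of dllhost.exe and tftpd.exe, then a connection to the victim's command port in the 666 to 765 range) can be correlated from connection logs. The following is an added example, not Bitdefender's code: it parses a constructed key=value log format, classifies each event into one of those three stages, and reports attacker/victim pairs that show both the TFTP drop and the command-port access. The assumption that the victim downloads the two files from the infecting host's TFTP server is this example's reading of the description; the log format, sample lines and function names are constructed.

```python
"""Correlate connection-log lines into the Welchia infection chain (added example).

Stages, per the description above: exploit attempt (TCP 135 for DCOM RPC,
TCP 80 for WebDAV on IIS), TFTP download of dllhost.exe and tftpd.exe, then a
connection from the infecting host to the victim's command port (TCP 666-765).
The key=value log format and the sample lines are constructed for this example.
"""
import re
from collections import defaultdict

WORM_PAYLOADS = {"dllhost.exe", "tftpd.exe"}     # files fetched over TFTP
EXPLOIT_PORTS = {135, 80}                         # DCOM RPC (MS03-026), WebDAV over IIS (MS03-007)
COMMAND_PORT_RANGE = range(666, 766)              # random backdoor port opened on the victim

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Parse one key=value log line into a dict; port fields become ints."""
    ev = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    for port_field in ("sport", "dport"):
        if port_field in ev:
            ev[port_field] = int(ev[port_field])
    return ev


def classify(ev: dict):
    """Map one event to (attacker, victim, stage), or None if it is not an indicator."""
    proto, dport = ev.get("proto"), ev.get("dport")
    src, dst = ev.get("src"), ev.get("dst")
    if not (src and dst and proto and dport):
        return None
    if proto == "tcp" and dport in EXPLOIT_PORTS:
        return (src, dst, "exploit")
    if proto == "udp" and dport == 69 and ev.get("file", "").lower() in WORM_PAYLOADS:
        # Assumption: the victim (src) pulls the worm files from the infecting host's TFTP server (dst).
        return (dst, src, "tftp")
    if proto == "tcp" and dport in COMMAND_PORT_RANGE:
        return (src, dst, "command")
    return None


def detect(lines):
    """Return {"chains": ..., "tftp_only": ...}.

    chains:    (attacker, victim) pairs with both the TFTP drop and command-port access,
               mapped to the sorted list of stages seen.
    tftp_only: pairs where only the worm-file TFTP request was seen (weaker indicator).
    """
    stages = defaultdict(set)
    for line in lines:
        hit = classify(parse_line(line))
        if hit:
            attacker, victim, stage = hit
            stages[(attacker, victim)].add(stage)
    chains = {pair: sorted(s) for pair, s in stages.items() if {"tftp", "command"} <= s}
    tftp_only = {pair: sorted(s) for pair, s in stages.items()
                 if "tftp" in s and pair not in chains}
    return {"chains": chains, "tftp_only": tftp_only}


# Constructed sample log: one full chain, some benign traffic, and one drop without follow-up.
SAMPLE_LOG = [
    "ts=2003-08-18T10:00:01 src=10.0.0.5 dst=10.0.0.9 proto=tcp sport=3021 dport=135",
    "ts=2003-08-18T10:00:02 src=10.0.0.9 dst=10.0.0.5 proto=udp sport=1043 dport=69 file=dllhost.exe",
    "ts=2003-08-18T10:00:02 src=10.0.0.9 dst=10.0.0.5 proto=udp sport=1044 dport=69 file=tftpd.exe",
    "ts=2003-08-18T10:00:04 src=10.0.0.5 dst=10.0.0.9 proto=tcp sport=3022 dport=707",
    "ts=2003-08-18T10:00:05 src=10.0.0.7 dst=10.0.0.9 proto=tcp sport=4001 dport=80",                 # ordinary web request
    "ts=2003-08-18T10:00:06 src=10.0.0.9 dst=10.0.0.8 proto=udp sport=1045 dport=69 file=boot.cfg",   # ordinary TFTP
    "ts=2003-08-18T10:00:07 src=10.0.0.12 dst=10.0.0.3 proto=udp sport=1050 dport=69 file=dllhost.exe",  # drop, no command yet
]

if __name__ == "__main__":
    result = detect(SAMPLE_LOG)
    for (attacker, victim), seen in result["chains"].items():
        print(f"infection chain: {attacker} -> {victim}, stages {seen}")
    for (attacker, victim), seen in result["tftp_only"].items():
        print(f"worm file pulled over TFTP: {victim} from {attacker}, stages {seen}")
```

Requiring the TFTP drop and the command-port connection together keeps ordinary web traffic on port 80 and unrelated TFTP transfers out of the verdict; a TFTP request for the two worm file names on its own is still reported, because it is specific enough to be worth a look even before the command port shows up.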