The following file: (%SYSDIR% is the Windows System directory)
High activity on ports 135 (RPC), 80 (HTTP) and 445 (SMB over TCP).
Let BitDefender delete all files found infected with this worm.
Note: The removal tool has been updated to remove the worm Win32.Worm.Welchia.C too.
Mihai Neagu BitDefender Virus Researcher
The worm comes by exploiting one of the following:
1. DCOM RPC vulnerability
described in MS03-026 bulletin
2. WebDav vulnerability
described in MS03-007 bulletin
3. Workstation Service vulnerability
described in MS03-049 bulletin
When infecting a machine, it copies to the following location: %SYSDIR%\Drivers\SVCHOST.EXE
and creates the service called WksPatch
so as to run each time Windows starts.
To infect othe machines, it generates random IP addresses and sends packets on ports 135, 80 and 445 to exploit vulnerable targets (see above).
It tries to remove the Mydoom
worm as well as the former version of Welchia: Win32.Worm.Welchia.A
, and downloads and applies the patches KB828035
from the Microsoft's website.
Overwrites some HTML files with the following content:
LET HISTORY TELL FUTURE !
1937.12.13 300,000 !
1945.8.6 Little boy
Let history tell future !
The worm will remove itself after June 2004.