Symptoms
The following file is present (%SYSDIR% is the Windows System directory):
%SYSDIR%\Drivers\SVCHOST.EXE
High activity on ports 135 (RPC), 80 (HTTP) and 445 (SMB over TCP).
Removal instructions:
Let BitDefender delete all files found infected with this worm.
Note: The removal tool has been updated to remove the worm Win32.Worm.Welchia.C too.
Analyzed By
Mihai Neagu BitDefender Virus Researcher
Technical Description:
The worm arrives by exploiting one of the following:
1. DCOM RPC vulnerability described in the MS03-026 bulletin
2. WebDAV vulnerability described in the MS03-007 bulletin
3. Workstation Service vulnerability described in the MS03-049 bulletin
When infecting a machine, it copies itself to the following location:
%SYSDIR%\Drivers\SVCHOST.EXE
and creates a service called WksPatch so as to run each time Windows starts.
To infect other machines, it generates random IP addresses and sends packets on ports 135, 80 and 445 to exploit vulnerable targets (see above).
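As an added example (not part of the BitDefender write-up), the following Python script turns the indicators above into two checks a defender can run: a host check for the dropped file under the Drivers subdirectory (the legitimate svchost.exe lives directly in the System directory, never under Drivers) and the WksPatch service, and a network check that flags any source contacting many distinct destinations on ports 135, 80 and 445, which is what the random-address scanning looks like from a connection log. The log line format, the 20-target threshold, and the sample hosts and addresses are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Host indicators from the write-up: dropped file path (relative to the
# System directory) and the name of the persistence service.
WORM_FILE_SUFFIX = r"\drivers\svchost.exe"
WORM_SERVICE = "wkspatch"
# Ports the worm probes on randomly generated addresses.
SCAN_PORTS = {135, 80, 445}


def check_host(system_dir, files, services):
    """Return host-based findings for one machine.

    `files` is an iterable of full paths found on disk and `services` an
    iterable of installed service names; both are supplied by the caller
    (constructed in this example, enumerated by a collector in practice).
    """
    findings = []
    expected = (system_dir.rstrip("\\") + WORM_FILE_SUFFIX).lower()
    for path in files:
        # Exact match on the Drivers location; the real svchost.exe one
        # directory up is not reported.
        if path.lower() == expected:
            findings.append(f"dropped file present: {path}")
    for svc in services:
        if svc.lower() == WORM_SERVICE:
            findings.append(f"persistence service present: {svc}")
    return findings


# Assumed connection-log format: "<timestamp> <src> -> <dst>:<port> <proto>"
CONN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<proto>\w+)$"
)


def detect_scanners(log_lines, min_targets=20):
    """Flag sources that reach many distinct hosts on the worm's ports.

    Returns {src: {"targets": n, "ports": [...]}} for every source with at
    least `min_targets` distinct destinations on 135/80/445.  A normal client
    talks to a handful of servers; a scanning host fans out to many.
    """
    targets = defaultdict(set)
    ports = defaultdict(set)
    for line in log_lines:
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        port = int(m.group("port"))
        if port not in SCAN_PORTS:
            continue
        targets[m.group("src")].add(m.group("dst"))
        ports[m.group("src")].add(port)
    return {
        src: {"targets": len(dsts), "ports": sorted(ports[src])}
        for src, dsts in targets.items()
        if len(dsts) >= min_targets
    }


def build_sample_log():
    """Constructed sample: 10.0.0.5 sweeps 30 addresses on the three ports,
    10.0.0.7 is an ordinary client talking to one web server."""
    lines = []
    for i in range(30):
        port = (135, 80, 445)[i % 3]
        lines.append(
            f"2004-02-18T10:00:{i:02d} 10.0.0.5 -> 172.16.{i}.{(i * 7) % 256}:{port} tcp"
        )
    for i in range(10):
        lines.append(f"2004-02-18T10:01:{i:02d} 10.0.0.7 -> 10.0.0.20:80 tcp")
    return lines


if __name__ == "__main__":
    # Constructed host inventory: a clean svchost.exe plus the worm's copy.
    sample_files = [
        "C:\\WINDOWS\\system32\\svchost.exe",
        "C:\\WINDOWS\\system32\\Drivers\\SVCHOST.EXE",
    ]
    sample_services = ["Spooler", "WksPatch"]
    for finding in check_host("C:\\WINDOWS\\system32", sample_files, sample_services):
        print(finding)
    for src, info in detect_scanners(build_sample_log()).items():
        print(f"{src}: {info['targets']} distinct targets on ports {info['ports']}")
```

Both checks are deliberately conservative: the file check requires the exact Drivers path rather than matching any svchost.exe, and the scan check counts distinct destinations rather than packet volume, so a busy but legitimate server is not flagged.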
It tries to remove the Mydoom worm as well as the former version of Welchia, Win32.Worm.Welchia.A, and downloads and applies the patches KB828035 and KB828749 from Microsoft's website.
It overwrites some HTML files with the following content:
LET HISTORY TELL FUTURE !
1931.9.18
1937.7.7
1937.12.13 300,000 !
1941.12.7
1945.8.6 Little boy
1945.8.9 Fatso
1945.8.15
Let history tell future !
The worm will remove itself after June 2004.