My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

Win32.Worm.Welchia.B

LOW
LOW
12800 bytes
(Worm.Win32.Welchia.b, W32/Nachi-B)

Symptoms

The following file: (%SYSDIR% is the Windows System directory)
%SYSDIR%\Drivers\SVCHOST.EXE

High activity on ports 135 (RPC), 80 (HTTP) and 445 (SMB over TCP).

Removal instructions:

Let BitDefender delete all files found infected with this worm.

Note: The removal tool has been updated to remove the worm Win32.Worm.Welchia.C too.

Analyzed By

Mihai Neagu BitDefender Virus Researcher

Technical Description:

The worm comes by exploiting one of the following:

1. DCOM RPC vulnerability described in MS03-026 bulletin
2. WebDav vulnerability described in MS03-007 bulletin
3. Workstation Service vulnerability described in MS03-049 bulletin

When infecting a machine, it copies to the following location:
%SYSDIR%\Drivers\SVCHOST.EXE
and creates the service called WksPatch so as to run each time Windows starts.

To infect othe machines, it generates random IP addresses and sends packets on ports 135, 80 and 445 to exploit vulnerable targets (see above).

It tries to remove the Mydoom worm as well as the former version of Welchia: Win32.Worm.Welchia.A, and downloads and applies the patches KB828035 and KB828749 from the Microsoft's website.

Overwrites some HTML files with the following content:


LET HISTORY TELL FUTURE !

1931.9.18

1937.7.7

1937.12.13 300,000 !

1941.12.7

1945.8.6 Little boy

1945.8.9 Fatso

1945.8.15

Let history tell future !



The worm will remove itself after June 2004.