Win32.Worm.Welchia.B( Worm.Win32.Welchia.b, W32/Nachi-B )
SYMPTOMS: The following file: (%SYSDIR% is the Windows System directory)%SYSDIR%\\Drivers\\SVCHOST.EXE High activity on ports 135 (RPC), 80 (HTTP) and 445 (SMB over TCP). TECHNICAL DESCRIPTION: The worm comes by exploiting one of the following:1. DCOM RPC vulnerability described in MS03-026 bulletin 2. WebDav vulnerability described in MS03-007 bulletin 3. Workstation Service vulnerability described in MS03-049 bulletin When infecting a machine, it copies to the following location: %SYSDIR%\\Drivers\\SVCHOST.EXE and creates the service called WksPatch so as to run each time Windows starts. To infect othe machines, it generates random IP addresses and sends packets on ports 135, 80 and 445 to exploit vulnerable targets (see above). It tries to remove the Mydoom worm as well as the former version of Welchia: Win32.Worm.Welchia.A, and downloads and applies the patches KB828035 and KB828749 from the Microsoft\'s website. Overwrites some HTML files with the following content:
The worm will remove itself after June 2004. Removal instructions: Let BitDefender delete all files found infected with this worm.Note: The removal tool has been updated to remove the worm Win32.Worm.Welchia.C too. ANALYZED BY: Mihai NeaguBitDefender Virus Researcher |