What is the Welchia.B worm?
Welchia.B.Worm is a variant of Welchia.Worm. If the version of the operating system of the infected machine is Chinese, Korean, or English, the worm will attempt to download the Microsoft Workstation Service Buffer Overrun and Microsoft Messenger Service Buffer Overrun patches from the Microsoft® Windows Update Web site, install them, and then restart the computer. The worm also attempts to remove the Mydoom.A and Mydoom.B worms.
Welchia.B.Worm exploits multiple vulnerabilities, including:
- The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm specifically targets Windows XP machines using this exploit.
- The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80. The worm specifically targets machines running Microsoft IIS 5.0 using this exploit. The worm's use of this exploit will impact Windows 2000 systems and may impact Windows NT/XP systems.
- The Workstation service buffer overrun vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445.
- The Locator service vulnerability (described in Microsoft Security Bulletin MS03-001) using TCP port 445. The worm specifically targets Windows 2000 machines using this exploit.
The presence of the file %Windir%\system32\drivers\svchost.exe is an indication of a possible infection. This threat is compressed with UPX.
Also known as: Nachi.worm.b, Nachi-B, Win32.Nachi.B, WORM_NACHI.B, Win32.Welchia.b
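The three ports above (135, 80 and 445, all TCP) are the whole of the worm's propagation surface, and because it picks its targets at random, an infected host stands out on the network as one source reaching many distinct destinations on exactly those ports. The following Python script is an added example, not part of the original write-up: it runs that check over connection records. The record format (`src=... dst=... dport=... proto=...`) and the sample log are constructed for the example; the threshold of eight distinct targets is an assumption to tune for your environment.

```python
"""Flag hosts whose outbound TCP traffic fits the Welchia.B scanning pattern:
many distinct destination addresses on the three ports the worm exploits
(135/tcp for DCOM RPC, 80/tcp for WebDAV, 445/tcp for the Workstation and
Locator services). Added example; the log line format is constructed."""
import re
from collections import defaultdict

WELCHIA_B_PORTS = {135, 80, 445}

# Constructed record format (not any real firewall's syntax):
#   <timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>
LINE_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)


def parse_line(line):
    """Return (src, dst, dport, proto) or None for lines that are not connection records."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport")), m.group("proto").lower()


def find_scanners(lines, min_targets=8):
    """Return {src: {port: distinct_destinations}} for every source that reached
    at least `min_targets` distinct hosts over the worm's ports combined.
    Counting distinct destinations rather than raw connections keeps a busy
    workstation that talks to one web server from being flagged."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport, proto = rec
        if proto != "tcp" or dport not in WELCHIA_B_PORTS:
            continue
        seen[src][dport].add(dst)

    flagged = {}
    for src, by_port in seen.items():
        distinct = set().union(*by_port.values())
        if len(distinct) >= min_targets:
            flagged[src] = {port: len(dsts) for port, dsts in by_port.items()}
    return flagged


def constructed_sample():
    """Constructed log: 10.0.0.5 behaves like an infected host sweeping twelve
    addresses across 135/80/445; 10.0.0.9 is a normal workstation."""
    lines = []
    for i in range(12):
        port = (135, 80, 445)[i % 3]
        lines.append(f"2004-02-12T10:00:{i:02d} src=10.0.0.5 dst=10.2.{i}.{7 * i + 1} dport={port} proto=tcp")
    for i in range(12):
        lines.append(f"2004-02-12T10:01:{i:02d} src=10.0.0.9 dst=10.2.0.80 dport=80 proto=tcp")
    lines.append("2004-02-12T10:02:00 src=10.0.0.9 dst=10.2.0.45 dport=445 proto=tcp")
    lines.append("2004-02-12T10:02:01 src=10.0.0.9 dst=10.2.0.53 dport=53 proto=udp")
    lines.append("not a connection record")
    return lines


if __name__ == "__main__":
    for src, ports in find_scanners(constructed_sample()).items():
        print(f"{src}: possible Welchia.B scanner, distinct targets per port {ports}")
```

On the constructed sample only 10.0.0.5 is reported, with four distinct targets on each of the three ports; the workstation that hit one web server twelve times is not, because its distinct-destination count stays at two.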
How Does the Welchia.B Worm Infect My Computer?
When Welchia.B.Worm runs, it does the following:
1. Creates a mutex named "WksPatch_Mutex." This mutex allows only one instance of the worm to execute in memory.
2. Copies itself as %System%\drivers\svchost.exe.
3. Creates the following service:
   Service name: WksPatch
   Service binary: %System%\drivers\svchost.exe
   Service display name: Constructed in the form of %string1% %string2% %string3%, where:
   - %string1% is one of the following:
     - System
     - Security
     - Remote
     - Routing
     - Performance
     - Network
     - License
     - Internet
   - %string2% is one of the following:
     - Logging
     - Manager
     - Procedure
     - Accounts
     - Event
   - %string3% is one of the following:
     - Provider
     - Sharing
     - Messaging
     - Client
   For example, the service display name can be "Security Logging Sharing."
4. Deletes the service named "RpcPatch," if it exists.
5. Checks for the existence of the Mydoom.A and Mydoom.B worms by looking for the registry keys:
   - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
   - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
6. Attempts to remove the Mydoom.A and Mydoom.B worms if either of the keys in step 5 exists. The worm does this by doing the following:
   - Deletes the following files:
     - %System%\ctfmon.dll
     - %System%\Explorer.exe
     - %System%\shimgapi.dll
     - %System%\TaskMon.exe
   - Deletes the value "Taskmon" from the registry keys:
     - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
     - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
   - Restores the value:
     "@"="%SystemRoot%\System32\webcheck.dll"
     in the registry key:
     HKEY_LOCAL_MACHINE\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
   - Overwrites the HOSTS file with the following text:
     #
     #
     127.0.0.1 localhost
7. Generates random IP addresses and sends exploit data to those addresses in an attempt to infect the systems:
   - sends data to TCP port 135 to exploit the DCOM RPC vulnerability.
   - sends data to TCP port 80 to exploit the WebDav vulnerability.
   - sends data to TCP port 445 to exploit the Workstation Service vulnerability.
   - sends data to TCP port 445 to exploit the Locator service vulnerability.
8. Runs an HTTP server on a random TCP port, so that the vulnerable computers can reconnect to the infected computer, then locally download and execute the worm as WksPatch.exe.
9. If the version of the operating system of the infected machine is Japanese, searches the files in the IIS Virtual Roots and %Windir%\Help\IISHelp\common folders with the following extensions:
   - .shtml
   - .shtm
   - .stm
   - .cgi
   - .php
   - .html
   - .htm
   - .asp
10. Overwrites the files it finds with the following .htm file:
11. If the version of the operating system of the infected machine is Chinese, Korean, or English, downloads one of the following patches from Microsoft's Windows Update Web site:
    - download.microsoft.com/download/4/d/3/4d375d48-04c7-411f-959b-3467c5ef1e9a/WindowsXP-KB828035-x86-CHS.exe
    - download.microsoft.com/download/a/4/3/a43ea017-9abd-4d28-a736-2c17dd4d7e59/WindowsXP-KB828035-x86-KOR.exe
    - download.microsoft.com/download/e/a/e/eaea4109-0870-4dd3-88e0-a34035dc181a/WindowsXP-KB828035-x86-ENU.exe
    - download.microsoft.com/download/9/c/5/9c579720-63e9-478a-bdcb-70087ccad56c/Windows2000-KB828749-x86-CHS.exe
    - download.microsoft.com/download/0/8/4/084be8b7-e000-4847-979c-c26de0929513/Windows2000-KB828749-x86-KOR.exe
    - download.microsoft.com/download/3/c/6/3c6d56ff-ff8e-4322-84cb-3bf9a915e6d9/Windows2000-KB828749-x86-ENU.exe
12. Installs the patch, and then restarts the computer.
13. The worm will self-terminate on June 1, 2004, or after running 120 days, whichever comes first.
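The steps above leave a small, fixed set of host artifacts: a service named WksPatch whose binary is %System%\drivers\svchost.exe, a display name that is always one of the 8 x 5 x 4 = 160 word combinations listed in step 3, and (when the Mydoom cleanup ran) a HOSTS file reduced to three lines. Because the display name varies from one infection to the next, matching against the full generated set is more dependable than looking for any single name. The following Python script is an added example, not the write-up's own tooling: it encodes those indicators as checks over a service listing and HOSTS contents. The service record schema (`name`, `display_name`, `binary`) and the sample data are constructed; in practice the records would come from a service export such as `sc query` or a registry dump.

```python
"""Host-side indicators for Welchia.B taken from the write-up above: the
WksPatch service, its three-word display name, the worm binary at
%System%\\drivers\\svchost.exe, and the three-line HOSTS file it writes.
Added example; the service record schema is constructed."""
import itertools

STRING1 = ["System", "Security", "Remote", "Routing", "Performance", "Network", "License", "Internet"]
STRING2 = ["Logging", "Manager", "Procedure", "Accounts", "Event"]
STRING3 = ["Provider", "Sharing", "Messaging", "Client"]
# Every display name the worm can build: 8 * 5 * 4 = 160 combinations.
DISPLAY_NAMES = {" ".join(words) for words in itertools.product(STRING1, STRING2, STRING3)}

WORM_SERVICE_NAME = "wkspatch"
WORM_HOSTS_LINES = ["#", "#", "127.0.0.1 localhost"]


def is_worm_binary_path(path):
    """True when the service binary is <...>\\drivers\\svchost.exe, the path the
    write-up names as an infection indicator (the real svchost.exe is not there)."""
    parts = path.strip().lower().replace("/", "\\").split("\\")
    return parts[-2:] == ["drivers", "svchost.exe"]


def check_service(svc):
    """Return the indicators a service record matches (empty list = clean).
    svc: {'name': ..., 'display_name': ..., 'binary': ...} (constructed schema)."""
    hits = []
    if svc["name"].lower() == WORM_SERVICE_NAME:
        hits.append("service name is WksPatch")
    if svc["display_name"] in DISPLAY_NAMES:
        hits.append("display name fits the %string1% %string2% %string3% pattern")
    if is_worm_binary_path(svc["binary"]):
        hits.append("binary is drivers\\svchost.exe")
    return hits


def hosts_file_is_worm_stub(text):
    """True when HOSTS contains exactly the three lines the worm writes
    (blank lines and line-ending style are ignored)."""
    lines = [" ".join(ln.split()) for ln in text.splitlines() if ln.strip()]
    return lines == WORM_HOSTS_LINES


def scan_host(services, hosts_text):
    """Combine the checks into one report: suspicious services keyed by
    service name, plus whether HOSTS looks overwritten."""
    suspicious = {}
    for svc in services:
        hits = check_service(svc)
        if hits:
            suspicious[svc["name"]] = hits
    return {"suspicious_services": suspicious,
            "hosts_overwritten": hosts_file_is_worm_stub(hosts_text)}


# Constructed sample: two ordinary Windows services and one worm service.
SAMPLE_SERVICES = [
    {"name": "Spooler", "display_name": "Print Spooler",
     "binary": r"C:\WINDOWS\system32\spoolsv.exe"},
    {"name": "RpcSs", "display_name": "Remote Procedure Call (RPC)",
     "binary": r"C:\WINDOWS\system32\svchost.exe -k rpcss"},
    {"name": "WksPatch", "display_name": "Security Logging Sharing",
     "binary": r"C:\WINDOWS\system32\drivers\svchost.exe"},
]
SAMPLE_HOSTS = "#\r\n#\r\n127.0.0.1   localhost\r\n"  # constructed, as the worm leaves it

if __name__ == "__main__":
    report = scan_host(SAMPLE_SERVICES, SAMPLE_HOSTS)
    for name, hits in report["suspicious_services"].items():
        print(f"service {name}: " + "; ".join(hits))
    print("HOSTS overwritten by worm:", report["hosts_overwritten"])
```

Note that the display-name check alone is only a weak signal (a legitimate product could use one of those 160 phrases), so the report keeps each matched indicator separately; a service that trips all three is the worm, while one that trips only the display name deserves a look at its binary path before anything is stopped or deleted.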
How Can I Remove the Welchia.B Worm?
Kaspersky Internet Security can protect you from viruses and intrusions. If Kaspersky detects Welchia.B during the scan, it will automatically offer you the option of deleting it. Do this by following the program's instructions.
Follow these steps to remove the Welchia.B worm.
1. Disabling System Restore (Windows Me/XP)
For instructions on how to turn off System Restore, read your Windows documentation or the following article: "How to disable or enable Windows Me/XP System Restore".
2. Removing the running service
- Open a command prompt window. Click Start>Run, type CMD, and then press the Enter key.
- At the command prompt, type the following:
  NET STOP "Network Connections Sharing"
- Press the Enter key. A message should indicate that the service has been stopped successfully.
- Again, at the command prompt, type the following:
  NET STOP "Wkspatch"
- Press the Enter key. A message should indicate that the service has been stopped successfully.
- Close the command prompt window.
- Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
- In the left panel, double-click the following:
  HKEY_LOCAL_MACHINE>System>CurrentControlSet>Services
- Still in the left panel, delete the subkey:
  WksPatch
- Close Registry Editor.
3. Updating the virus definitions
If you do not know which anti-virus software can provide strong protection for you, Kaspersky Internet Security is recommended.
4. Scanning for and deleting the infected files
- Start your Kaspersky Internet Security and make sure that it is configured to scan all the files.
- Run a full system scan.
- If any files are detected as infected with Welchia.B, click Delete.
How to Disinfect My Computer from Worms?
In order to keep your computer protected, bear the following tips in mind:
- If you have filtering tools installed, configure them to reject messages with the characteristics described above. If, in spite of doing this, you receive the message that contains the virus: do not open it, do not run the attached file, and delete it, making sure that you also delete it from the Deleted Items folder.
- Install a good antivirus on your computer. Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
- Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
- Keep your permanent antivirus protection enabled at all times.