What is Welchia?
The Welchia worm infects machines via network connections. It can attack entire networks of computers or a single computer connected to the Internet. Similar to the original MSBlast worm, it exploits a known Windows vulnerability that is easily patched; however, few systems seem to have this patch installed. It attacks Windows 2000 and Windows XP machines and exploits the DCOM RPC vulnerability. It uses TFTP (Trivial File Transfer Protocol) to download its files onto a system. It also exploits one more vulnerability, known as the WebDAV exploit, to travel from system to system.
Ironically, this worm attempts to patch the RPC DCOM buffer overflow. It first checks the running Windows version and then downloads a patch from Microsoft. In essence, this worm patches your computer against the MSBlast.A worm. When the current system year is 2004, the worm removes itself from the system.
Download the Windows patches for these vulnerabilities by clicking on the links below:
- Windows XP: DCOM/RPC Exploit patch
- Windows 2000: DCOM/RPC Exploit patch
- Windows XP: WebDAV Exploit patch (IIS Remote Exploit from ntdll.dll)
- Windows 2000: WebDAV Exploit patch (IIS Remote Exploit from ntdll.dll)
Also known as: MSBlast.D, LoveSan.D, Nachia
How Does the Welchia Worm Infect My Computer?
- Copies itself to the Wins directory in the System or System32 folder in Windows, usually C:\Windows\System32\Wins\Dllhost.exe for Windows XP or C:\WinNT\System32\Wins\Dllhost.exe for Windows NT/2000. There is a legitimate file called Dllhost.exe (about 5-6K) in the System32 directory.
- Makes a copy of the TFTP server (TFTPD.exe) from the Dllcache directory to the following locations: C:\Windows\System32\Wins\svchost.exe for Windows XP or C:\WinNT\System32\Wins\svchost.exe for Windows NT/2000. NOTE: Svchost.exe is a legitimate, non-malicious program found in the System32 directory.
- Creates the following services:
Service Name: RpcTftpd
Display Name: Network Connections Sharing
File: %System%\wins\svchost.exe
This service will be set to start manually.
Service Name: RpcPatch
Display Name: WINS Client
File: %System%\wins\dllhost.exe
This service will be set to start automatically.
- Ends the process MSBLAST and deletes the file %System%\msblast.exe, which is dropped by the worm MSBlast.A.
First, it checks the operating system version, then it downloads the appropriate patch from the designated Microsoft Web site. After executing the patch, it reboots the system.
Some of the patches it downloads into the system are as follows:
- http://download.microsoft.com/download/6/9/5/6957d785-fb7a-4ac9-b1e6-cb99b62f9f2a/Windows2000-KB823980-x86-KOR.exe
- http://download.microsoft.com/download/5/8/f/58fa7161-8db3-4af4-b576-0a56b0a9d8e6/Windows2000-KB823980-x86-CHT.exe
- http://download.microsoft.com/download/2/8/1/281c0df6-772b-42b0-9125-6858b759e977/Windows2000-KB823980-x86-CHS.exe
- http://download.microsoft.com/download/0/1/f/01fdd40f-efc5-433d-8ad2-b4b9d42049d5/Windows2000-KB823980-x86-ENU.exe
- http://download.microsoft.com/download/e/3/1/e31b9d29-f650-4078-8a76-3e81eb4554f6/WindowsXP-KB823980-x86-KOR.exe
- http://download.microsoft.com/download/2/3/6/236eaaa3-380b-4507-9ac2-6cec324b3ce8/WindowsXP-KB823980-x86-CHT.exe
- http://download.microsoft.com/download/a/a/5/aa56d061-3a38-44af-8d48-85e42de9d2c0/WindowsXP-KB823980-x86-CHS.exe
- http://download.microsoft.com/download/9/8/b/98bcfad8-afbc-458f-aaee-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe
The downloaded patch has the file name RpcServicePack.exe. This worm deletes this file after it is run.
Before downloading or installing the patch on the system, this worm first checks whether the system has already been patched by looking for specific registry keys.
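The host-side artifacts listed above (the two services, and the dllhost.exe/svchost.exe copies under the wins subdirectory) are what an administrator would look for on a suspect machine. The following script is an added example, not code from the original page or from any antivirus vendor: it takes a service inventory and a file list and flags only the Welchia indicators, leaving the legitimate Dllhost.exe and Svchost.exe in System32 alone. The inventory records are constructed sample data; on a real host the same fields would come from `sc query`, the Services registry hive, or a directory listing.

```python
"""Check a Windows service inventory and file list for the Welchia
(MSBlast.D) host indicators: the RpcTftpd and RpcPatch services, and the
dllhost.exe / svchost.exe copies dropped under the wins subdirectory of
the system directory.

Added example; the sample inventory at the bottom is constructed, not
taken from a real host.
"""
import ntpath

# Service names, display names and dropped file names documented for Welchia.
WELCHIA_SERVICE_NAMES = {"rpctftpd", "rpcpatch"}
WELCHIA_DISPLAY_NAMES = {"network connections sharing", "wins client"}
WELCHIA_DROPPED_FILES = {"dllhost.exe", "svchost.exe"}


def _in_wins_dir(path):
    """True if the path sits directly in a 'wins' directory under the
    system directory (system32, system, or the %System% placeholder)."""
    parts = ntpath.normpath(path).lower().split("\\")
    return (len(parts) >= 3 and parts[-2] == "wins"
            and parts[-3] in ("system32", "system", "%system%"))


def check_services(services):
    """services: list of dicts with keys name, display_name, binary_path.
    Returns a list of (service_name, reasons) for suspicious entries."""
    hits = []
    for svc in services:
        reasons = []
        if svc["name"].lower() in WELCHIA_SERVICE_NAMES:
            reasons.append("known Welchia service name")
        if svc["display_name"].lower() in WELCHIA_DISPLAY_NAMES:
            reasons.append("known Welchia display name")
        if _in_wins_dir(svc["binary_path"]):
            reasons.append("binary runs from the wins subdirectory")
        if reasons:
            hits.append((svc["name"], reasons))
    return hits


def check_files(paths):
    """Flag dllhost.exe / svchost.exe copies under the wins subdirectory
    only; the same file names directly in System32 are legitimate."""
    return sorted(p for p in paths
                  if ntpath.basename(p).lower() in WELCHIA_DROPPED_FILES
                  and _in_wins_dir(p))


def check_host(services, paths):
    """Combine both checks into one report."""
    return {"services": check_services(services), "files": check_files(paths)}


# Constructed sample inventory: one benign service plus the worm's artifacts.
SAMPLE_SERVICES = [
    {"name": "Dnscache", "display_name": "DNS Client",
     "binary_path": r"C:\WINDOWS\system32\svchost.exe -k NetworkService"},
    {"name": "RpcTftpd", "display_name": "Network Connections Sharing",
     "binary_path": r"C:\WINDOWS\system32\wins\svchost.exe"},
    {"name": "RpcPatch", "display_name": "WINS Client",
     "binary_path": r"C:\WINDOWS\system32\wins\dllhost.exe"},
]
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\svchost.exe",       # legitimate
    r"C:\WINDOWS\system32\dllhost.exe",       # legitimate
    r"C:\WINDOWS\system32\wins\svchost.exe",  # dropped TFTP server copy
    r"C:\WINDOWS\system32\wins\dllhost.exe",  # worm body
]

if __name__ == "__main__":
    for section, result in check_host(SAMPLE_SERVICES, SAMPLE_FILES).items():
        print(section, result)
```

The location check matters more than the file name: the page itself notes that Dllhost.exe and Svchost.exe are legitimate Windows binaries in System32, so a check that matched on name alone would produce false positives on every machine.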
The worm travels through a computer network or local area network looking for unpatched and vulnerable machines. The worm uses a ping to determine whether a machine is active on the network. Once the worm identifies a machine as being active on the network, it will either send data to TCP port 135, which exploits the DCOM RPC vulnerability, or send data to TCP port 80 to exploit the WebDAV vulnerability.
It then creates a remote shell on the vulnerable host that connects back to the attacking computer on a random TCP port between 666 and 765 to receive instructions.
It launches the TFTP server on the attacking machine and instructs the victim machine to connect and download Dllhost.exe and Svchost.exe from the attacking machine. If the file %System%\dllcache\tftpd.exe exists, the worm may not download svchost.exe.
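The propagation sequence just described (ping sweep, then TCP/135 or TCP/80 to the hosts that answered, a callback on a port between 666 and 765, then a TFTP fetch) is visible on the wire, so it can be picked out of connection records. The script below is an added detection example, not code from the original page: it correlates each step with the source that performed the ping sweep. The flow records are constructed sample data, the field order (timestamp, src, dst, proto, dport) is an assumption, and the sweep threshold of five targets is an arbitrary choice to tune for your own network.

```python
"""Flag the Welchia propagation pattern in connection records:
an ICMP echo sweep by one source, TCP connections from that source to
port 135 (DCOM RPC) or 80 (WebDAV) on hosts it pinged, a callback from
a victim to a port in 666-765 (remote shell), and UDP/69 (TFTP) requests
used to fetch dllhost.exe / svchost.exe.

Added example; the records below are constructed, not a real capture.
Record format (assumed): "<ts> <src> <dst> <proto> <dport>", dport 0 for ICMP.
"""
from collections import defaultdict

EXPLOIT_PORTS = {135: "DCOM RPC (TCP/135)", 80: "WebDAV (TCP/80)"}
CALLBACK_RANGE = range(666, 766)   # remote shell connects back on 666..765
SWEEP_THRESHOLD = 5                # assumed: distinct ICMP targets before we call it a sweep


def parse_record(line):
    ts, src, dst, proto, dport = line.split()
    return {"ts": float(ts), "src": src, "dst": dst,
            "proto": proto.lower(), "dport": int(dport)}


def analyse(lines, sweep_threshold=SWEEP_THRESHOLD):
    """Return findings keyed by the suspected attacking host."""
    recs = sorted((parse_record(l) for l in lines if l.strip()),
                  key=lambda r: r["ts"])
    pinged = defaultdict(set)       # src -> hosts it sent ICMP echo to
    findings = defaultdict(list)
    for r in recs:
        src, dst, dport = r["src"], r["dst"], r["dport"]
        if r["proto"] == "icmp":
            pinged[src].add(dst)
            if len(pinged[src]) == sweep_threshold:
                findings[src].append("ICMP echo sweep")
        elif r["proto"] == "tcp":
            # Exploit attempt only counts when it follows a ping to that host;
            # bare TCP/80 is ordinary web traffic.
            if dport in EXPLOIT_PORTS and dst in pinged[src]:
                findings[src].append(f"{EXPLOIT_PORTS[dport]} after ping to {dst}")
            # Callback: the victim (src) connects back to the attacker (dst).
            if dport in CALLBACK_RANGE:
                findings[dst].append(f"reverse shell callback from {src} on {dport}")
        elif r["proto"] == "udp" and dport == 69:
            # TFTP server runs on the attacking machine; the victim pulls from it.
            findings[dst].append(f"TFTP request from {src}")
    return dict(findings)


# Constructed sample: 10.0.0.5 sweeps five hosts, exploits 10.0.0.22, which
# calls back on 707 and fetches over TFTP; 10.0.0.9 is ordinary web traffic.
SAMPLE_LOG = """
1000.0 10.0.0.5 10.0.0.20 icmp 0
1000.1 10.0.0.5 10.0.0.21 icmp 0
1000.2 10.0.0.5 10.0.0.22 icmp 0
1000.3 10.0.0.5 10.0.0.23 icmp 0
1000.4 10.0.0.5 10.0.0.24 icmp 0
1001.0 10.0.0.5 10.0.0.22 tcp 135
1001.5 10.0.0.22 10.0.0.5 tcp 707
1002.0 10.0.0.22 10.0.0.5 udp 69
1003.0 10.0.0.9 10.0.0.30 tcp 80
"""

if __name__ == "__main__":
    for host, events in analyse(SAMPLE_LOG.strip().splitlines()).items():
        print(host)
        for e in events:
            print("  -", e)
```

Because every finding is attributed to the attacking host rather than the victim, the output directly names the machine that should be isolated first; the worm's own victim becomes the next attacker once it has fetched its files, so a host that first appears as a callback source will shortly appear as a sweep source.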
How to Remove the Welchia or MSBLAST.D Worm?
Kaspersky Internet Security can protect you from viruses and intrusions. If Kaspersky detects Welchia during the scan, it will AUTOMATICALLY offer you the option of deleting it. Do this by following the program's instructions.
Manual Removal:
Follow these steps to remove the Welchia or MSBLAST.D worm.
1) Disconnect your computer from the local area network or Internet.
2) Terminate the running program:
- Open a command prompt window. Click Start > Run, type CMD and then press the Enter key.
- At the command prompt, type the following:
NET STOP "Network Connections Sharing"
- Press the Enter key. A message should indicate that the service has been stopped successfully.
- Do the same to stop the following service:
NET STOP "WINS Client"
- Close the command prompt window.
3) Remove the registry entries:
- Open Registry Editor. To do this, click Start > Run, type REGEDIT, then press Enter.
- In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services
- In the left panel, delete the subkeys:
RpcPatch
RpcTftpd
- Close Registry Editor.
4) Install the patches for the DCOM RPC exploit or WebDAV exploit. You can download the patches from the links below before disconnecting:
DCOM RPC Exploit
- Windows XP Pro/Home Edition
- Windows 2000
WebDAV Exploit
- Windows XP
- Windows 2000
5) Delete the infected files (for Windows ME and XP, remember to turn off System Restore before searching for and deleting these files, so that infected backed-up files are removed as well):
- Click Start, point to Find or Search, and then click Files or Folders.
- Make sure that "Look in" is set to (C:\WINDOWS).
- In the "Named" or "Search for..." box, type, or copy and paste, the file names:
svchost.exe
dllhost.exe
- Click Find Now or Search Now.
- Delete the svchost.exe file in the c:\windows\system32\wins directory.
- Delete the dllhost.exe file in the c:\windows\system32\wins directory.
- Empty the Recycle Bin.
6) Reboot the computer, reconnect the network, update your antivirus software, and run a thorough virus scan using your favorite antivirus program. If you do not know which antivirus software can provide strong protection for you, Kaspersky Internet Security is recommended.
This worm is similar to the MSBlaster worm; you can find more information about MSBLAST.A by visiting this page.
How to Disinfect My Computer from Worms?
In order to keep your computer protected, bear the following tips in mind:
- If you have filtering tools installed, configure them to reject messages with the characteristics described above. If, in spite of doing this, you receive the message that contains the virus, do not open it, do not run the attached file, and delete it, making sure that you also delete it from the Deleted Items folder.
- Install a good antivirus on your computer. Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
- Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
- Keep your permanent antivirus protection enabled at all times.
Detection and Removal Instructions for Other Variants: