Welchi Worm
The Welchi worm hunts the original Blaster worm, removes it, and then patches the RPC/DCOM flaw that Blaster exploited so the host cannot be reinfected. This unsolicited patching, however, reboots the system without warning, which amounts to a Denial of Service (DoS). The worm is also not without flaws of its own and may leave the system open to further compromise, so its "noble" act of patching is far from desirable. Because Welchi is functionally similar to Blaster, security vendors disagree on whether it is a variant of the original MSBlast/Lovsan worm or an entirely new worm that warrants a new name.
Depending on the vendor, Welchi is therefore also called Nachi-A or MSBlast.D.
Welchi (a.k.a. Nachi and MSBlast.D) exploits vulnerabilities in both RPC/DCOM and WebDAV to propagate. It drops itself into the Wins subdirectory of the Windows System32 directory as DLLHOST.EXE and copies a TFTP daemon (TFTPD.EXE) into the same Wins directory as SVCHOST.EXE, then registers both as services under the display names WINS Client and Network Connections Sharing, respectively. This choice of names has caused no shortage of confusion among users who fail to realize that legitimate copies of DLLHOST.EXE and SVCHOST.EXE (located in %windir%\System32, not in its Wins subdirectory) also exist on the system, so the file name alone proves nothing. As in real estate, location is everything.
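A check a responder could run against a service inventory, added here as an example and not part of the original write-up or of the worm itself: it flags any dllhost.exe or svchost.exe whose image path is not %windir%\System32, and any service carrying the two display names above. The service records, the Windows directory (C:\WINDOWS) and the argument-stripping rule are constructed assumptions; on a live host the entries would come from the service configuration (for instance the binary path shown by sc qc, or WMI).

```python
r"""Flag Welchi/Nachi-style masquerading: well-known system binary names living
outside %windir%\System32, and the worm's two service display names.

Added example; the service records below are constructed for illustration."""
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Binary names the worm borrows. Legitimate copies live only in %windir%\System32.
MASQUERADED_BINARIES = {"dllhost.exe", "svchost.exe"}
# Display names the worm registers for its two components.
WORM_SERVICE_NAMES = {"wins client", "network connections sharing"}


@dataclass(frozen=True)
class Service:
    display_name: str
    image_path: str  # as stored in the service configuration; may carry arguments


def executable_of(image_path: str) -> str:
    """Strip arguments: take a quoted path, else everything up to the first '.exe'."""
    m = re.match(r'\s*(?:"([^"]+)"|(.*?\.exe))', image_path, re.IGNORECASE)
    if not m:
        return image_path.strip()
    return m.group(1) or m.group(2)


def normalise(path: str, windir: str) -> str:
    """Expand the Windows-directory tokens and canonicalise for comparison.
    ntpath is used so the check also runs offline on a non-Windows analysis box."""
    for token in ("%SystemRoot%", "%windir%"):
        # A function replacement avoids re.sub treating the backslashes in windir as escapes.
        path = re.sub(re.escape(token), lambda _: windir, path, flags=re.IGNORECASE)
    return ntpath.normpath(path).lower()


def is_misplaced_system_binary(image_path: str, windir: str = r"C:\WINDOWS") -> bool:
    """True when the file is named dllhost.exe/svchost.exe but does not sit in System32."""
    directory, name = ntpath.split(normalise(executable_of(image_path), windir))
    if name not in MASQUERADED_BINARIES:
        return False
    return directory != normalise(ntpath.join(windir, "System32"), windir)


def audit_services(services: Iterable[Service],
                   windir: str = r"C:\WINDOWS") -> List[Tuple[str, str, List[str]]]:
    """Return (display_name, image_path, reasons) for every suspicious service."""
    findings = []
    for svc in services:
        reasons = []
        if svc.display_name.strip().lower() in WORM_SERVICE_NAMES:
            reasons.append("display name used by Welchi")
        if is_misplaced_system_binary(svc.image_path, windir):
            reasons.append("system binary name outside %windir%\\System32")
        if reasons:
            findings.append((svc.display_name, svc.image_path, reasons))
    return findings


# Constructed inventory: two legitimate services and the two the worm registers.
SAMPLE_SERVICES = [
    Service("DCOM Server Process Launcher", r"%SystemRoot%\system32\svchost.exe -k DcomLaunch"),
    Service("COM+ System Application",
            r"C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}"),
    Service("WINS Client", r"%SystemRoot%\System32\Wins\DLLHOST.EXE"),
    Service("Network Connections Sharing", r"%SystemRoot%\System32\Wins\SVCHOST.EXE"),
]

if __name__ == "__main__":
    for name, path, reasons in audit_services(SAMPLE_SERVICES):
        print(f"{name!r} -> {path}: {', '.join(reasons)}")
```

The two worm services trip both rules, while the legitimate svchost.exe and dllhost.exe entries pass because their directory, once %SystemRoot% is expanded and the arguments are stripped, is exactly %windir%\System32. The same location test applies to any other well-known name an attacker might borrow; only the set of names needs extending.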
To find new victims, Welchi builds a list of target addresses using four distinct algorithms and sends ICMP Echo requests to each to determine which of the intended hosts is actually up. Like its predecessor Blaster, Welchi attacks live hosts through the RPC/DCOM flaw on TCP port 135; it can alternatively use the WebDAV flaw in IIS on TCP port 80. Either exploit gives it code execution on the target, which then pulls the worm's files from the attacking host's renamed TFTP server, so the TFTP server exists to deliver the payload rather than to scan.
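Welchi's ICMP pre-scan is noisy: one source sends echo requests to many distinct addresses in a short period. The detector below is an added example, not code from the original page or from any vendor, showing the sliding-window logic a sensor could apply to ICMP echo-request records. The record format (timestamp, source, destination), the constructed sample traffic, and the thresholds (20 distinct destinations within 10 seconds) are assumptions chosen for illustration.

```python
"""Sliding-window detector for ICMP Echo sweeps of the kind Welchi performs
before attacking. Added example on constructed traffic, not from the original page."""
from collections import defaultdict, deque
from typing import Dict, Iterable, List, Tuple

Event = Tuple[float, str, str]  # (timestamp in seconds, source IP, destination IP)


def detect_ping_sweeps(events: Iterable[Event], threshold: int = 20,
                       window: float = 10.0) -> Dict[str, float]:
    """Return {source: timestamp} for each source that pinged at least `threshold`
    distinct destinations within any `window`-second span. Events must be time-ordered.
    Counting distinct destinations, not packets, keeps a host that keeps re-pinging
    one gateway from looking like a scanner."""
    recent: Dict[str, deque] = defaultdict(deque)   # source -> (ts, dst) still inside the window
    alerts: Dict[str, float] = {}
    for ts, src, dst in events:
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:          # drop records older than the window
            q.popleft()
        if src not in alerts and len({d for _, d in q}) >= threshold:
            alerts[src] = ts                        # first moment the threshold is crossed
    return alerts


def sample_events() -> List[Event]:
    """Constructed traffic: a monitoring host re-pinging its gateway, an admin host
    slowly walking a subnet, and an infected host sweeping 10.0.1.0/24 every half second."""
    events: List[Event] = []
    events += [(t * 1.0, "10.0.0.5", "10.0.0.1") for t in range(0, 60, 2)]       # 30 pings, one target
    events += [(t * 2.0, "10.0.0.9", f"10.0.2.{t + 1}") for t in range(25)]       # 25 targets over 50 s
    events += [(i * 0.5, "10.0.0.77", f"10.0.1.{i + 1}") for i in range(40)]      # 40 targets in 20 s
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    for src, ts in detect_ping_sweeps(sample_events()).items():
        print(f"ping sweep from {src} (threshold reached at t={ts:.1f}s)")
```

Only the infected host is reported: the gateway monitor never exceeds one distinct destination, and the slow subnet walk never has more than six destinations inside any ten-second window. Lowering the threshold makes the slow walk visible too, which is the usual tuning trade-off between catching a throttled scanner and paging on routine administration.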
Welchi attempts to uninstall the Blaster worm from systems it infects, then downloads security patches from Microsoft and installs them. It does not check whether the prerequisites for the patch are met (such as the minimum required service pack), but it does check the registry to see whether certain patches have already been installed. The act of "patching" the system forces a reboot, a side effect that can fairly be viewed as a DoS.
Welchi remains on the infected system until 2004, when it removes itself. The worm's scanning traffic, its DoS potential, and the ports it opens should dispel any notion that Welchi is anything but a "bad" worm.