
Remove Worm.Welchia


About Welchia

W32.Welchia (also known as Nachi, MSBLAST.D and Lovsan) is a worm that spreads by exploiting two vulnerabilities:
- The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) over TCP port 135. The worm's RPC exploit is written for Windows XP machines only.
- The WebDAV vulnerability in IIS 5.0 (described in Microsoft Security Bulletin MS03-007) over TCP port 80. As coded in this worm, the exploit compromises Windows 2000 systems and may also affect Windows NT/XP systems.



It can attack an entire network of computers or a single computer connected to the Internet. The worm appears to have been written as an "anti-virus" worm: it tries to remove the MSBlast worm, attempts to download the DCOM RPC patch from Microsoft's Windows Update site, install it and restart the computer, and is written to remove itself once the year is 2004. It is far from harmless, though: the ping sweeps it uses to find new victims generate enough ICMP traffic to slow down or saturate a network.

When W32.Welchia.Worm is executed, it performs the following actions:

  1. Copies itself to:

    %System%\Wins\Dllhost.exe

    Note: %System% is a variable. By default, this is C:\Winnt\System32 (Windows 2000) or C:\Windows\System32 (Windows XP).
  2. Makes a copy of Tftpd.exe as %System%\Wins\svchost.exe.

    Note: Tftpd.exe is a legitimate Windows TFTP server and is not malicious in itself; it is normally kept in %System%\dllcache. Only the renamed copy under %System%\Wins belongs to the worm.
  3. Adds the subkeys:

    RpcPatch

    and:

    RpcTftpd

    to the registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
  4. Creates the following services:

    Service Name: RpcTftpd
    Service Display Name: Network Connections Sharing
    Service Binary: %System%\wins\svchost.exe

    This service will be set to start manually.

    Service Name: RpcPatch
    Service Display Name: WINS Client
    Service Binary: %System%\wins\dllhost.exe

    This service will be set to start automatically.
  5. Ends the Msblast process and deletes %System%\msblast.exe, the file that the Blaster.A worm drops.
  6. Sends an ICMP echo request (ping) to a candidate address to find out whether a machine is up. If it answers, the worm sends its exploit either to TCP port 135 (the DCOM RPC vulnerability) or to TCP port 80 (the WebDAV vulnerability). A successful exploit starts a remote shell on the victim, which connects back to the attacking computer on a random TCP port between 666 and 765 to receive instructions.

    The worm then starts the TFTP server on the attacking machine and instructs the victim to download Dllhost.exe and Svchost.exe from it. If %System%\dllcache\tftpd.exe already exists on the victim, the worm may skip downloading svchost.exe.
  7. Checks the operating system version, Service Pack level and system locale, then attempts to connect to Windows Update and download the matching DCOM RPC patch. Once the update has been downloaded and run, the worm restarts the computer to complete the installation.
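The sequence just described (ping sweep, exploit attempt on TCP 135 or 80, connect-back on a port from 666 to 765, then a TFTP download) is exactly what a network defender can look for in firewall or flow logs. The following is an added example, not code from this page or from any vendor's product: a Python detector that correlates log lines into those stages and only raises a host to "suspect" when it both sweeps and hits the exploit ports, since a connection to TCP 80 on its own is ordinary web traffic. The key=value log format, the sample lines and the SWEEP_THRESHOLD value are constructed for illustration; the ports and the order of events come from the writeup above. One detail the writeup does not mention that helps tuning: Welchia's echo requests carry a 64-byte payload of 0xAA bytes (an IP packet length of 92 bytes), which is why the sample lines carry len=92, although the example keys on behaviour rather than payload.

```python
"""Correlate firewall-style log lines into the Welchia propagation sequence (added example)."""
import re
from collections import defaultdict

EXPLOIT_PORTS = {135, 80}       # DCOM RPC (MS03-026) and WebDAV (MS03-007)
SHELL_PORTS = range(666, 766)   # victim's shell connects back on a port from 666 to 765
TFTP_PORT = 69                  # victim then fetches dllhost.exe / svchost.exe over TFTP
SWEEP_THRESHOLD = 8             # distinct echo-request targets before a host counts as sweeping (assumed tuning)

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return the key=value fields of one log line as a dict, or None if it lacks src/dst/proto."""
    fields = dict(FIELD_RE.findall(line))
    if not all(k in fields for k in ("src", "dst", "proto")):
        return None
    for key in ("dport", "type", "len"):
        if key in fields:
            fields[key] = int(fields[key])
    return fields


def analyze(lines):
    """Correlate the lines into sweeping hosts, suspects and complete infection chains.

    Returns {"sweepers": set, "suspects": set, "infection_chains": [(attacker, victim), ...]}.
    """
    echo_targets = defaultdict(set)  # src -> hosts it sent ICMP echo requests to
    exploit_seen = {}                # (attacker, victim) -> index of first hit on 135 or 80
    shell_seen = {}                  # (attacker, victim) -> index of the victim's connect-back
    tftp_seen = {}                   # (attacker, victim) -> index of the victim's TFTP request

    for idx, line in enumerate(lines):
        f = parse_line(line)
        if f is None:
            continue
        src, dst, proto = f["src"], f["dst"], f["proto"]
        if proto == "icmp" and f.get("type") == 8:
            echo_targets[src].add(dst)
        elif proto == "tcp" and f.get("dport") in EXPLOIT_PORTS:
            exploit_seen.setdefault((src, dst), idx)
        elif proto == "tcp" and f.get("dport") in SHELL_PORTS:
            shell_seen.setdefault((dst, src), idx)   # the victim initiates this one, so attacker is dst
        elif proto == "udp" and f.get("dport") == TFTP_PORT:
            tftp_seen.setdefault((dst, src), idx)    # likewise: victim pulls from the attacker

    sweepers = {h for h, targets in echo_targets.items() if len(targets) >= SWEEP_THRESHOLD}
    # A hit on tcp/80 by itself is ordinary web traffic; only flag it from a host that is also sweeping.
    suspects = {attacker for (attacker, _victim) in exploit_seen if attacker in sweepers}
    # A full chain needs exploit, then connect-back, then TFTP, in that order.
    chains = sorted(
        pair for pair, t_exploit in exploit_seen.items()
        if pair in shell_seen and pair in tftp_seen
        and t_exploit < shell_seen[pair] < tftp_seen[pair]
    )
    return {"sweepers": sweepers, "suspects": suspects, "infection_chains": chains}


# Constructed sample log: one infected host (10.0.0.5), one normal host (10.0.0.7), one decoy.
SAMPLE_LOG = (
    # 10.0.0.5 sweeps 10.0.0.1-10 with 92-byte echo requests (64 bytes of 0xAA payload)
    [f"t=1 src=10.0.0.5 dst=10.0.0.{i} proto=icmp type=8 len=92" for i in range(1, 11)]
    + [
        "t=2 src=10.0.0.5 dst=10.0.0.12 proto=tcp dport=135",     # DCOM RPC exploit attempt
        "t=2 src=10.0.0.5 dst=10.0.0.20 proto=tcp dport=80",      # WebDAV attempt, no follow-up
        "t=3 src=10.0.0.12 dst=10.0.0.5 proto=tcp dport=707",     # victim's shell connects back
        "t=4 src=10.0.0.12 dst=10.0.0.5 proto=udp dport=69",      # victim pulls the payload via TFTP
        "t=5 src=10.0.0.7 dst=10.0.0.9 proto=icmp type=8 len=60",  # one ordinary ping
        "t=5 src=10.0.0.7 dst=10.0.0.9 proto=tcp dport=80",       # ordinary web request
        "t=6 src=10.0.0.30 dst=10.0.0.5 proto=tcp dport=700",     # port in range, but no exploit first
        "garbage line with no fields",
    ]
)

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample log the detector names 10.0.0.5 as the only sweeper and suspect and reports a single complete chain, 10.0.0.5 to 10.0.0.12; the WebDAV attempt against 10.0.0.20 and the stray connection from 10.0.0.30 do not complete the sequence and are left as context.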

How to Remove Welchia Worm
The easiest way to remove this worm is to download the removal tool developed by Symantec. You can also follow the instructions below to remove Welchia manually. Disconnect the computer from the network first: until the patches are installed it can be reinfected through TCP port 135 or 80 within minutes of being cleaned.

  1. Disable System Restore (Windows XP), so that the worm's files are not preserved in a restore point.
  2. Restart the computer in Safe Mode. This keeps the RpcPatch and RpcTftpd services from starting.
  3. Open the registry editor (click Start>Run, type Regedit and click OK), locate and expand the following key:
    HKEY_LOCAL_MACHINE>System>CurrentControlSet>Services,

    Delete these two subkeys: RpcPatch and RpcTftpd
  4. Delete %System%\Wins\dllhost.exe and %System%\Wins\svchost.exe, then the empty Wins folder. Leave %System%\dllhost.exe, %System%\svchost.exe and %System%\dllcache\tftpd.exe alone: those are legitimate Windows files.
  5. Install the patches for DCOM RPC (MS03-026) and WebDAV (MS03-007). The easiest way to do this is to run Windows Update and install all the needed patches; if you can, fetch the patches on another machine so that this one is patched before it goes back on the network.
  6. Run a full system scan, delete any remaining files detected as W32.Welchia.Worm, and re-enable System Restore.
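To check a machine before the manual steps, and again afterwards to confirm nothing is left, the indicators above (the two service names, and the dllhost.exe/svchost.exe copies under %System%\Wins) can be checked in one pass. The following is an added example, not code from this page or from Symantec's tool. The assess() function works on a plain snapshot (service records plus a file list) so it can be tested off a Windows box; collect_snapshot() reads the live registry through winreg and lists the Wins folder, and only runs on Windows. The sample snapshots and the C:\WINDOWS\system32 directory are constructed. The check deliberately treats the same file names directly in %System% as legitimate, which is the mistake the removal steps warn against.

```python
"""Triage a Windows host for the Welchia artefacts listed above (added example)."""
import ntpath   # Windows path rules, so the logic behaves the same wherever it is tested
import os

# Service names and display names the worm registers (from the writeup above).
WELCHIA_SERVICES = {
    "RpcPatch": "WINS Client",                  # %System%\Wins\dllhost.exe, auto-start
    "RpcTftpd": "Network Connections Sharing",  # %System%\Wins\svchost.exe (renamed tftpd.exe), manual start
}
DROPPED_FILES = {"dllhost.exe", "svchost.exe"}  # malicious only when they sit in %System%\Wins


def assess(services, files, system_dir=r"C:\WINDOWS\system32"):
    """Report Welchia artefacts in a host snapshot; an empty list means none were found.

    services: {name: {"display": str, "image_path": str, "start": int}}
    files:    absolute paths present on the host
    """
    findings = []
    wins_dir = ntpath.join(system_dir, "Wins").lower()
    for name, meta in services.items():
        image = meta.get("image_path", "").strip('"').lower()
        if name in WELCHIA_SERVICES:
            findings.append(f"service {name} ({meta.get('display', '?')}) -> {meta.get('image_path', '?')}")
        elif image.startswith(wins_dir + "\\"):
            # Same dropper directory under another service name: still worth a look.
            findings.append(f"service {name} runs from {meta.get('image_path')}")
    for path in files:
        low = path.lower()
        # Only the copies inside %System%\Wins belong to the worm; the same names directly
        # in %System% are legitimate Windows binaries and must not be flagged or deleted.
        if ntpath.dirname(low) == wins_dir and ntpath.basename(low) in DROPPED_FILES:
            findings.append(f"dropped file {path}")
    return findings


def collect_snapshot(system_dir=None):
    """Read the live service list and the Wins folder (Windows only; uses winreg)."""
    import winreg
    system_dir = system_dir or ntpath.join(os.environ["SystemRoot"], "system32")
    services = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            meta = {}
            try:
                with winreg.OpenKey(root, name) as key:
                    for value, field in (("DisplayName", "display"), ("ImagePath", "image_path"), ("Start", "start")):
                        try:
                            meta[field] = winreg.QueryValueEx(key, value)[0]
                        except FileNotFoundError:
                            pass
            except OSError:
                pass   # some service keys are not readable without administrative rights
            services[name] = meta
    wins = ntpath.join(system_dir, "Wins")
    files = [ntpath.join(wins, f) for f in os.listdir(wins)] if os.path.isdir(wins) else []
    return services, files


# Constructed snapshots for illustration: one infected host, one clean host.
SAMPLE_INFECTED = (
    {
        "RpcPatch": {"display": "WINS Client", "image_path": r"C:\WINDOWS\system32\Wins\dllhost.exe", "start": 2},
        "RpcTftpd": {"display": "Network Connections Sharing", "image_path": r"C:\WINDOWS\system32\Wins\svchost.exe", "start": 3},
        "Dhcp": {"display": "DHCP Client", "image_path": r"%SystemRoot%\system32\svchost.exe -k netsvcs", "start": 2},
    },
    [
        r"C:\WINDOWS\system32\svchost.exe",        # legitimate
        r"C:\WINDOWS\system32\dllhost.exe",        # legitimate
        r"C:\WINDOWS\system32\Wins\dllhost.exe",   # worm
        r"C:\WINDOWS\system32\Wins\svchost.exe",   # worm (renamed tftpd.exe)
    ],
)
SAMPLE_CLEAN = ({"Dhcp": SAMPLE_INFECTED[0]["Dhcp"]}, SAMPLE_INFECTED[1][:2])

if __name__ == "__main__":
    snapshot = collect_snapshot() if os.name == "nt" else SAMPLE_INFECTED
    for finding in assess(*snapshot) or ["no Welchia artefacts found"]:
        print(finding)
```

Run it as Administrator on the suspect machine; on any other system it falls back to the constructed infected snapshot, for which it reports the two services and the two files under Wins and nothing else.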


© 2003 SpyAny.com