Home / malwarePDF  

Win32.Worm.Welchia.A


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Worm.Welchia.A is also known as W32.Welchia.Worm, W32/Nachi.worm, WORM_MSBLAST.D.

Explanation :

For Windows XP systems, it uses the Windows DCOM RPC vulnerability described in MS03-026 security bulletin, to infect new computers.

For systems that have the IIS service, it uses the Windows WebDav vulnerability described in MS03-007 security bulletin, to infect new computers.

When ran it looks for Win32.Msblast.A worm file (msblast.exe) and tries to remove it from the computer. It also attempts to download the patch for the DCOM RPC vulnerability and to install it. If it successfully installs it, it restarts the computer without notice.

After infecting a remote computer, it opens a random TCP port between 666 and 765, on the remote computer so as to send commands to it.

It uses the TFTP file transfer protocol to copy the worm body: dllhost.exe, and the TFTP server: tftpd.exe, that will be renamed to svchost.exe after copying in %system32%wins.

It creates two services: Network Connections Sharing with the path to executable: %system32%winssvchost.exe and WINS Client with the path to executable: %system32%winsdllhost.exe, that are set to run automatically, so that the worm will be active, even if no user is logged on the computer.

The worm contains some text strings: I love my wife & baby :), Welcome Chian, Notice: 2004 will remove myself:) and sorry zhongli. It is true, from the year 2004 it would uninstall itself from the infected machine.

The mutex that it uses not to run twice on the same computer is named RpcPatch_Mutex.

Last update 21 November 2011

 

TOP