
Win32.Worm.Welchia.B


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Worm.Welchia.B is also known as Worm.Win32.Welchia.b, W32/Nachi-B.

Explanation:

The worm arrives by exploiting one of the following vulnerabilities:

1. DCOM RPC vulnerability described in MS03-026 bulletin
2. WebDav vulnerability described in MS03-007 bulletin
3. Workstation Service vulnerability described in MS03-049 bulletin

When infecting a machine, it copies itself to the following location:
%SYSDIR%\Drivers\SVCHOST.EXE
and creates a service called WksPatch so that it runs each time Windows starts.

To infect other machines, it generates random IP addresses and sends packets to ports 135, 80 and 445 in order to exploit vulnerable targets (see the vulnerabilities above).

It tries to remove the Mydoom worm as well as the earlier version of Welchia, Win32.Worm.Welchia.A, and downloads and applies the patches KB828035 and KB828749 from Microsoft's website.

It overwrites some HTML files with the following content:


LET HISTORY TELL FUTURE !

1931.9.18

1937.7.7

1937.12.13 300,000 !

1941.12.7

1945.8.6 Little boy

1945.8.9 Fatso

1945.8.15

Let history tell future !



The worm will remove itself after June 2004.
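An added detection example, not BitDefender's code, that checks constructed host inventory and flow records for the indicators listed above: the WksPatch service, the dropped SVCHOST.EXE under the Drivers directory, the defacement string, and one host sweeping many addresses on ports 135, 80 and 445. The inventory and flow records, the 25-target threshold and the network addresses are all constructed for the example.

```python
from collections import defaultdict

# Indicators taken from the description above (compared case-insensitively).
SERVICE_NAME = "wkspatch"
DROP_PATH_SUFFIX = "\\drivers\\svchost.exe"   # %SYSDIR%\Drivers\SVCHOST.EXE
EXPLOIT_PORTS = {135, 80, 445}
DEFACEMENT_MARK = "let history tell future"


def host_findings(services, files, html_bodies):
    """Return the host-level Welchia.B indicators present in the inventory."""
    found = []
    if any(s.lower() == SERVICE_NAME for s in services):
        found.append("service WksPatch registered")
    for path in files:
        # The legitimate svchost.exe lives in System32, not System32\Drivers.
        if path.lower().endswith(DROP_PATH_SUFFIX):
            found.append("worm copy at: " + path)
    for name, body in html_bodies.items():
        if DEFACEMENT_MARK in body.lower():
            found.append("defaced HTML: " + name)
    return found


def scanning_hosts(flows, min_targets=25):
    """Flows are (src, dst, dport) tuples. Flag sources that contacted at
    least min_targets distinct hosts on the three exploit ports, which is
    what the worm's random-IP sweep looks like on the wire."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport in EXPLOIT_PORTS:
            targets[src].add(dst)
    return sorted(s for s, t in targets.items() if len(t) >= min_targets)


# Constructed sample data: one infected host (10.0.0.5) and one clean host (10.0.0.9).
SAMPLE_SERVICES = ["Dnscache", "WksPatch", "wuauserv"]
SAMPLE_FILES = [r"C:\WINDOWS\system32\svchost.exe",
                r"C:\WINDOWS\system32\drivers\SVCHOST.EXE"]
SAMPLE_HTML = {"index.htm": "<html><body>LET HISTORY TELL FUTURE !</body></html>",
               "about.htm": "<html><body>ok</body></html>"}
SAMPLE_FLOWS = [("10.0.0.5", f"192.168.{i // 250}.{i % 250}", 135) for i in range(40)]
SAMPLE_FLOWS += [("10.0.0.9", "10.0.0.1", 445), ("10.0.0.9", "10.0.0.2", 80)]

if __name__ == "__main__":
    print(host_findings(SAMPLE_SERVICES, SAMPLE_FILES, SAMPLE_HTML))
    print(scanning_hosts(SAMPLE_FLOWS))
```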

Last update 21 November 2011
