NEW VIRUS ALERT...but um it's a good one?!?!?

Posted: Mon Aug 18, 2003 1:34 pm
by Dethcon
W32.Welchia.Worm

Symantec

W32.Welchia.Worm is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, install it, and then reboot the computer.

The worm will also attempt to remove W32.Blaster.Worm.

Also Known As: W32/Welchia.worm10240 [AhnLab], W32/Nachi.worm [McAfee], WORM_MSBLAST.D [Trend], Lovsan.D [F-Secure]

Type: Worm

Systems Affected: Windows 2000, Windows XP

When W32.Welchia.Worm is executed, it performs the following actions:

Copies the file:

%System%\Wins\Dllhost.exe

and registers itself as a service.

NOTE: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Makes a copy of %System%\Dllcache\Tftp.exe, names it Svchost.exe, and copies it to the %System%\Wins folder.

NOTE: Svchost.exe is a legitimate program. It is not malicious and therefore Symantec antivirus products do not detect it. You will have to delete it manually.

Ends the process Msblast.exe, dropped by the W32.Blaster.Worm, if the process is running.

Deletes the Msblast.exe file.

Checks the computer's operating system version and Service Pack number.

Generates an IP address and scans for computers using ICMP ping packets. IP addresses are generated according to the following algorithm:
The IP address is in the form of A.B.C.D, where A and B are taken from the Local Area Network.
The worm starts C and D at 0, and then increments D by 1, until it reaches 255.
When D reaches 255, it increments C by 1 and resets D to 0.
This pattern continues until the IP address reaches A.B.255.255.

Sends data to TCP port 135 that may exploit the DCOM RPC vulnerability.

Creates a remote shell on the vulnerable host, and opens a connection to TCP port 707 on the attacking computer.

Launches the TFTP server on the vulnerable host, connects to the attacker, and downloads Dllhost.exe and Svchost.exe.

Attempts to connect to Microsoft's Windows Update and download the DCOM RPC vulnerability patch.

Once the update has been downloaded and executed, the worm will reboot the computer so that the patch is installed.

Checks the computer's system date. If the date is January 1, 2004, the worm will disable itself.
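The scan order in the write-up (A.B fixed from the local address, C and D stepping from 0 to 255) is what makes this worm loud on a network: a single host pings its whole /16 in strict address order and then probes TCP/135, with infected victims calling back to TCP/707. The following is an added example, not code from the Symantec write-up or the poster. It reproduces the scan sequence as described and runs a simple detector over constructed flow records of the form (src, dst, proto, dport). The record shape, the threshold of 8 sequential ICMP targets, and the sample traffic (10.1.0.5 as scanner, 10.1.0.9 as a normal host) are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict
from itertools import islice


def welchia_scan_sequence(local_ip):
    """Yield target addresses in the order the write-up describes: A and B are
    taken from the local address, C and D start at 0, D is incremented to 255,
    then C is incremented and D reset, ending at A.B.255.255 (65,536 hosts)."""
    a, b, _, _ = (int(octet) for octet in local_ip.split("."))
    for c in range(256):
        for d in range(256):
            yield f"{a}.{b}.{c}.{d}"


def longest_sequential_run(addrs):
    """Length of the longest run of consecutive IPv4 addresses, in the order seen.
    Comparing the integer form means 10.1.0.255 -> 10.1.1.0 still counts as +1."""
    best = run = 0
    prev = None
    for addr in addrs:
        n = int(ipaddress.IPv4Address(addr))
        run = run + 1 if prev is not None and n == prev + 1 else 1
        best = max(best, run)
        prev = n
    return best


def detect_welchia_sweep(flows, min_sequential=8):
    """flows: iterable of (src, dst, proto, dport) in time order.

    Flags a source that pings at least `min_sequential` consecutive addresses
    and reports how many TCP/135 probes it sent and how many TCP/707 call-backs
    it received. The threshold is an assumption, not a value from the write-up."""
    icmp_targets = defaultdict(list)
    dcom_probes = defaultdict(set)
    callbacks = defaultdict(set)
    for src, dst, proto, dport in flows:
        if proto == "icmp":
            icmp_targets[src].append(dst)
        elif proto == "tcp" and dport == 135:
            dcom_probes[src].add(dst)      # attacker -> victim, DCOM RPC
        elif proto == "tcp" and dport == 707:
            callbacks[dst].add(src)        # victim -> attacker remote shell
    findings = {}
    for src, targets in icmp_targets.items():
        run = longest_sequential_run(targets)
        if run >= min_sequential:
            findings[src] = {
                "sequential_icmp": run,
                "dcom_probes": len(dcom_probes[src]),
                "shell_callbacks": len(callbacks[src]),
            }
    return findings


def sample_flows():
    """Constructed traffic, not a real capture: 10.1.0.5 behaves like the worm
    (first 20 addresses of its sweep, two DCOM probes, one call-back),
    10.1.0.9 is an ordinary host."""
    scanner = "10.1.0.5"
    flows = [(scanner, target, "icmp", 0)
             for target in islice(welchia_scan_sequence(scanner), 20)]
    flows += [(scanner, "10.1.0.7", "tcp", 135),
              (scanner, "10.1.0.12", "tcp", 135),
              ("10.1.0.7", scanner, "tcp", 707)]
    flows += [("10.1.0.9", "10.1.0.1", "icmp", 0),
              ("10.1.0.9", "10.1.0.20", "tcp", 443)]
    return flows


if __name__ == "__main__":
    for src, info in detect_welchia_sweep(sample_flows()).items():
        print(src, info)
```

Sequential ordering is the useful signal here rather than raw ping volume: monitoring tools and discovery scanners also ping a lot, but they rarely walk 65,536 addresses in exact numeric order and then follow up on port 135. Correlating the TCP/707 call-back to the same source separates a host that is merely scanning from one that has actually pushed a payload.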