
Welchia

From Malware Wiki
Type: Internet Worm
Date: August 18th, 2003
Programming Language: C++
Platform: Microsoft Windows
File Type: Win32 PE executable (.EXE)

Welchia, also known as Nachi, is a nematode, or "friendly" worm, that removes Blaster and installs the Microsoft patch for the DCOM RPC vulnerability that made Blaster possible. Although Welchia often cleaned up machines suffering from the Blaster worm, it slowed computers and, above all, networks with the ICMP scan traffic it generated while carrying out its non-malevolent intentions, and it was a nuisance for those who had already removed Blaster from their PCs.

Welchia was most likely named by antivirus companies after the "Welcome Chian" text found in the worm body. It is also called Nachi, and some vendors classify it as the Blaster variant Blaster.D.

Payload

A machine that Welchia is about to infect first receives an ICMP echo request (a ping): the worm uses the reply to check whether a live host is reachable at that address. The worm on the infecting computer then sends exploit code to the target in one of two ways. It may exploit the DCOM RPC vulnerability (MS03-026, the one Blaster used to spread), in which case it sends its exploit code to TCP port 135.

If the target is running IIS 5.0, it may instead exploit the WebDAV buffer overflow in ntdll.dll (MS03-007), sending its code to TCP port 80. Either exploit starts a reverse shell on the victim that connects back to the attacking machine on a random TCP port between 666 and 765 (reportedly port 707 in most cases), where the worm on the attacking computer is listening; the shell then waits for that worm's instructions. The worm instructs the target to download a copy of the worm over TFTP into the "Wins" subdirectory of the System folder as dllhost.exe and to execute it.

Welchia then checks whether the file tftpd.exe exists in the "dllcache" subdirectory of the System folder. If it does not, the worm downloads that file as well, storing it as svchost.exe in Wins. This ensures that the newly infected host has a TFTP server from which to serve a copy of the worm to the next victim. Note that both file names (dllhost.exe and svchost.exe) mimic legitimate Windows binaries, which normally live in the System folder itself rather than in a Wins subdirectory; the unusual path is what gives them away.

Welchia terminates the msblast process and deletes the file msblast.exe. It checks the registry to see whether the Microsoft patch for the DCOM RPC vulnerability (MS03-026) has been installed; if not, it downloads the patch from Microsoft's web site and installs it. Once the patch has been installed successfully, Welchia reboots the computer, which completes the installation. Note that this "patching" is carried out by code delivered through an exploit and a reverse shell: from a defender's point of view the infection chain is indistinguishable from a hostile compromise until the payload itself has been examined.

The worm then begins spreading to other systems by selecting IP addresses to probe. It bases them on the current system's own address: it keeps the first two octets and generates the last two by counting from 0 to 255, i.e. it sweeps the local /16 (65,536 addresses). It sends an ICMP echo request to each address and begins the exploitation procedure against any that replies. This sweep, repeated by every infected host, is the traffic that saturated networks.

Welchia deletes itself when the system year changes to 2004, or once it has been present on the system for more than 120 days.
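The infection chain described above (ICMP sweep of the host's own /16, exploit on TCP 135 or 80, reverse shell back to the scanner on TCP 666-765, worm copy fetched over TFTP) leaves a distinctive sequence in flow or firewall logs. The following Python script, added here as an example and not code from the wiki or from the worm, correlates those stages per suspected scanner. The log line format, the sample records, the addresses (10.1.7.20, 10.1.0.17, 10.1.3.5, 192.0.2.10) and the sweep threshold of 32 targets are all constructed assumptions for the example.

```python
"""Flag Welchia-style activity in flow/firewall records.

Example added to this article; the log format, the sample records and the
thresholds are constructed assumptions, not data from the wiki or from the worm.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed thresholds and port sets (assumption: chosen for this example).
SWEEP_THRESHOLD = 32            # distinct echo-request targets inside the source's own /16
SHELL_PORTS = range(666, 766)   # reverse-shell callback range 666-765
EXPLOIT_PORTS = {135, 80}       # DCOM RPC (MS03-026) and IIS WebDAV (MS03-007)
TFTP_PORT = "69"


def build_sample_log():
    """Constructed sample traffic (not a real capture), one record per line:
    '<timestamp> <proto> <src> <dst> <dport-or-icmp-type>'.
    Host 10.1.7.20 pings 10.1.0.0-10.1.0.39 in order (the start of a /16 sweep),
    10.1.0.17 answers, is hit on TCP 135, connects back on TCP 707 and then
    pulls a file over TFTP. Host 10.1.3.5 just browses a web server."""
    lines = [f"2003-08-18T10:00:{i:02d} ICMP 10.1.7.20 10.1.0.{i} echo-request"
             for i in range(40)]
    lines += [
        "2003-08-18T10:00:41 ICMP 10.1.0.17 10.1.7.20 echo-reply",
        "2003-08-18T10:00:42 TCP 10.1.7.20 10.1.0.17 135",
        "2003-08-18T10:00:43 TCP 10.1.0.17 10.1.7.20 707",
        "2003-08-18T10:00:44 UDP 10.1.0.17 10.1.7.20 69",
        "2003-08-18T10:00:45 TCP 10.1.3.5 192.0.2.10 80",
    ]
    return lines


def parse(line):
    """Split one record into its fields; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, proto, src, dst, info = parts
    return {"ts": ts, "proto": proto, "src": src, "dst": dst, "info": info}


def local_slash16(ip):
    """The range Welchia sweeps: its own first two octets, last two 0-255."""
    return ip_network(f"{ip}/16", strict=False)


def detect(lines):
    """Correlate the stages of the chain per suspected scanner:
    ICMP sweep of its own /16 -> exploit on 135/80 -> victim callback on
    666-765 -> victim TFTP pull. Returns {scanner: summary} for scanners
    whose sweep reached SWEEP_THRESHOLD distinct targets."""
    sweep = defaultdict(set)      # scanner -> pinged addresses in its /16
    exploited = defaultdict(set)  # scanner -> hosts it hit on 135 or 80
    callbacks = defaultdict(set)  # scanner -> hosts that connected back on 666-765
    tftp = defaultdict(set)       # scanner -> hosts that then spoke TFTP to it

    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src, dst, proto, info = rec["src"], rec["dst"], rec["proto"], rec["info"]
        if proto == "ICMP" and info == "echo-request":
            if ip_address(dst) in local_slash16(src):
                sweep[src].add(dst)
        elif proto == "TCP" and info.isdigit():
            port = int(info)
            if port in EXPLOIT_PORTS:
                exploited[src].add(dst)
            elif port in SHELL_PORTS and src in exploited[dst]:
                callbacks[dst].add(src)   # reverse shell: victim -> scanner
        elif proto == "UDP" and info == TFTP_PORT and src in callbacks[dst]:
            tftp[dst].add(src)            # worm copy fetched from the scanner

    findings = {}
    for scanner, targets in sweep.items():
        if len(targets) >= SWEEP_THRESHOLD:
            findings[scanner] = {
                "sweep_targets": len(targets),
                "exploited": sorted(exploited[scanner]),
                "callbacks": sorted(callbacks[scanner]),
                "tftp_pulls": sorted(tftp[scanner]),
            }
    return findings


if __name__ == "__main__":
    for scanner, summary in detect(build_sample_log()).items():
        print(scanner, summary)
```

Running the script reports 10.1.7.20 with 40 sweep targets, one exploited host, one callback and one TFTP pull, while 10.1.3.5's ordinary port 80 connection is not reported. The correlation is the point: monitoring systems also ping many hosts, and a single port 80 or port 135 connection is normal, but a host that sweeps its own /16 and then receives both a connection on 666-765 and a TFTP request from a machine it just probed matches the chain above closely. The sweep counter deliberately only counts targets inside the source's own /16, as the article describes; a variant that also scans other ranges would need the check widened.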

Welchia infected the Navy Marine Corps Intranet (NMCI) and consumed three quarters of its capacity, rendering it useless for some time. No specific number of infected systems was given.

The worm also infected the network of the State Department, forcing the department to shut the network down for nine hours. While no classified files were compromised, the "Consular Check System", used to perform background checks on foreigners seeking visas, was affected, which delayed the processing and issuing of visas by nine hours.

Antivirus Aliases

  • ClamAV: Worm.Blaster.D
  • Doctor Web: Win32.HLLW.LoveSan.2
  • Kaspersky: Net-Worm.Win32.Welchia.a
  • McAfee: W32/Nachi.worm.a
  • Sophos: W32/Nachi-A
  • Symantec: W32.Welchia.Worm
  • Trend Micro: WORM_NACHI.A

Variants

Welchia is described by some antivirus vendors as a variant of Blaster.

  • Welchia.B deletes Mydoom.A, displays a message that says "LET HISTORY TELL FUTURE !" and makes a reference to the atomic bombings of Japan.

Details

The worm contains the following text strings:

  I love my wife & baby :-)
  Welcome Chian
  Notice: 2004 will remove myself:-)
  sorry zhongli
