Welchia worm Removal

The Welchia (MSBLAST.D or Nachi) worm infects machines via network connections. It can attack entire networks of computers or a single computer connected to the Internet. Like the original MSBlast worm, it exploits a known Windows vulnerability that is easily patched, yet few systems seem to have the patch installed. It attacks Windows 2000 and Windows XP machines by exploiting the DCOM RPC vulnerability. It uses TFTP (Trivial File Transfer Protocol) to download its files onto a system, and it also exploits a second vulnerability, the WebDAV exploit, to travel from system to system.

What are the DCOM Vulnerability and WebDAV Exploits?

The DCOM vulnerability in Windows 2000 and XP can allow an attacker to remotely compromise a computer running Microsoft® Windows® and gain complete control over it. The worm causes a buffer overrun in the Remote Procedure Call (RPC) service. When this service is terminated the virus infects the machine and then tries to infect other machines.

The WebDAV exploit is a security issue identified in Microsoft® Windows XP, 2000, and NT running IIS 5.0 that could allow an attacker to take control of your computer. This issue is most likely to affect computers used as Web servers.

Technical Details

When W32.Welchia.Worm is executed, it performs the following actions:
  1. Copies itself to:

    %System%\Wins\Dllhost.exe

    NOTE: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Winnt\System32 (Windows 2000) or C:\Windows\System32 (Windows XP).
     
  2. Makes a copy of %System%\Dllcache\Tftpd.exe as %System%\Wins\svchost.exe.

    NOTE: Tftpd is a legitimate program, which is not malicious, and therefore Symantec antivirus products do not detect it.
     
  3. Adds the subkeys:

    RpcPatch

    and:

    RpcTftpd

    to the registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
     
  4. Creates the following services:

    Service Name: RpcTftpd
    Service Display Name: Network Connections Sharing
    Service Binary: %System%\wins\svchost.exe

    This service will be set to start manually.

    Service Name: RpcPatch
    Service Display Name: WINS Client
    Service Binary: %System%\wins\dllhost.exe

    This service will be set to start automatically.
     
  5. Ends the process, Msblast, and deletes the %System%\msblast.exe file, which W32.Blaster.Worm drops.
     
  6. Selects the victim IP address in two different ways: The worm uses either A.B.0.0 from the infected machine's IP of A.B.C.D and counts up, or it will construct a random IP address based on some hard-coded addresses.
    After selecting the start address, the worm counts up through a range of Class B-sized networks; for example, if the worm starts at A.B.0.0, it will count up to at least A.B.255.255.
     
  7. Sends an ICMP echo request, or PING, to check whether the constructed IP address is an active machine on the network.
     
  8. Once the worm identifies a machine as being active on the network, it will either send data to TCP port 135, which exploits the DCOM RPC vulnerability, or send data to TCP port 80 to exploit the WebDAV vulnerability.
     
  9. Creates a remote shell on the vulnerable host, which reconnects to the attacking computer on a random TCP port, between 666 and 765, to receive instructions.
     
  10. Launches the TFTP server on the attacking machine and instructs the victim machine to connect and download Dllhost.exe and Svchost.exe from the attacking machine. If the %System%\dllcache\tftpd.exe file exists, the worm may not download svchost.exe.
     
  11. Checks the computer's operating system version, Service Pack number, and System Locale. It also attempts to connect to Microsoft's Windows Update and download the appropriate DCOM RPC vulnerability patch.
     
  12. Once the update has been downloaded and executed, the worm restarts the computer so that the patch is installed.
     
  13. Checks the computer's system date. If the year is 2004, the worm will disable and remove itself as follows:
     
    • Deletes the file %System%\Wins\Dllhost.exe
       
    • Deletes the services, RpcPatch and RpcTftpd, and removes the associated registry keys:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcPatch
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcTftpd
    NOTE: The worm does not delete the file %System%\Wins\Svchost.exe, which is a nonmalicious TFTP server.
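A defender-side detector for the propagation sequence described in steps 6 to 10 (sequential ping sweep, hits on TCP 135/80, shell callback on TCP 666-765, TFTP pull), written as an added example that is not part of the original page; the flow-record format, the constructed sample flows and the sweep threshold are assumptions.

```python
"""Flag hosts whose traffic matches Welchia's propagation sequence (steps 6 to 10 above)."""
from collections import defaultdict
from ipaddress import ip_address

# Assumption: pinging at least this many consecutive addresses counts as a sweep.
SWEEP_THRESHOLD = 8

# Constructed flow records, not real captures: "<proto> <src> <dst> <dport>" in time order.
SAMPLE_FLOWS = (
    [f"ICMP 10.1.0.5 10.1.0.{i} 0" for i in range(1, 13)]          # sequential ping sweep
    + ["TCP 10.1.0.5 10.1.0.7 135", "TCP 10.1.0.5 10.1.0.9 80"]     # DCOM RPC / WebDAV hits
    + ["TCP 10.1.0.7 10.1.0.5 700", "UDP 10.1.0.7 10.1.0.5 69"]     # shell callback, TFTP pull
    + ["ICMP 10.1.0.20 10.1.0.1 0", "ICMP 10.1.0.20 10.1.0.50 0"]   # benign, non-sequential pings
)

def longest_sequential_run(targets):
    """Length of the longest run where each address equals the previous one plus 1."""
    best = run = min(len(targets), 1)
    for prev, cur in zip(targets, targets[1:]):
        run = run + 1 if int(ip_address(cur)) == int(ip_address(prev)) + 1 else 1
        best = max(best, run)
    return best

def detect_welchia(lines):
    """Return {scanner: evidence} for hosts showing the sweep, exploit and callback stages."""
    pings = defaultdict(list)     # src -> ICMP echo-request targets, in arrival order
    exploit = defaultdict(set)    # src -> hosts it touched on TCP 135 (DCOM) or 80 (WebDAV)
    callbacks = defaultdict(set)  # attacker -> victims connecting back on TCP 666-765
    tftp = defaultdict(set)       # attacker -> victims fetching files over UDP 69
    for line in lines:
        proto, src, dst, dport = line.split()
        dport = int(dport)
        if proto == "ICMP":
            pings[src].append(dst)
        elif proto == "TCP" and dport in (135, 80):
            exploit[src].add(dst)
        elif proto == "TCP" and 666 <= dport <= 765:
            callbacks[dst].add(src)
        elif proto == "UDP" and dport == 69:
            tftp[dst].add(src)
    findings = {}
    for src, targets in pings.items():
        run = longest_sequential_run(targets)
        if run >= SWEEP_THRESHOLD:   # only sweeping hosts are reported; the rest is evidence
            findings[src] = {"sequential_pings": run,
                             "exploit_targets": sorted(exploit[src] & set(targets)),
                             "shell_callbacks": sorted(callbacks[src]),
                             "tftp_pulls": sorted(tftp[src])}
    return findings
```

A host reported with exploit targets plus a callback or TFTP pull has most likely already infected the listed victims, so those machines need the removal steps below as well.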

Removal Instructions for Welchia or MSBLAST.D worm.

Download the following tools:

  • Welchia Removal Tool (Symantec)
  • DCOM RPC Exploit Patch
  • WebDAV Exploit Patch

1) Disconnect your computer from the local area network or Internet

2) Terminate the running program

  • Open a command prompt window. Click Start>Run, type CMD and then press the Enter key.
  • At the command prompt, type the following:
    NET STOP "Network Connections Sharing"
  • Press the Enter key. A message should indicate that the service has been stopped successfully.
  • Do the same to stop the following service:
    NET STOP "WINS Client"
  • Close the command prompt window.

3) Remove the Registry Entries

  • Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
  • In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>
  • In the left panel, delete the subkeys:
    RpcPatch
    RpcTftpd
  • Close Registry Editor.

4) Install the patches for the DCOM RPC and WebDAV exploits.

5) Finally, run a scan using Symantec's Welchia Removal Tool.