Other versions: .b
Net-Worm.Win32.Welchia.a (Kaspersky Lab)
is also known as:
Worm.Win32.Welchia.a (Kaspersky Lab),
W32/Nachi.worm.a (McAfee), W32.Welchia.Worm (Symantec), Win32.HLLW.LoveSan.2 (Doctor Web), W32/Nachi-A (Sophos), Win32/HLLW.Nachi.A (RAV), WORM_NACHI.A (Trend Micro), Worm/Nachi.A.1 (H+BEDV), W32/Nachi.A (FRISK), Win32:Nachi (ALWIL), Worm/Nachi.A (Grisoft), Win32.Worm.Welchia.A (SOFTWIN), Worm.Blaster.D (ClamAV), W32/Nachi.A (Panda), Win32/Nachi.A (Eset)
Welchia.a is an Internet worm that spreads using the DCOM RPC vulnerability in Microsoft Windows described in Microsoft Security Bulletin MS03-026. The worm also breaks into computers via the WebDAV vulnerability in Microsoft IIS 5.0 described in Microsoft Security Bulletin MS03-007.
The worm is written in Visual C++ and is about 10 KB when compressed with UPX. It spreads as a pair of files named dllhost.exe and svchost.exe.
The worm contains the following text strings:
I love my wife & baby :-)
~~~ Welcome Chian~~~
Notice: 2004 will remove myself:-)
~~ sorry zhongli~~~
Installation
During installation the worm first copies itself to the %System%\Wins\ folder under the name dllhost.exe and registers it as a service with the display name WINS Client. The worm then copies the tftpd.exe file (the Windows TFTP server) from the %System%\dllcache folder into the same Wins folder under the name svchost.exe and registers it as a second service, Network Connections Sharing.
Both services start automatically, so Welchia gains control of the machine and runs every time the computer is rebooted. Note that dllhost.exe and svchost.exe are also the names of legitimate Windows binaries in %System%; the worm's copies are distinguished by their location in %System%\Wins\, not by their names.
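The persistence described above is best checked by binary path rather than by file name. The following is an added example, not code from the original description: it takes a list of service records (constructed here; in practice populated from sc qc or Win32_Service) and flags the two display names given above, any dllhost.exe/svchost.exe running from outside the real system directory, and any image stored under %System%\Wins\. The internal service names RpcPatch and RpcTftpd in the sample are not given on this page; they are the names reported in other vendors' writeups.

```python
import re
import ntpath

# Display names of the two services Welchia registers (from the description above).
WELCHIA_DISPLAY_NAMES = {"wins client", "network connections sharing"}
# Legitimate Windows binary names the worm reuses for its own copies.
WELCHIA_BINARIES = {"dllhost.exe", "svchost.exe"}

def image_path(raw):
    """Strip the arguments from a service's binary path ("C:\\x y\\a.exe" -k foo)."""
    m = re.match(r'"([^"]+)"|(\S+)', raw.strip())
    return m.group(1) or m.group(2)

def service_findings(services, system_dir=r"C:\WINDOWS\system32"):
    """Return {service_name: [reasons]} for services matching Welchia's persistence.

    `services` is a list of dicts with keys name, display and path. The check is
    path-based because dllhost.exe and svchost.exe are also real Windows binaries."""
    sysdir = ntpath.normcase(system_dir)
    wins_dir = ntpath.join(sysdir, "wins")
    findings = {}
    for svc in services:
        path = ntpath.normcase(image_path(svc["path"]))
        exe, folder = ntpath.basename(path), ntpath.dirname(path)
        reasons = []
        if svc["display"].lower() in WELCHIA_DISPLAY_NAMES:
            reasons.append("display name used by Welchia: " + svc["display"])
        if exe in WELCHIA_BINARIES and folder != sysdir:
            reasons.append(exe + " running from outside " + system_dir)
        if folder == wins_dir:
            reasons.append("image stored in %System%\\Wins\\")
        if reasons:
            findings[svc["name"]] = reasons
    return findings

# Constructed sample: two legitimate services and the two worm services.
# RpcPatch / RpcTftpd are the internal names reported elsewhere, not on this page.
SAMPLE_SERVICES = [
    {"name": "RpcSs", "display": "Remote Procedure Call (RPC)",
     "path": r"C:\WINDOWS\system32\svchost.exe -k rpcss"},
    {"name": "COMSysApp", "display": "COM+ System Application",
     "path": r"C:\WINDOWS\system32\dllhost.exe"},
    {"name": "RpcPatch", "display": "WINS Client",
     "path": r"C:\WINDOWS\System32\Wins\dllhost.exe"},
    {"name": "RpcTftpd", "display": "Network Connections Sharing",
     "path": r"C:\WINDOWS\System32\Wins\svchost.exe"},
]

if __name__ == "__main__":
    for name, reasons in service_findings(SAMPLE_SERVICES).items():
        print(name, "->", "; ".join(reasons))
```

The legitimate svchost.exe and dllhost.exe entries produce no finding even though their file names match, while each worm service trips all three checks; a variant that changed the display names would still be caught by the path checks.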
Deletion of Lovesan
Welchia scans the system for the MSBLAST.EXE process (Lovesan/Blaster), terminates it and deletes the MSBLAST.EXE file from the hard drive.
Windows Patch Installation
The worm then checks the Windows registry for installed patches and service packs. If the patch for the DCOM RPC vulnerability (MS03-026) has not been installed, Welchia downloads it from Microsoft and installs it. Once the patch is successfully installed, the worm reboots the computer to complete the installation.
Spreading
Welchia uses two methods to choose target IP addresses. In the first, the worm takes the first two octets (A.B) of the local address and scans the whole A.B.0.0/16 range, working through every address whose third and fourth octets (C and D) are greater than zero.
In the second, the worm chooses a random IP address.
The worm builds two different exploit requests to send to remote computers. The first exploits the WebDAV vulnerability, the second exploits the DCOM RPC vulnerability, much as Lovesan does.
For each chosen address the worm first sends an ICMP echo request (ping) and waits for a reply. If the remote machine replies, the worm connects to it on TCP port 135 (like Lovesan) or TCP port 80 (if the machine runs IIS) and sends the prepared exploit packet; the payload then makes the victim download Welchia from the attacking machine via TFTP.
The worm then checks whether TFTPD.EXE exists on the newly infected machine. If it does not, Welchia downloads that file as well (naming it svchost.exe) into the %System%\Wins\ folder.
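The scan pattern above (a ping sweep of the local /16 followed by a connection to port 135 or 80 on every host that answered) is what shows up in flow data. The following is an added example, not part of the original description or the worm's own code: local_sweep() enumerates the first scan mode exactly as described, and detect_welchia_scanners() runs the ping-then-exploit correlation over a constructed set of flow records. The record layout and the thresholds (20 pinged hosts, 60-second window) are assumptions chosen for the example.

```python
import ipaddress
from collections import defaultdict

def local_sweep(addr):
    """Yield the targets of Welchia's first scan mode: the local address's own
    A.B.0.0/16, every C.D with both octets greater than zero, as described above."""
    a, b = addr.split(".")[:2]
    for c in range(1, 256):
        for d in range(1, 256):
            yield f"{a}.{b}.{c}.{d}"

def same_slash16(src, dst):
    return ipaddress.ip_address(dst) in ipaddress.ip_network(f"{src}/16", strict=False)

def detect_welchia_scanners(flows, min_targets=20, window=60):
    """Flag sources showing the ping-then-exploit sequence described above.

    flows: iterable of (seconds, src, dst, proto, detail) where detail is the ICMP
    type for proto "icmp" (8 = echo request, 0 = echo reply) and the destination
    port for proto "tcp". A source is reported when it has pinged at least
    min_targets distinct hosts in its own /16 and, within `window` seconds of an
    echo reply, opened TCP 135 or 80 to the host that replied."""
    pinged = defaultdict(set)       # scanner -> hosts it pinged inside its /16
    replied_at = {}                 # (scanner, responder) -> time of echo reply
    followups = defaultdict(set)    # scanner -> {(responder, port)}
    for ts, src, dst, proto, detail in sorted(flows, key=lambda f: f[0]):
        if proto == "icmp" and detail == 8 and same_slash16(src, dst):
            pinged[src].add(dst)
        elif proto == "icmp" and detail == 0:
            replied_at[(dst, src)] = ts          # reply travels responder -> scanner
        elif proto == "tcp" and detail in (135, 80):
            t = replied_at.get((src, dst))
            if t is not None and 0 <= ts - t <= window:
                followups[src].add((dst, detail))
    return {src: {"pinged": len(hosts), "exploit_attempts": sorted(followups[src])}
            for src, hosts in pinged.items()
            if len(hosts) >= min_targets and followups[src]}

def make_sample_flows():
    """Constructed sample: 10.1.5.20 sweeps 10.1.1.1-40, two hosts answer and are
    immediately hit on 135 and 80; 10.1.5.30 is a normal host pinging once."""
    flows = [(i, "10.1.5.20", f"10.1.1.{i}", "icmp", 8) for i in range(1, 41)]
    flows += [
        (7.5, "10.1.1.7", "10.1.5.20", "icmp", 0), (8.0, "10.1.5.20", "10.1.1.7", "tcp", 135),
        (9.5, "10.1.1.9", "10.1.5.20", "icmp", 0), (10.0, "10.1.5.20", "10.1.1.9", "tcp", 80),
        (1.0, "10.1.5.30", "8.8.8.8", "icmp", 8), (1.2, "8.8.8.8", "10.1.5.30", "icmp", 0),
        (2.0, "10.1.5.30", "10.1.1.7", "tcp", 445),
    ]
    return flows

SAMPLE_FLOWS = make_sample_flows()

if __name__ == "__main__":
    print(detect_welchia_scanners(SAMPLE_FLOWS))
```

Correlating the TCP connection with a preceding echo reply from the same host is what separates the worm from an ordinary ping sweep or an ordinary burst of RPC traffic; the second, random-address scan mode will not show up as an in-/16 sweep and needs a separate, volume-based rule.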
Other
Once the system date reaches the year 2004, Welchia stops functioning and deletes itself from the system.