Welchia
From Wikipedia, the free encyclopedia
The Welchia worm, also known as the "Nachia worm," is a computer worm that exploits a vulnerability in the Microsoft Remote Procedure Call (RPC) service, similar to the Blaster worm. However, unlike Blaster, it tries to help the user by downloading and installing security patches from Microsoft, so it is a helpful worm. Even though it intends no harm, it can increase network traffic and reboot the infected computer, and, more importantly, it operates without consent and does not log anything. It has had several different variants and child worms. It was discovered on August 18, 2003.
This worm infected systems by exploiting vulnerabilities in Microsoft Windows system code (TFTPD.EXE and TCP on ports 666-765, and a buffer overflow of the RPC on port 135). Its method of infection was to create a remote shell and instruct the system to download the worm by TFTPD.EXE. TFTPD is only present on certain operating systems, and, without it, the connection fails at this stage. Specifically, the Welchia worm targeted machines running Windows XP.
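The port pattern described above can be turned into a simple network detection. The following Python sketch is an added example, not code from the article or from any vendor: it correlates flow records per host pair and flags pairs that show TCP 135, a TCP port in 666-765 and TFTP within a short window. The record format, the sample flows and the 60-second window are constructed assumptions, UDP 69 is the standard TFTP port, and the match ignores direction because the article does not state it.

```python
from collections import defaultdict

# Constructed flow records (not real captures): epoch seconds, src, dst, proto, dst port.
SAMPLE_FLOWS = """\
1000 10.0.0.5 10.0.0.9 tcp 135
1002 10.0.0.9 10.0.0.5 tcp 707
1003 10.0.0.9 10.0.0.5 udp 69
1010 10.0.0.7 10.0.0.8 tcp 135
1500 10.0.0.8 10.0.0.7 tcp 700
2000 10.0.0.3 10.0.0.4 tcp 445
2001 10.0.0.4 10.0.0.3 udp 69
"""

WINDOW = 60  # seconds; assumed correlation window, tune for your network

def classify(proto, port):
    """Map a flow to the stage of the sequence it could belong to."""
    if proto == "tcp" and port == 135:
        return "rpc"      # RPC service named in the article
    if proto == "tcp" and 666 <= port <= 765:
        return "shell"    # port range named in the article
    if proto == "udp" and port == 69:
        return "tftp"     # standard TFTP port
    return None

def find_suspect_pairs(text, window=WINDOW):
    """Return sorted host pairs showing rpc, shell and tftp traffic within `window`."""
    events = defaultdict(list)  # frozenset({a, b}) -> [(ts, stage)]
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] == parts[2]:
            continue  # skip malformed records and self-connections
        ts, src, dst, proto, port = parts
        stage = classify(proto.lower(), int(port))
        if stage:
            events[frozenset((src, dst))].append((int(ts), stage))
    hits = []
    for pair, evs in events.items():
        for t0 in (t for t, s in evs if s == "rpc"):
            later = {s for t, s in evs if t0 <= t <= t0 + window}
            if {"shell", "tftp"} <= later:
                hits.append(tuple(sorted(pair)))
                break
    return sorted(hits)

if __name__ == "__main__":
    for a, b in find_suspect_pairs(SAMPLE_FLOWS):
        print(f"possible Welchia-style infection sequence between {a} and {b}")
```

Only the first constructed pair matches: the second has its 666-765 session outside the window and no TFTP, and the third has TFTP without any port 135 contact.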
Once in the system, the worm would patch the vulnerability it used to gain access (thereby actually securing the system against other attempts to exploit the same method of intrusion) and run its payload, a series of Microsoft patches. It then would attempt to remove the "W32/Lovsan.worm.a" by deleting MSBLAST.EXE. If still in the system, the worm was programmed to self-remove on January 1, 2004, or after 120 days of processing, whichever came first.
While this worm did no apparent damage to individual systems (indeed, it actually helped to secure certain systems), it did create vast amounts of traffic by its transmission method, thereby slowing down the Internet and the Microsoft website. The worm also made some systems unstable by its workings, and, once the patches had been installed, it rebooted the system. Because of these effects, the worm was perceived as a threat, and a patch was released by all major antivirus companies.
Fixing a system infected with the Welchia worm is very simple, using command-line processes:
DATE 01-01-04
Shutdown -r
These commands set the system clock to January 1, 2004, thereby triggering the embedded code within the worm for self-removal. The second line, the shutdown -r command, makes the PC restart.