Worm.Win32.Welchia.b
Description Worm.Win32.Welchia.b
This worm spreads via the Internet using the DCOM RPC vulnerability in Microsoft Windows described in Microsoft Security Bulletin MS03-026. The worm also attempts to infect computers running Microsoft IIS 5.0 via the WebDAV vulnerability described in Microsoft Security Bulletin MS03-007. The worm is written in Visual C++, is approximately 12KB (12800 bytes) in size, and is compressed with UPX. This version of Welchia attempts to find and delete the worms Mydoom.a and Mydoom.b from the infected computer.
Installation
On launching, the worm copies itself to the %System%\drivers directory under the name svchost.exe and creates a service named 'WksPatch'. As a result, the worm is executed every time Windows starts. The service display name is three words chosen at random, one from each of the lists below:
First word: System, Security, Remote, Routing, Performance, Network, License, Internet
Second word: Logging, Manager, Procedure, Accounts, Event
Third word: Provider, Sharing, Messaging, Client
For example, the display name of the service could be 'Remote Accounts Client' or 'System Logging Provider'.
The worm creates a mutex named 'WksPatch_Mutex' to flag its presence in memory.
Deletion of Mydoom
The worm searches for the following files, which may have been created by Mydoom.a and Mydoom.b, and deletes them:
%System%\ctfmon.dll
%System%\Explorer.exe
%System%\shimgapi.dll
%System%\TaskMon.exe
Welchia.b also deletes the 'taskmon' value from the system registry auto-run key and overwrites the hosts file with its own data (identical to the default Windows hosts file).
Windows Patch Installation
The worm then scans the Windows system registry for installed patches and service packs. If the patch for the DCOM RPC vulnerability has not been installed, Welchia downloads the patch from download.microsoft.com. Once the patch has been downloaded and installed, the worm reboots the computer to complete the installation.
Propagation
The worm creates two different requests to send to remote machines. The first contains a WebDAV exploit, and the second contains a DCOM RPC exploit almost identical to the one used in Lovesan. Welchia.b selects an IP address, sends an ICMP echo request and waits for a response. If the remote computer responds, the worm connects to it on port 135 (as Lovesan did) or on port 80 (if the remote computer runs IIS). The worm then sends a packet that causes the remote machine to download Welchia from the infecting machine.
Other
The worm searches the directories of the local IIS installation for files with the following extensions: shtml, shtm, stm, cgi, php, html, htm, asp. If the infected machine's system code page is Japanese, it overwrites these files with the following text:
LET HISTORY TELL FUTURE !
1931.9.18 1937.7.7 1937.12.13 300,000 !
1941.12.7 1945.8.6 Little boy 1945.8.9 Fatso
1945.8.15 Let history tell future !
The worm ceases to function on 1st June 2004.
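The service name, display-name word lists, dropped-file path and mutex described above are host-based indicators that can be checked mechanically. The following Python is an example added here, not code from the encyclopedia entry or from the worm; the service records and mutex names it inspects are constructed inline to stand in for a live enumeration (a real check would read Win32_Service and the named-object directory on the host), and the record keys `name`, `display_name` and `path` are my own assumption.

```python
import itertools
from typing import Dict, Iterable, List

# Display-name word lists quoted in the description: 8 x 5 x 4 = 160 possible names.
FIRST = ["System", "Security", "Remote", "Routing", "Performance", "Network", "License", "Internet"]
SECOND = ["Logging", "Manager", "Procedure", "Accounts", "Event"]
THIRD = ["Provider", "Sharing", "Messaging", "Client"]
DISPLAY_NAMES = frozenset(" ".join(words) for words in itertools.product(FIRST, SECOND, THIRD))

SERVICE_NAME = "wkspatch"                         # service the worm registers (compared case-insensitively)
MUTEX_NAME = "WksPatch_Mutex"                     # in-memory presence flag
DROPPED_PATH_SUFFIX = "\\drivers\\svchost.exe"    # %System%\drivers\svchost.exe; the real svchost.exe lives in %System% itself


def image_path(path_name: str) -> str:
    """Reduce a service command line (quoted or not, with or without arguments) to its lower-cased executable path."""
    p = path_name.strip()
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]
    else:
        p = p.split(" ", 1)[0]
    return p.lower()


def service_findings(svc: Dict[str, str]) -> List[str]:
    """Indicators matched by a single service record (keys name, display_name, path are assumed)."""
    hits = []
    if svc["name"].lower() == SERVICE_NAME:
        hits.append("service name WksPatch")
    if svc["display_name"] in DISPLAY_NAMES:
        hits.append("display name built from the Welchia.b word lists")
    if image_path(svc["path"]).endswith(DROPPED_PATH_SUFFIX):
        hits.append("binary runs from %System%\\drivers\\svchost.exe")
    return hits


def scan_host(services: Iterable[Dict[str, str]], mutexes: Iterable[str]) -> dict:
    """Correlate service and mutex indicators; only services with at least one hit are reported."""
    report = {"mutex_present": MUTEX_NAME in set(mutexes), "services": {}}
    for svc in services:
        hits = service_findings(svc)
        if hits:
            report["services"][svc["name"]] = hits
    return report


# Constructed sample data standing in for a live enumeration (Win32_Service records and the
# names found in the \BaseNamedObjects directory); not captured from a real infection.
SAMPLE_SERVICES = [
    {"name": "RpcSs", "display_name": "Remote Procedure Call (RPC)",
     "path": r"C:\WINDOWS\system32\svchost -k rpcss"},
    {"name": "Dhcp", "display_name": "DHCP Client",
     "path": r'"C:\WINDOWS\system32\svchost.exe" -k netsvcs'},
    {"name": "WksPatch", "display_name": "Network Event Client",
     "path": r"C:\WINDOWS\system32\drivers\svchost.exe"},
]
SAMPLE_MUTEXES = ["WksPatch_Mutex", "ExampleUnrelatedMutex"]

if __name__ == "__main__":
    print(scan_host(SAMPLE_SERVICES, SAMPLE_MUTEXES))
```

The path indicator is the strongest of the three: a service whose image is svchost.exe under the drivers directory rather than in %System% has no legitimate reason to exist. A display name drawn from the word lists can collide with an ordinary third-party service, so treat it as a lead and the WksPatch name plus the drivers\svchost.exe path plus the mutex as confirmation.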
Carcel
Description Carcel
This is a benign memory resident stealth boot virus. It hooks INT 13h and infects the MBR of the hard drive and the boot sector of floppy disks that are accessed. On May 25 it also hooks INT 1Ch and displays vertical columns and the text: "CARCEL!" (see also the "Barrotes" DOS parasitic virus).
Career Family
Description Career Family
These are harmless memory resident parasitic viruses. They hook INT 21h and write themselves to the end of COM files that are executed. A file is infected only if its first instruction is a JMP (E9h). The 3rd and 4th bytes of an infected file are the word "UK". These viruses also contain the internal text string: "tenUKCareer of Evil".
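The JMP-at-offset-0 and "UK" marker rules above translate directly into a file-format check. The following Python is an example added here, not code from the encyclopedia or from the virus; it reads "3rd and 4th bytes" as 1-based, i.e. file offsets 2 and 3, which means the 'U' doubles as the high byte of the JMP's 16-bit displacement, so the jump always lands at file offset 3 + 55xxh. The sample images are constructed inline and contain only the text marker and a DOS exit stub, no virus code.

```python
from typing import Optional

# Markers taken from the description above.
JMP_REL16 = 0xE9                      # opcode of the near JMP that must open the host
MARKER = b"UK"                        # 3rd and 4th bytes of an infected file, read here as offsets 2 and 3
INTERNAL_STRING = b"tenUKCareer of Evil"
COM_LOAD_OFFSET = 0x100               # DOS loads a COM image at CS:0100h, right after the PSP


def jmp_target_offset(image: bytes) -> Optional[int]:
    """File offset that the JMP rel16 at offset 0 transfers control to, or None if the file does not start with one."""
    if len(image) < 3 or image[0] != JMP_REL16:
        return None
    disp = int.from_bytes(image[1:3], "little", signed=True)
    # IP after the 3-byte instruction is 0103h; the displacement is relative to that, with 16-bit wraparound.
    ip = (COM_LOAD_OFFSET + 3 + disp) & 0xFFFF
    return ip - COM_LOAD_OFFSET


def scan_com(image: bytes) -> dict:
    """Check one COM image for the Career markers; return the individual findings plus a verdict."""
    target = jmp_target_offset(image)
    findings = {
        "starts_with_jmp": target is not None,
        "uk_marker": image[2:4] == MARKER,
        "jmp_target": target,
        "jmp_lands_in_file": target is not None and 0 <= target < len(image),
        "internal_string": INTERNAL_STRING in image,   # corroborating only, not required
    }
    # Verdict: entry JMP, the UK marker, and a jump that lands inside the file (on the appended body).
    findings["infected"] = (
        findings["starts_with_jmp"] and findings["uk_marker"] and findings["jmp_lands_in_file"]
    )
    return findings


# --- constructed samples (no real virus code) -----------------------------------------
EXIT_STUB = bytes([0xB4, 0x4C, 0xCD, 0x21])   # mov ah,4Ch / int 21h: terminate program


def build_infected_sample() -> bytes:
    """Lay out a host the way the description implies: JMP at 0, 'K' right after it, body appended at the end."""
    disp = (ord("U") << 8) | 0x00             # 0x5500: the high displacement byte is the 'U' of "UK"
    body_offset = 3 + disp                    # 21763: where the JMP at offset 0 lands
    head = bytes([JMP_REL16, disp & 0xFF, disp >> 8]) + b"K"
    padding = b"\x90" * (body_offset - len(head) - len(EXIT_STUB))
    body = b"\x90" * 8 + INTERNAL_STRING + EXIT_STUB     # stand-in for the appended virus body
    return head + EXIT_STUB + padding + body


CLEAN_PLAIN = EXIT_STUB                                                   # COM that does not begin with a JMP
CLEAN_WITH_JMP = bytes([JMP_REL16, 0x02, 0x00, 0x90, 0x90]) + EXIT_STUB   # JMP over two NOPs, no marker


if __name__ == "__main__":
    for label, sample in [("infected", build_infected_sample()),
                          ("clean", CLEAN_PLAIN),
                          ("clean-with-jmp", CLEAN_WITH_JMP)]:
        print(label, scan_com(sample))
```

A COM file that happens to begin with a JMP is common, so the opcode alone is not a signal; the verdict requires the marker word and a jump target that actually falls inside the file, and the internal string is reported separately because a scanner should not depend on a text string that a variant could trivially change.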