What is the Welchia worm aka MSBlast.D, LoveSan.D or Nachia?
The Welchia (MSBLAST.D or Nachi) worm infects machines over network connections. It can attack entire networks of computers or a single computer connected to the Internet. Like the original MSBlast worm, it exploits a known Windows vulnerability that is easily patched, yet few systems seem to have the patch installed. It attacks Windows 2000 and Windows XP machines through the DCOM RPC vulnerability and uses TFTP (Trivial File Transfer Protocol) to download its files onto a system. It also exploits a second vulnerability, the WebDAV exploit, to travel from system to system.
Ironically, this worm attempts to patch the RPC DCOM buffer overflow. It first checks the running Windows version and then downloads a patch from Microsoft. In essence, this worm patches your computer against the MSBlast.A worm. When the current system year is 2004, the worm removes itself from the system.
Download the Windows patches for these vulnerabilities by clicking on the links below:
- Windows XP: DCOM/RPC Exploit patch
- Windows 2000: DCOM/RPC Exploit patch
- Windows XP: WebDAV Exploit patch (IIS Remote Exploit from ntdll.dll)
- Windows 2000: WebDAV Exploit patch (IIS Remote Exploit from ntdll.dll)
What are the DCOM Vulnerability and WebDAV Exploits?
The DCOM vulnerability in Windows 2000 and XP can allow an attacker to remotely compromise a computer running Microsoft® Windows® and gain complete control over it. The worm causes a buffer overrun in the Remote Procedure Call (RPC) service; once that service is terminated, the worm infects the machine and then tries to infect other machines.
The WebDAV exploit is a security issue identified in Microsoft® Windows XP, 2000, and NT running IIS 5.0 that could allow an attacker to take control of your computer. This issue is most likely to affect computers used as Web servers.
How Does the Welchia Worm Infect My Computer?
- Copies itself to the Wins directory in the System or System32 folder in Windows, usually C:\Windows\System32\Wins\Dllhost.exe for Windows XP or C:\WinNT\System32\Wins\Dllhost.exe for Windows NT/2000. There is a legitimate file called Dllhost.exe (about 5-6K) in the System32 directory.
- Makes a copy of the TFTP server (TFTPD.exe) from the Dllcache directory to the following locations: C:\Windows\System32\Wins\svchost.exe for Windows XP or C:\WinNT\System32\Wins\svchost.exe for Windows NT/2000. NOTE: Svchost.exe is a legitimate program, which is not malicious, found in the System32 directory.
- Creates the following services:
  Service Name: RpcTftpd
  Display Name: Network Connections Sharing
  File: %System%\wins\svchost.exe
  This service will be set to start manually.
  Service Name: RpcPatch
  Display Name: WINS Client
  File: %System%\wins\dllhost.exe
  This service will be set to start automatically.
- Ends the process MSBLAST and deletes the file %System%\msblast.exe, which is dropped by the worm MSBlast.A.
First, it checks the operating system version,
then it downloads the appropriate patch from the designated Microsoft
Web site. After executing the patch, it reboots the system.
Some of the patches it downloads onto the system are as follows:
- http://download.microsoft.com/download/6/9/5/6957d785-fb7a-4ac9-b1e6-cb99b62f9f2a/Windows2000-KB823980-x86-KOR.exe
- http://download.microsoft.com/download/5/8/f/58fa7161-8db3-4af4-b576-0a56b0a9d8e6/Windows2000-KB823980-x86-CHT.exe
- http://download.microsoft.com/download/2/8/1/281c0df6-772b-42b0-9125-6858b759e977/Windows2000-KB823980-x86-CHS.exe
- http://download.microsoft.com/download/0/1/f/01fdd40f-efc5-433d-8ad2-b4b9d42049d5/Windows2000-KB823980-x86-ENU.exe
- http://download.microsoft.com/download/e/3/1/e31b9d29-f650-4078-8a76-3e81eb4554f6/WindowsXP-KB823980-x86-KOR.exe
- http://download.microsoft.com/download/2/3/6/236eaaa3-380b-4507-9ac2-6cec324b3ce8/WindowsXP-KB823980-x86-CHT.exe
- http://download.microsoft.com/download/a/a/5/aa56d061-3a38-44af-8d48-85e42de9d2c0/WindowsXP-KB823980-x86-CHS.exe
- http://download.microsoft.com/download/9/8/b/98bcfad8-afbc-458f-aaee-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe
The downloaded patch has the file name RpcServicePack.exe. The worm deletes this file after it is run.
Before downloading or installing the patch, the worm first checks specific registry keys to determine whether the patch has already been installed.
The worm travels through a computer network or local area network looking for unpatched, vulnerable machines. It uses a ping to determine whether a machine is active on the network. Once the worm identifies an active machine, it either sends data to TCP port 135, which exploits the DCOM RPC vulnerability, or sends data to TCP port 80 to exploit the WebDAV vulnerability.
- Creates a remote shell on the vulnerable host that connects back to the attacking computer on a random TCP port between 666 and 765 to receive instructions.
- Launches the TFTP server on the attacking machine and instructs the victim machine to connect and download Dllhost.exe and Svchost.exe from it. If the file %System%\dllcache\tftpd.exe exists, the worm may not download svchost.exe.
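The sweep pattern just described (a ping, then TCP 135 or 80 to the hosts that answered, then a victim connecting back on a port between 666 and 765) can be turned into a detection over firewall logs. This is an added example, not part of the original page: the log line format and sample entries are constructed for illustration, and Find-WelchiaScanners is a hypothetical helper name.

```powershell
# Added example (not from the original page): flag Welchia-style sweeps in constructed firewall log lines.
function Find-WelchiaScanners {
    param([string[]]$Lines, [int]$MinPingedHosts = 3)
    $pattern   = '^(?<ts>\S+ \S+) (?<proto>ICMP|TCP) (?<src>[\d.]+) -> (?<dst>[\d.]+)(?::(?<port>\d+))? (?<info>\S+)$'
    $pinged    = @{}   # src -> set of hosts it sent echo-requests to
    $exploited = @{}   # src -> hosts it then hit on TCP 135 (DCOM RPC) or 80 (WebDAV)
    $callbacks = @{}   # attacker -> victims connecting back on TCP 666-765 (remote shell)
    foreach ($line in $Lines) {
        if (-not ($line -match $pattern)) { continue }
        $src = $Matches.src; $dst = $Matches.dst
        if ($Matches.proto -eq 'ICMP') {
            if ($Matches.info -eq 'echo-request') {
                if (-not $pinged[$src]) { $pinged[$src] = @{} }
                $pinged[$src][$dst] = $true
            }
            continue
        }
        $port = [int]$Matches.port
        if ((@(135, 80) -contains $port) -and $pinged[$src] -and $pinged[$src][$dst]) {
            if (-not $exploited[$src]) { $exploited[$src] = @{} }
            $exploited[$src][$dst] = $port           # exploit attempt against a host it just pinged
        } elseif ($port -ge 666 -and $port -le 765) {
            if (-not $callbacks[$dst]) { $callbacks[$dst] = @() }
            $callbacks[$dst] += $src                 # possible remote-shell callback to the attacker
        }
    }
    foreach ($src in $pinged.Keys) {
        if ($pinged[$src].Count -lt $MinPingedHosts -or -not $exploited[$src]) { continue }
        [pscustomobject]@{
            Source          = $src
            HostsPinged     = $pinged[$src].Count
            HostsExploited  = @($exploited[$src].Keys | Sort-Object) -join ','
            PortsUsed       = @($exploited[$src].Values | Sort-Object -Unique) -join ','
            CallbackVictims = @($callbacks[$src] | Sort-Object -Unique) -join ','
        }
    }
}
# Constructed sample: 10.0.0.5 sweeps three hosts, hits two, and one victim calls back; 10.0.0.9 is benign.
$sampleLog = @(
    '2003-08-18 10:00:01 ICMP 10.0.0.5 -> 10.0.0.20 echo-request',
    '2003-08-18 10:00:01 ICMP 10.0.0.5 -> 10.0.0.21 echo-request',
    '2003-08-18 10:00:01 ICMP 10.0.0.5 -> 10.0.0.22 echo-request',
    '2003-08-18 10:00:02 TCP 10.0.0.5 -> 10.0.0.20:135 SYN',
    '2003-08-18 10:00:02 TCP 10.0.0.5 -> 10.0.0.21:80 SYN',
    '2003-08-18 10:00:03 TCP 10.0.0.20 -> 10.0.0.5:702 SYN',
    '2003-08-18 10:00:05 ICMP 10.0.0.9 -> 10.0.0.1 echo-request',
    '2003-08-18 10:00:06 TCP 10.0.0.9 -> 10.0.0.1:443 SYN'
)
Find-WelchiaScanners -Lines $sampleLog | Format-Table -AutoSize
```

Only 10.0.0.5 is reported; a single ping followed by an ordinary connection, as from 10.0.0.9, stays below the threshold.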
How Can I Remove the Welchia or MSBLAST.D worm?
Follow these steps to remove the Welchia or MSBLAST.D worm.
1) Disconnect your computer from the local area network or Internet.
2) Terminate the running program
- Open a command prompt window. Click Start>Run, type CMD and then press the Enter key.
- At the command prompt, type the following:
NET STOP "Network Connections Sharing"
- Press the Enter key. A message should indicate that the service has been stopped successfully.
- Do the same to stop the following service:
NET STOP "WINS Client"
- Close the command prompt window.
3) Remove the Registry Entries
- Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
- In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>
- In the left panel, delete the subkeys:
RpcPatch
RpcTftpd
- Close Registry Editor.
4) Install the patches for the DCOM RPC Exploit or WebDAV exploit. You can download the patches from the links below before disconnecting:
DCOM RPC Exploit
- Windows XP Pro/Home Edition
- Windows 2000
WebDAV Exploit
- Windows XP
- Windows 2000
5) Delete the infected files (for Windows ME and XP, remember to turn off System Restore before searching for and deleting these files, so that infected backed-up files are removed as well)
- Click Start, point to Find or Search, and then click Files or Folders.
- Make sure that "Look in" is set to (C:\WINDOWS).
- In the "Named" or "Search for..." box, type, or copy and paste, the file names:
svchost.exe
dllhost.exe
- Click Find Now or Search Now.
- Delete the svchost.exe file in the c:\windows\system32\wins directory.
- Delete the dllhost.exe file in the c:\windows\system32\wins directory.
- Empty the Recycle Bin.
6) Reboot the computer, reconnect the network, update your antivirus software, and run a thorough virus scan using your favorite antivirus program.
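The same artifacts the infection section lists (the RpcTftpd and RpcPatch services, their keys under HKLM\SYSTEM\CurrentControlSet\Services, and the dllhost.exe and svchost.exe copies in %System%\wins) can be checked in one pass, and the removal steps above applied only when something is found. This is an added example, not code from the original page; Test-WelchiaArtifacts is a hypothetical helper name, and it assumes an elevated PowerShell 4.0 or later session on a machine already disconnected from the network.

```powershell
# Added example, not from the original page: read-only triage for the Welchia artifacts
# described above, with an opt-in -Remove switch that mirrors the manual removal steps.
function Test-WelchiaArtifacts {
    param([switch]$Remove)
    $system   = [Environment]::GetFolderPath('System')   # %System%, e.g. C:\Windows\System32
    $winsDir  = Join-Path $system 'wins'
    $services = 'RpcTftpd', 'RpcPatch'                    # service names the worm registers
    $files    = 'dllhost.exe', 'svchost.exe'              # copies the worm drops into 'wins'
    $findings = @()

    # Services and their registry keys under HKLM\SYSTEM\CurrentControlSet\Services
    foreach ($name in $services) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc) { $findings += "Service present: $name ('$($svc.DisplayName)', $($svc.Status))" }
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (Test-Path $key) { $findings += "Registry key present: $key" }
    }

    # The legitimate dllhost.exe and svchost.exe live in System32 itself, so a copy
    # inside the 'wins' subfolder is the indicator regardless of its hash.
    foreach ($file in $files) {
        $path = Join-Path $winsDir $file
        if (Test-Path $path) {
            $hash = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
            $findings += "Dropped file present: $path (SHA256 $hash)"
        }
    }

    if (-not $findings) { return 'No Welchia artifacts found.' }
    if ($Remove) {
        # Same order as the manual steps: stop the services, remove their keys, delete the files
        foreach ($name in $services) {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            Remove-Item "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -Recurse -Force -ErrorAction SilentlyContinue
        }
        foreach ($file in $files) {
            Remove-Item (Join-Path $winsDir $file) -Force -ErrorAction SilentlyContinue
        }
        $findings += 'Removal attempted: reboot, then install the DCOM RPC (KB823980) and WebDAV patches.'
    }
    return $findings
}

Test-WelchiaArtifacts          # report only; add -Remove to act on the findings
```

If a dropped file is still locked after the services are stopped, reboot and run the function again before patching.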
This worm is similar to the MSBlaster worm; you can find more information about MSBLAST.A by visiting this page.