| The Welchia (MSBLAST.D or Nachi) worm infects
machines via network connections. It can attack entire networks of
computers or one single computer connected to the Internet. Similar to
the original MSBlast worm it exploits a known windows vulnerability
that is easily patched, however few systems seem to have this patch
installed. It attacks Windows 2000 and Windows XP machines and exploits
the
DCOM RPC Vulnerablity. It uses TFTP (Trivial File
Transfer Protocol) to download its files into a system. It also
exploits one more vulnerability known as the WebDAV
exploit to travel from system to system.
Ironically, this worm attempts to patch the RPC DCOM Buffer Overflow. It first checks for the running Windows version and then downloads a patch from Microsoft. In essence this worm patches your computer against the MSBlast.A worm. When the current system year is 2004, the worm removes itself from the system. |
Download the Windows patches for these vulnerabilities by clicking on the links below:
Windows 2000: DCOM/RPC Exploit patch
Windows XP: WebDAV Exploit patch (IIS Remote Exploit from ntdll.dll)
Windows 2000: WebDAV Exploit patch (IIS Remote Exploit from ntdll.dll)
What are the DCOM Vulnerability and WebDAV Exploits?
The DCOM vulnerability in Windows 2000 and XP can allow an attacker to remotely compromise a computer running Microsoft® Windows® and gain complete control over it. The worm causes a buffer overrun in the Remote Procedure Call (RPC) service. When this service is terminated the virus infects the machine and then tries to infect other machines.
The WebDAV exploit is a security issue identified in Microsoft® Windows XP, 2000, and NT running IIS 5.0 that could allow an attacker to take control of your computer. This issue is most likely to affect computers used as Web servers.
How Does the Welchia Worm Infect My Computer?
- Copies
itself to the Wins directory in the System or System32 folder in
Windows usually
C:\Windows\System32\Wins\Dllhost.exe for Windows XP or
C:\WinNT\System32\Wins\Dllhost.exe for Windows NT/2000
There is a legitimate file called Dllhost.exe (about 5-6K) in the System32 directory.
- Makes a
copy of the TFTP server (TFTPD.exe) from the Dllcache directory to the
following directories.
C:\Windows\System32\Wins\svchost.exe for Windows XP or
C:\WinNT\System32\Wins\svchost.exe for Windows NT/2000
NOTE: Svchost.exe is a legitimate program, which is not malicious, found in the System32 directory
- Creates
the following services:
Service Name: RpcTftpd
Display Name: Network Connections Sharing
File: %System%\wins\svchost.exe
This service will be set to start manually.
Service Name: RpcPatch
Display Name: WINS Client
File: %System%\wins\dllhost.exe
This service will be set to start automatically.
- Ends the
process, MSBLAST, and delete the file %System%\msblast.exe which is
dropped by the worm, MSBlast.A.
First, it checks the operating system version,
then it downloads the appropriate patch from the designated Microsoft
Web site. After executing the patch, it reboots the system.
Some of the patches it downloads into the system are as follows:
- http://download.microsoft.com/download/6/9/5/6957d785-fb7a-4ac9-b1e6-cb99b62f9f2a/Windows2000-KB823980-x86-KOR.exe
- http://download.microsoft.com/download/5/8/f/58fa7161-8db3-4af4-b576-0a56b0a9d8e6/Windows2000-KB823980-x86-CHT.exe
- http://download.microsoft.com/download/2/8/1/281c0df6-772b-42b0-9125-6858b759e977/Windows2000-KB823980-x86-CHS.exe
- http://download.microsoft.com/download/0/1/f/01fdd40f-efc5-433d-8ad2-b4b9d42049d5/Windows2000-KB823980-x86-ENU.exe
- http://download.microsoft.com/download/e/3/1/e31b9d29-f650-4078-8a76-3e81eb4554f6/WindowsXP-KB823980-x86-KOR.exe
- http://download.microsoft.com/download/2/3/6/236eaaa3-380b-4507-9ac2-6cec324b3ce8/WindowsXP-KB823980-x86-CHT.exe
- http://download.microsoft.com/download/a/a/5/aa56d061-3a38-44af-8d48-85e42de9d2c0/WindowsXP-KB823980-x86-CHS.exe
- http://download.microsoft.com/download/9/8/b/98bcfad8-afbc-458f-aaee-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe
The downloaded patch has the file name, RpcServicePack.exe. This worm deletes this file after it is run.
Before downloading or installing the patch on the system, this worm first checks if the system has been previously patched by checking for specific registry keys to make sure the patch hasnt been installed.
The worm travels through a computer network or local area network looking for unpatched and vulnerable machines. The worm will use a ping to determine if the active machine is on a network.Once the worm identifies a machine as being active on the network, it will either send data to TCP port 135, which exploits the DCOM RPC vulnerability, or it will send data to TCP port 80 to exploit the WebDav vulnerability.
Creates a remote shell on the vulnerable host that will connect back to the attacking computer on a random TCP port between 666 and 765 to receive instructions.
Launches the TFTP server on the attacking machine, instructs the victim machine to connect and download Dllhost.exe and Svchost.exe from the attacking machine. If the file, %System%\dllcache\tftpd.exe exists, the worm may not download svchost.exe.
How Can I Remove the Welchia or MSBLAST.D worm?
Follow these steps in removing the Welchia or MSBLAST.D worm.
1) Disconnect your computer from the local area network or Internet
2) Terminate the running program
- Open a command prompt window. Click Start>Run, type CMD and then press the Enter key.
- At the
command prompt, type the following:
NET STOP "Network Connections Sharing" - Press the Enter key. A message should indicate that the service has been stopped successfully.
- Do the
same to stop the following service:
NET STOP "WINS Client" - Close the command prompt window.
3) Remove the Registry Entries
- Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
- In the
left panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services> - In the
left panel, delete the subkeys:
RpcPatch
RpcTftpd - Close Registry Editor.
3) Install the patches for the DCOM RPC Exploit or WebDAV exploit, you can download the patches from the links below before disconnecting
DCOM RPC Exploit
WebDAV Exploit
4) Delete the infected files (for Windows ME and XP remember to turn off System Restore before searching for and deleting these files to remove infected backed up files as well)
- Click
Start, point to Find or Search, and then click Files or Folders.
- Make
sure that "Look in" is set to (C:\WINDOWS).
- In the
"Named" or "Search for..." box, type, or copy and paste, the file names:
svchost.exe
dllhost.exe
- Click
Find Now or Search Now.
- Delete
the svchost.exe file in the c:\windows\system32\wins
directory
Delete the dllhost.exe file in the c:\windows\system32\wins directory
- Empty the Recycle bin.
5) Reboot the computer, reconnect the network, and update your antivirus software, and run a thorough virus scan using your favorite antivirus program.
This worm is similar to the MSBlaster worm, you can find more information about MSBLAST.A by visiting this page
| Search PCHell.com |
|
| site search by freefind | advanced |
Tools for Removing Spyware, Adware, and Malware
PC HELL
Other Pages
Welchia (Dllhost.exe and SVCHost.exe) Worm Removal
Uninstall Antivir Instructions
How to Manually Run the Microsoft Malicious Software Removal Tool
Bloodhound.Exploit.6 Virus Removal
Backdoor SDBot.H Trojan Removal
iPadastic - News, Tutorials, Help, Tips, and Hints for the iPad
Download Hoyle Games
including Casino 3D, Card, Board, and Solitaire games.
