What is the Welchia worm, aka MSBlast.D, LoveSan.D or Nachi?
The Welchia (MSBLAST.D or Nachi) worm infects machines via network connections. It can attack entire networks of computers or a single computer connected to the Internet. Like the original MSBlast worm, it exploits a known Windows vulnerability that is easily patched; however, few systems seem to have this patch installed. It attacks Windows 2000 and Windows XP machines through the DCOM RPC vulnerability, and uses TFTP (Trivial File Transfer Protocol) to download its files onto a system. It also exploits a second vulnerability, known as the WebDAV exploit, to travel from system to system.
This worm attempts to patch the RPC DCOM buffer overflow. It first checks the running Windows version and then downloads a patch from Microsoft. In essence, this worm patches your computer against the MSBlast.A worm.
When the current system year is 2004, the worm removes itself from the
the Windows patches for these vulnerabilities by clicking on the links
- Windows XP: DCOM/RPC Exploit patch
- Windows 2000: DCOM/RPC Exploit patch
- Windows XP: WebDAV Exploit patch (IIS Remote Exploit from ntdll.dll)
- Windows 2000: WebDAV Exploit patch (IIS Remote Exploit from ntdll.dll)
What are the DCOM Vulnerability and WebDAV Exploits?
The DCOM RPC vulnerability in Windows 2000 and XP can allow an attacker to remotely compromise a computer running Microsoft® Windows® and gain complete control over it. The worm causes a buffer overrun in the Remote Procedure Call (RPC) service. When this service is terminated, the virus infects the machine and then tries to infect other machines.
The WebDAV exploit is a security issue identified in Microsoft® Windows XP, 2000, and NT running IIS 5.0 that could allow an attacker to take control of your computer. This issue is most likely to affect computers used as Web servers.
How Does the Welchia Worm Infect My Computer?
- Copies itself to a Wins directory in the System or System32 folder, as C:\Windows\System32\Wins\Dllhost.exe for Windows XP or C:\WinNT\System32\Wins\Dllhost.exe for Windows 2000.
There is a legitimate file called Dllhost.exe (about 5-6K) in the System32 directory.
- Makes a copy of the TFTP server (TFTPD.exe) from the Dllcache directory to C:\Windows\System32\Wins\svchost.exe for Windows XP or C:\WinNT\System32\Wins\svchost.exe for Windows 2000.
NOTE: Svchost.exe is a legitimate program, which is not malicious, found in the System32 directory.
- Installs the following services:
Service Name: RpcTftpd
Display Name: Network Connections Sharing
This service will be set to start manually.
Service Name: RpcPatch
Display Name: WINS Client
This service will be set to start automatically.
- Ends the MSBLAST process and deletes the file %System%\msblast.exe, which is dropped by the MSBlast.A worm.
First, it checks the operating system version, then it downloads the appropriate patch from the designated Microsoft Web site. After executing the patch, it reboots the system.
The patches it downloads into the system are as follows:
The downloaded patch has the file name RpcServicePack.exe. The worm deletes this file after it is run.
Before downloading or installing the patch, the worm first checks for specific registry keys to determine whether the patch has already been installed.
The worm travels through a computer network or local area network looking for unpatched and vulnerable machines. It uses a ping to determine whether a machine on the network is active. Once the worm identifies a machine as active on the network, it either sends data to TCP port 135, which exploits the DCOM RPC vulnerability, or sends data to TCP port 80 to exploit the WebDAV vulnerability.
- Creates a remote shell on the vulnerable host that connects back to the attacking computer on a random TCP port between 666 and 765 to receive
- Launches the TFTP server on the attacking machine and instructs the victim machine to connect and download Dllhost.exe and Svchost.exe from the attacking machine. If the file %System%\dllcache\tftpd.exe exists, the worm may not download svchost.exe.
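The propagation chain above (ping, then an exploit attempt on TCP 135 or 80, then a shell connecting back on a port in 666-765, then a TFTP download from the attacker) is a pattern a defender can score over flow records from a network sensor. The following is an added example, not code from the original page; the Flow fields, the sweep threshold and the sample flows are constructed assumptions, and the chain is only credited stage by stage against the same target so that ordinary traffic touching one of these ports does not match.

```python
from dataclasses import dataclass
# Constructed flow records; field names are assumptions about a generic flow export.
@dataclass(frozen=True)
class Flow:
    proto: str           # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: int = 0       # destination port for tcp/udp
    icmp_type: int = -1  # 8 = echo request (ping)

EXPLOIT_PORTS = {135, 80}      # DCOM RPC (TCP 135) and WebDAV on IIS (TCP 80)
SHELL_PORTS = range(666, 766)  # connect-back shell on a random port 666-765
TFTP_PORT = 69                 # victim pulls Dllhost.exe/Svchost.exe over TFTP
PING_SWEEP_MIN = 10            # assumed threshold for calling pings a sweep

def welchia_indicators(flows, host):
    """Indicators of the ping -> exploit -> shell -> TFTP chain with `host` as attacker."""
    # Flows must be in time order. Each stage is credited only when the previous
    # stage was seen against the same target host.
    pinged, exploited, hits = set(), set(), set()
    for f in flows:
        if f.src == host and f.proto == "icmp" and f.icmp_type == 8:
            pinged.add(f.dst)
        elif f.src == host and f.proto == "tcp" and f.dport in EXPLOIT_PORTS:
            if f.dst in pinged:
                exploited.add(f.dst)
        elif f.dst == host and f.src in exploited:
            if f.proto == "tcp" and f.dport in SHELL_PORTS:
                hits.add("shell_connect_back")
            elif f.proto == "udp" and f.dport == TFTP_PORT:
                hits.add("tftp_download")
    if len(pinged) >= PING_SWEEP_MIN:
        hits.add("ping_sweep")
    if exploited:
        hits.add("exploit_after_ping")
    return hits

def suspected_infected(flows, min_indicators=3):
    """Map each source host to its indicators when it shows enough of them."""
    found = {h: welchia_indicators(flows, h) for h in {f.src for f in flows}}
    return {h: i for h, i in found.items() if len(i) >= min_indicators}

# Constructed sample: 10.0.0.5 sweeps 10.0.0.1-20, exploits 10.0.0.17 on TCP 135,
# gets a shell back on TCP 707 and serves files over TFTP; 10.0.0.9 is benign.
SAMPLE = [Flow("icmp", "10.0.0.5", f"10.0.0.{i}", icmp_type=8) for i in range(1, 21)]
SAMPLE += [Flow("tcp", "10.0.0.5", "10.0.0.17", 135),
           Flow("tcp", "10.0.0.17", "10.0.0.5", 707),
           Flow("udp", "10.0.0.17", "10.0.0.5", 69),
           Flow("icmp", "10.0.0.9", "10.0.0.1", icmp_type=8),
           Flow("tcp", "10.0.0.9", "10.0.0.1", 80)]
```

Running suspected_infected(SAMPLE) flags only 10.0.0.5, with all four indicators; the benign host's single ping followed by a web request scores just one.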
How Can I Remove the Welchia or MSBLAST.D Worm?
Follow these steps to remove the Welchia or MSBLAST.D worm.
Disconnect your computer from the local area network or Internet.
Terminate the running program:
- Open a command prompt window. Click Start>Run, type CMD and then press the Enter key.
- At the command prompt, type the following:
NET STOP "Network Connections Sharing"
and press the Enter key. A message should indicate that the service has been
- Do the same to stop the following service:
NET STOP "WINS Client"
- Close the command prompt window.
Remove the Registry Entries
- Open the Registry Editor. To do this, click Start>Run, type REGEDIT, then
- In the left panel, double-click the following:
- In the left panel, delete the subkeys:
If you have not yet installed the patches for the DCOM RPC exploit or WebDAV exploit, you can download them from the links below before disconnecting
Windows XP Pro/Home Edition
Delete the infected files (for Windows ME and XP, remember to turn off System Restore before searching for and deleting these files, so that infected backed-up files are removed as well).
- Click Start, point to Find or Search, and then click Files or Folders.
- Make sure that "Look in" is set to (C:\WINDOWS).
- In the "Named" or "Search for..." box, type, or copy and paste, the file names:
- Click Find Now or Search Now.
- Delete the svchost.exe file in c:\windows\system32\wins.
- Delete the dllhost.exe file in c:\windows\system32\wins.
- Empty the Recycle Bin.
Restart the computer, reconnect the network, update your antivirus software, and run a thorough virus scan using your favorite antivirus program.
Since this worm is similar to the MSBlaster worm, you can find more information about it by visiting this page