
Saturday, 11 October 2008       

Worm.Win32.Welchia. Spyware/Adware Definition


Name: Worm.Win32.Welchia.
Category: Viruses
Description:
Worm.Win32.Welchia.b
This worm spreads via the Internet using the DCOM RPC vulnerability in Microsoft Windows, which is described in Microsoft Security Bulletin MS03-026.
The worm also attempts to infect computers where Microsoft IIS 5.0 is installed, via the WebDAV vulnerability described in Microsoft Security Bulletin MS03-007.
The worm is written in Visual C++, and is approximately 12KB (12800 bytes) in size, compressed using UPX.
This version of Welchia attempts to find and delete the worms Mydoom.a and Mydoom.b from the computer.
Installation
On launching, the worm copies itself to the %System%\drivers directory under the name svchost.exe, and then creates a service named 'WksPatch'. As a result, the worm will execute every time Windows is launched. The service display name is three words, randomly generated from the lists below:
First word:
System
Security
Remote
Routing
Performance
Network
License
Internet
Second word:
Logging
Manager
Procedure
Accounts
Event
Third word:
Provider
Sharing
Messaging
Client
For example, the display name of the service could be 'Remote Accounts Client' or 'System Logging Provider'.
The worm creates a unique identifier 'WksPatch_Mutex' to flag its presence in memory.
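The service name, the 160 possible display names built from the word lists above, and the drop path together give a defender a simple host-based check. The following is an added example written for this page (not part of the original definition): it enumerates every display name the worm can generate and flags service records that match any of these indicators. The service records are constructed sample data, not output from a real system; the mutex 'WksPatch_Mutex' is a separate indicator that is not visible in service records and is therefore not checked here.

```python
import itertools
import re
from dataclasses import dataclass

# Word lists the description gives for the randomly generated display name.
FIRST = ["System", "Security", "Remote", "Routing", "Performance",
         "Network", "License", "Internet"]
SECOND = ["Logging", "Manager", "Procedure", "Accounts", "Event"]
THIRD = ["Provider", "Sharing", "Messaging", "Client"]

# Every display name the worm can produce: 8 * 5 * 4 = 160 combinations.
WELCHIA_DISPLAY_NAMES = {
    " ".join(words) for words in itertools.product(FIRST, SECOND, THIRD)
}

SERVICE_NAME = "WksPatch"
# Drop location %System%\drivers\svchost.exe; the real svchost.exe lives
# directly in %System%, so the "drivers" component is the discriminator.
DROP_PATH = re.compile(r"\\drivers\\svchost\.exe$", re.IGNORECASE)

@dataclass
class ServiceRecord:
    name: str          # service (registry key) name
    display_name: str  # human-readable display name
    image_path: str    # ImagePath value, quotes and arguments allowed

def welchia_indicators(svc: ServiceRecord) -> list[str]:
    """Return the Welchia.b indicators that a single service record matches."""
    hits = []
    if svc.name.lower() == SERVICE_NAME.lower():
        hits.append("service name WksPatch")
    if svc.display_name in WELCHIA_DISPLAY_NAMES:
        hits.append("display name from Welchia word lists")
    if DROP_PATH.search(svc.image_path.strip('"')):
        hits.append("binary in %System%\\drivers\\svchost.exe")
    return hits

# Constructed sample records (hypothetical, not captured from a real host).
SAMPLE_SERVICES = [
    ServiceRecord("RpcSs", "Remote Procedure Call (RPC)",
                  r"C:\WINDOWS\system32\svchost.exe -k rpcss"),
    ServiceRecord("WksPatch", "Remote Accounts Client",
                  r"C:\WINDOWS\system32\drivers\svchost.exe"),
    ServiceRecord("Eventlog", "Event Log",
                  r"C:\WINDOWS\system32\services.exe"),
]

def scan(services=SAMPLE_SERVICES) -> dict[str, list[str]]:
    """Map each suspicious service name to the list of indicators it matched."""
    return {s.name: h for s in services if (h := welchia_indicators(s))}
```

On a live Windows host the records would be read from HKLM\SYSTEM\CurrentControlSet\Services; the legitimate svchost.exe and "Remote Procedure Call (RPC)" service above are included to show that neither triggers a match.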
Deletion of Mydoom
The worm searches for files which could have been created by Mydoom.a and Mydoom.b and deletes them:
%System%\ctfmon.dll
%System%\Explorer.exe
%System%\shimgapi.dll
%System%\TaskMon.exe
Welchia.b also deletes the taskmon key from the system registry auto-run key and overwrites the hosts file with its own data (identical to the default Windows data).
Windows Patch Installation
The worm then scans the Windows system registry for installed patches and service packs. If the patch for the DCOM RPC vulnerability has not been installed, Welchia will download the patch from download.microsoft.com. Once the patch is successfully downloaded and installed, the worm reboots the computer to complete installation.
Propagation
The worm creates two different requests to be sent to remote machines. The first request contains a WebDAV exploit, and the second contains a DCOM_RPC exploit which is almost identical to the one used in Lovesan.
Welchia.b selects an IP address, sends an ICMP request and waits for a response. If the remote computer responds, the worm connects to this computer via port 135 (as did Lovesan) or via port 80 (if the remote computer uses IIS). The worm then sends a packet which loads Welchia from the host machine.
Other
The worm searches the directories of the local IIS installation for files with the following extensions:
shtml
shtm
stm
cgi
php
html
htm
asp
If the infected machine's code page is Japanese, it overwrites these files with the following text:
LET HISTORY TELL FUTURE !

1931.9.18
1937.7.7
1937.12.13 300,000 !

1941.12.7
1945.8.6 Little boy
1945.8.9 Fatso

1945.8.15
Let history tell future !
The worm ceases to function on 1st June 2004.

