Welchia
Welchia
Type Internet worm
Creator
Date Discovered 2003.08.18
Place of Origin
Source Language C++
Platform MS Windows
File Type(s) .exe
Infection Length 12,800 bytes
Reported Costs

The Welchia worm (also known as Nachi) is a Nematode that deletes Blaster and patches the vulnerabilities that made Blaster possible. While it does not have any intentionally harmful effects, it tends to slow down computers and networks.

Behavior

A machine that Welchia is about to infect will receive a ICMP echo request, or PING, which is the worm checking if it has a valid IP address. The worm on the infecting computer will send exploit code to the target computer in one of two ways. It may exploit the DCOM RPC vulnerability (the one that Blaster used to spread) will send its exploit code through port 135. If the machine is running IIS, it may exploit a vulnerability in WebDav, in which case it will send its code through port 80. It creates a remote shell which connects to the attacking machine on any random port between 666 and 765 that listens for instructions from the worm on the attacking computer. In most cases, it is port 707. It then instructs the target to download the worm via TFTP to the system folder subdirectory "Wins" as dllhost.exe and execute it.

Welchia checks if the file tftpd.exe exists in the system folder subdirectory "dllcache". If it does not, it will download that file also as svchost.exe to Wins. This is to make sure that there is a TFTP server to send a copy of itself to a new computer.

Welchia ends the msblast process and deletes the file msblast.exe. It checks the registry to see if the patch for the DCOM RPC vulnerability has been installed. If not, it will download and install them. When the patch has been successfully installed, Welchia will reboot the computer, which completes the installation.

The worm begins spreading to other systems by selecting IP addresses. It will base the IP addresses on that of the current system, taking the first two numbers and generating the last two by counting from 0 to 255. It sends an ICMP echo request, or PING to each of them, and begins the exploiting procedure if it receives a response.

Welchia deletes itself when the year changes to 2004.

Effects

Welchia infected the intranet of the Navy Marine Corps and consumed three quarters of its capacity, rendering it useless for some time. No specific number of infected systems was given.

The worm also infected the network of the State Department, causing the department to shut down the network for nine hours. While no classified files were compromised, the "Consular Check System", used for performing background checks on foreigners seeking visas, was affected. This caused a nine hour delay in processing and issuing visas.

Name

Welchia was likely named by antivirus companies for the "'''Wel'''come '''Chia'''n text found in the worm body. It is also called Nachi or may be considered the variant Blaster.D.

Antivirus Aliases

*ClamAV: Worm.Blaster.D
*Doctor Web: Win32.HLLW.LoveSan.2
*Kaspersky: Net-Worm.Win32.Welchia.a
*McAfee: W32/Nachi.worm.a
*Sophos: W32/Nachi-A
*Symantec: W32.Welchia.Worm
*Trend Micro: WORM_NACHI.A

Variants

Welchia is described by some Antivirus Vendors as a variant of Blaster. Welchia.B deletes Mydoom.A. It also displays a message that says "LET HISTORY TELL FUTURE !" and makes a reference to the atomic bombings of Japan.

Other Facts

The worm contains the following text strings:

I love my wife & baby :-)
Welcome Chian
Notice: 2004 will remove myself:-)
sorry zhongli

While Welchia deletes Blaster and even itself after a certain amount of time, some security experts described it as being a case in which the cure is worse than the disease. They cite the worm's resource consumption, the unexpected shutdown and the fact that it comes from an unknown source and say that it is therefore untrustworthy.

Beneficial viruses and worms have long been controversial. SecurityFocus has given these worms the name "Nematode", after a species of worm that kills garden pests. Vesselin Bontchev concluded in a 1994 paper that they are possible and finds such uses for them in areas such as anti–virus, file compression, disk encryption, and system maintenance. In fact, the Xerox PARC worms of 1979 were to be an example of a worm intended to be used for beneficial purposes.

Welchia was also not the first or last self-replicator to delete another self-replicator. This goes back to the very first worms, circa 1970, Creeper, which became the target of Reaper. Denzuko, created in the late 1980's, targeted Brain, the first IBM PC virus. Some variants of the Netsky and Sasser worms attack Beagle and Mydoom. Gigabyte's YahaSux attacks the Yaha worm.

Sources

Frederic Perriot, Douglas Knowles. Symantec Antivirus, W32.Welchia.Worm.

Kaspersky Lab. Securelist.com, Net-Worm.Win32.Welchia.a.

Ellen Messmer. NetworkWorld, "Navy Marine Corps Intranet hit by Welchia worm". 2003.08.19.

Elise Labott. CNN, "'Welchia worm' hits U.S. State Dept. network". 2003.09.24

Security Focus. The Register, Good worms back on the agenda. 2006.01.30

Vesselin Bontchev. Virus Test Center, University of Hamburg (from the blog of Manoj Maurya), Are "Good" Computer Viruses Still a Bad Idea?. 1994

Fridrik Skulason. Virus Bulletin, The Search for Den Zuk. 1991.02

Yui Kee Computing, Fools Rush In: W32/Welchia a Practical Demonstration in Stupidity. 2003.08.19

John Leyden. The Register, Nachi variant wipes MyDoom from PCs. 2004.02.12

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License