
Worm.Win32.Welchia

Details
Worm.Win32.Welchia.b
This worm spreads via the Internet using the DCOM RPC vulnerability in Microsoft Windows described in Microsoft Security Bulletin MS03-026.
The worm also attempts to infect computers on which Microsoft IIS 5.0 is installed, via the WebDAV vulnerability described in Microsoft Security Bulletin MS03-007.
The worm is written in Visual C++ and is approximately 12 KB (12,800 bytes) in size, compressed with UPX.
This version of Welchia attempts to find and delete the worms Mydoom.a and Mydoom.b on the computer.
Installation
On launching, the worm copies itself to the %System%\drivers directory under the name svchost.exe, and then registers a service named 'WksPatch' that points to this copy. As a result, the worm runs every time Windows starts. The service display name is three words, each picked at random from the lists below:
First word:
System
Security
Remote
Routing
Performance
Network
License
Internet
Second word:
Logging
Manager
Procedure
Accounts
Event
Third word:
Provider
Sharing
Messaging
Client
For example, the display name of the service could be 'Remote Accounts Client' or 'System Logging Provider'.
The worm creates a mutex named 'WksPatch_Mutex' to mark its presence in memory.
Deletion of Mydoom
The worm searches for files that may have been created by Mydoom.a and Mydoom.b and deletes them:
%System%\ctfmon.dll
%System%\Explorer.exe
%System%\shimgapi.dll
%System%\TaskMon.exe
Welchia.b also deletes the TaskMon entry from the system registry auto-run key and overwrites the hosts file with its own data (identical to the default Windows hosts file).
Windows Patch Installation
The worm then scans the Windows system registry for installed patches and service packs. If the patch for the DCOM RPC vulnerability (MS03-026) has not been installed, Welchia downloads it from download.microsoft.com. Once the patch is successfully downloaded and installed, the worm reboots the computer to complete the installation.
Propagation
The worm builds two different requests to send to remote machines. The first contains a WebDAV exploit, and the second contains a DCOM RPC exploit almost identical to the one used in Lovesan.
Welchia.b selects an IP address, sends an ICMP echo request to it and waits for a response. If the remote computer responds, the worm connects to it on TCP port 135 (as Lovesan did) or on TCP port 80 (if the remote computer runs IIS). It then sends the exploit packet, whose payload fetches Welchia from the attacking machine.
Other
The worm searches the directories of the local IIS installation for files with the following extensions:
shtml
shtm
stm
cgi
php
html
htm
asp
If the infected machine's system code page is Japanese, it overwrites these files with the following text:
LET HISTORY TELL FUTURE !

1931.9.18
1937.7.7
1937.12.13 300,000 !

1941.12.7
1945.8.6 Little boy
1945.8.9 Fatso

1945.8.15
Let history tell future !
The worm ceases to function on 1 June 2004.
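A responder who finds Welchia.b on an IIS host will want to know whether any web content was overwritten. The following script is an added example, not code from the original description or from any vendor tool: it walks a web root, restricts itself to the extensions listed above, and reports files that carry the defacement marker text. The sample web root it builds in a temporary directory is constructed for illustration; the only thing it assumes beyond the description is that the overwritten file begins with the marker line, which follows from the file being replaced wholesale.

```python
import os
import tempfile

# Extensions the worm targets in the IIS directories (from the list above).
DEFACED_EXTENSIONS = {".shtml", ".shtm", ".stm", ".cgi", ".php",
                      ".html", ".htm", ".asp"}
# First line of the text the worm writes over each file.
DEFACEMENT_MARKER = b"LET HISTORY TELL FUTURE !"


def is_target(path):
    """True if the file has one of the extensions the worm overwrites."""
    return os.path.splitext(path)[1].lower() in DEFACED_EXTENSIONS


def find_defaced(files):
    """files: mapping path -> content bytes.
    Returns the sorted paths whose extension is on the list and whose
    content contains the defacement marker."""
    return sorted(p for p, data in files.items()
                  if is_target(p) and DEFACEMENT_MARKER in data)


def scan_webroot(root):
    """Walk a web root on disk and return the defaced files found under it."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not is_target(path):
                continue
            with open(path, "rb") as fh:
                # The worm replaces the whole file, so the marker sits at the
                # start; the first 4 KB is enough to decide.
                files[path] = fh.read(4096)
    return find_defaced(files)


def demo():
    """Build a constructed sample web root (not a real incident) and scan it.
    Returns the defaced files as forward-slash relative paths."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "index.htm": b"LET HISTORY TELL FUTURE !\r\n\r\n1931.9.18\r\n",
            "sub/default.asp": b"LET HISTORY TELL FUTURE !\r\n",
            "about.html": b"<html><body>untouched page</body></html>",
            "notes.txt": b"LET HISTORY TELL FUTURE !",  # extension not on the list
        }
        for rel, data in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return [os.path.relpath(p, root).replace(os.sep, "/")
                for p in scan_webroot(root)]


if __name__ == "__main__":
    for rel in demo():
        print("defaced:", rel)
```

Point `scan_webroot` at the real IIS web root (for example `C:\Inetpub\wwwroot`) to run it on a live host; because the worm only defaces machines whose code page is Japanese, an empty result on a non-Japanese system is expected and does not mean the host is clean.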


Worm.Win32.Welchia

Details
Worm.Win32.Welchia.a
Welchia.a is an Internet worm that spreads through the Internet using the DCOM RPC vulnerability in Microsoft Windows described in Microsoft Security Bulletin MS03-026. The worm also attacks computers via the WebDAV vulnerability in Microsoft IIS 5.0 described in Microsoft Security Bulletin MS03-007.
The worm is written in Visual C++ and is about 10 KB when compressed with UPX. On an infected machine it is present as a pair of files named dllhost.exe (the worm itself) and svchost.exe (a renamed copy of the Windows TFTP daemon, see below).
The worm contains the following text strings:
I love my wife & baby :-)
~~~ Welcome Chian~~~
Notice: 2004 will remove myself:-)
~~ sorry zhongli~~~

Installation
During installation the worm first copies itself to the %System%\Wins\ folder under the name dllhost.exe and creates a service named 'WINS Client'. It then copies tftpd.exe from the %System%\dllcache folder into the same folder under the name svchost.exe and registers it as a second service, 'Network Connections Sharing'.
As a result, Welchia gains control of the machine and runs every time the computer is rebooted, with a TFTP server on hand to serve its body to newly exploited hosts.
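The service names and image paths in the two installation sections give a cheap host-side check. The following script is an added example, not code from the original description or from any vendor tool: it generates the 160 display names Welchia.b can produce from the word lists in the Welchia.b description above and matches a service inventory (for instance one exported from `sc query` or the Services registry key) against those names, the fixed service name WksPatch, the %System%\drivers\svchost.exe image path, and the two Welchia.a services under %System%\Wins\. The inventory below is constructed, and the short names 'Svc1' and 'Svc2' for the Welchia.a services are placeholders, since the description does not give them.

```python
import itertools

# Word lists from which Welchia.b builds its random three-word display name
# (copied from the Welchia.b description).
FIRST = ["System", "Security", "Remote", "Routing", "Performance",
         "Network", "License", "Internet"]
SECOND = ["Logging", "Manager", "Procedure", "Accounts", "Event"]
THIRD = ["Provider", "Sharing", "Messaging", "Client"]

# Every display name Welchia.b can generate: 8 * 5 * 4 = 160 strings.
WELCHIA_B_DISPLAY_NAMES = {
    " ".join(words) for words in itertools.product(FIRST, SECOND, THIRD)
}

# Display names and image-path suffixes (under %System%) used by Welchia.a.
WELCHIA_A_SERVICES = {
    "WINS Client": "\\wins\\dllhost.exe",
    "Network Connections Sharing": "\\wins\\svchost.exe",
}


def image_path(binary_path):
    """Reduce a service BinaryPathName to a lower-case path ending in .exe,
    dropping surrounding quotes and any arguments such as '-k netsvcs'."""
    p = binary_path.strip().strip('"').lower().replace("/", "\\")
    i = p.find(".exe")
    return p[: i + 4] if i != -1 else p


def triage_services(services):
    """services: iterable of dicts with keys name, display_name, binary_path.
    Returns [(service name, [reasons])] for entries matching either variant."""
    hits = []
    for svc in services:
        display = svc["display_name"]
        image = image_path(svc["binary_path"])
        reasons = []
        if svc["name"].lower() == "wkspatch":
            reasons.append("service name WksPatch (Welchia.b)")
        if display in WELCHIA_B_DISPLAY_NAMES:
            reasons.append("display name built from Welchia.b word lists")
        if image.endswith("\\drivers\\svchost.exe"):
            reasons.append("svchost.exe running from %System%\\drivers (Welchia.b)")
        for name, suffix in WELCHIA_A_SERVICES.items():
            if display == name or image.endswith(suffix):
                reasons.append(f"{name} / {suffix} (Welchia.a)")
        if reasons:
            hits.append((svc["name"], reasons))
    return hits


# Constructed inventory: two legitimate Windows services that must not match
# (the RPC one shares two words with the lists but not the third), followed
# by the three services the two variants create.
SAMPLE_SERVICES = [
    {"name": "lanmanworkstation", "display_name": "Workstation",
     "binary_path": r"C:\WINDOWS\system32\svchost.exe -k netsvcs"},
    {"name": "RpcSs", "display_name": "Remote Procedure Call (RPC)",
     "binary_path": r"C:\WINDOWS\system32\svchost.exe -k rpcss"},
    {"name": "WksPatch", "display_name": "Remote Accounts Client",
     "binary_path": r"C:\WINDOWS\system32\drivers\svchost.exe"},
    {"name": "Svc1", "display_name": "WINS Client",  # placeholder short name
     "binary_path": r"C:\WINDOWS\system32\wins\DLLHOST.EXE"},
    {"name": "Svc2", "display_name": "Network Connections Sharing",  # placeholder
     "binary_path": r"C:\WINDOWS\system32\wins\svchost.exe"},
]

if __name__ == "__main__":
    for name, reasons in triage_services(SAMPLE_SERVICES):
        print(name, "->", "; ".join(reasons))
```

The display-name check is exact rather than a keyword match on purpose: legitimate services such as 'Remote Procedure Call (RPC)' contain words from the first two lists, and only the full three-word combination is a Welchia.b indicator. The path checks are the stronger signal, since svchost.exe never legitimately runs from %System%\drivers and nothing legitimate installs to %System%\Wins\.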

Deletion of Lovesan
Welchia scans the system for the MSBLAST.EXE process, terminates it and deletes the MSBLAST.EXE file from the hard drive.

Windows Patch Installation
The worm then scans the Windows system registry for installed patches and service packs. If the patch for the DCOM RPC vulnerability has not been installed, Welchia downloads it. Once the patch is successfully downloaded and installed, the worm reboots the computer to complete the installation.

Spreading
Welchia uses two methods to select IP addresses to scan. In the first, the worm takes the first two octets, A and B, of the current machine's address and scans the Internet for addresses beginning with A.B, working through all addresses A.B.C.D where C and D are greater than zero.
In the second, the worm chooses a random IP address.
The worm builds two different requests to send to remote computers. The first exploits the WebDAV vulnerability, the second exploits the DCOM RPC vulnerability in almost the same way as Lovesan.
The worm picks an IP address, sends an ICMP echo request to it and waits for a response. If the remote machine responds, the worm connects to it on TCP port 135 (like Lovesan) or TCP port 80 (if the machine runs IIS) and sends a prepared packet whose payload downloads Welchia from the infecting machine via TFTP.
The worm then checks the infected machine for the TFTPD.EXE file. If TFTPD.EXE does not exist, Welchia downloads it (naming it svchost.exe) into the %System%\Wins\ folder.
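Both variants scan the same way: a burst of ICMP echo requests to many addresses, then a TCP connection to port 135 or 80 on each host that answered. That order is visible in flow or firewall logs even without payload inspection. The following script is an added example, not code from the original description or from any vendor tool, covering the Propagation section of Welchia.b and the Spreading section above: it reads flow records, counts how many distinct hosts each source pings within a time window, and counts pings that are followed by a 135/80 connection to the same host. The thresholds and the flow records are constructed for illustration; real traffic needs tuning against legitimate monitoring hosts that also ping widely.

```python
from collections import defaultdict

ICMP_ECHO = "icmp-echo"
FOLLOW_UP_PORTS = {135, 80}  # DCOM RPC and IIS/WebDAV, as described above


def detect_welchia_sweeps(flows, window=60.0, min_pinged=20, min_followups=3):
    """flows: iterable of dicts with keys ts (seconds), src, dst, proto
    ('icmp-echo' or 'tcp') and, for tcp, dport.
    Returns {src: {"pinged": n, "followups": m}} for sources that either ping
    at least min_pinged distinct hosts within `window` seconds, or connect to
    port 135/80 on at least min_followups hosts they pinged shortly before."""
    pings = defaultdict(list)  # src -> [(ts, dst)]
    tcp = defaultdict(list)    # src -> [(ts, dst)] for 135/80 only
    for f in sorted(flows, key=lambda f: f["ts"]):
        if f["proto"] == ICMP_ECHO:
            pings[f["src"]].append((f["ts"], f["dst"]))
        elif f["proto"] == "tcp" and f.get("dport") in FOLLOW_UP_PORTS:
            tcp[f["src"]].append((f["ts"], f["dst"]))

    alerts = {}
    for src, plist in pings.items():
        # Largest number of distinct destinations pinged inside one window.
        best = 0
        for i, (t0, _) in enumerate(plist):
            dsts = {d for t, d in plist[i:] if t - t0 <= window}
            best = max(best, len(dsts))
        # Ping followed by a 135/80 connection to the same host: the worm's
        # "wait for a reply, then exploit" loop.
        first_ping = {}
        for t, d in plist:
            first_ping.setdefault(d, t)
        followups = {d for t, d in tcp.get(src, [])
                     if d in first_ping and 0 <= t - first_ping[d] <= window}
        if best >= min_pinged or len(followups) >= min_followups:
            alerts[src] = {"pinged": best, "followups": len(followups)}
    return alerts


def build_sample_flows():
    """Constructed traffic, not a real capture: one infected host sweeping
    a /24 and one administrator host doing ordinary pings."""
    flows = []
    scanner = "10.1.2.3"
    for i in range(1, 41):
        flows.append({"ts": i * 0.1, "src": scanner,
                      "dst": f"10.1.0.{i}", "proto": ICMP_ECHO})
    # Five hosts answered; the worm then goes for 135, or 80 on an IIS box.
    for i, port in [(2, 135), (7, 135), (11, 80), (23, 135), (30, 135)]:
        flows.append({"ts": i * 0.1 + 0.5, "src": scanner,
                      "dst": f"10.1.0.{i}", "proto": "tcp", "dport": port})
    admin = "10.1.2.50"
    for j, dst in enumerate(["10.1.0.2", "10.1.0.3", "10.1.0.4"]):
        flows.append({"ts": 100 + j, "src": admin, "dst": dst, "proto": ICMP_ECHO})
    flows.append({"ts": 105, "src": admin, "dst": "10.1.0.3",
                  "proto": "tcp", "dport": 80})
    return flows


if __name__ == "__main__":
    for src, info in detect_welchia_sweeps(build_sample_flows()).items():
        print(f"{src}: pinged {info['pinged']} hosts, "
              f"{info['followups']} followed by 135/80")
```

The two tests are deliberately independent: the ping-count alone catches the sweep early, while the ping-then-135/80 pattern is what separates this worm from a plain ping sweep by a monitoring system, which pings widely but never follows up on 135.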

Other
Once the current year becomes 2004, Welchia ceases to function and deletes itself from the system.
