VIRUS W32.Welchia.Worm


AplusWebMaster
August 18th, 2003, 08:12 PM
;) FYI...covered by most AV vendors (in their def updates for 8/18/2003 - already Cat 2 at Symantec and F-Secure) is the W32.Welchia.Worm -
'Got an e-mail from the F-Secure folks about it today:

(Partial quote:)
"For release August 18, 2003
A new worm installs security patches
An anti-virus-virus is spreading
- F-Secure has analysed a new Windows network worm, known as Welchi or Nachi.
This worm is similar to the Lovsan or Blaster worm, which has been spreading
massively in the internet for the last week.
- Welchi uses the same RPC hole to infect machines, although Welchi only
infects machines running Windows XP operating system. However, Welchi also
tries to infect web servers running Microsoft IIS 5.0, by exploiting a WebDAV
vulnerability found in March 2003.
- Welchi is clearly much more advanced than the relatively simple Lovsan worm.
In particular, it has three features, which make it interesting:

1) Welchi kills Lovsan.A.
As this new worm is using the same hole as Lovsan, it will obviously end up
infecting machines, which are already infected by Lovsan. Welchi removes this
infection.
2) Welchi installs the Microsoft RPC security patch.
After infecting a machine, the worm will try to apply the Microsoft patch to
close the RPC hole. It will attempt to download the patch from Microsoft web
site. As the patch is different for different localized versions of Windows,
the worm will check the local language and apply a suitable patch for
English, Korean, Chinese and Simplified Chinese versions of Windows.
3) Welchi dies.
This worm has a built-in expiration date. After January 1st, 2004, the worm
will uninstall and remove itself from infected systems. Users can use this
feature to easily remove the worm: change the date to 2004 and reboot the
system. After this the date can be set back.
- "So, we seem to have an anti-virus-virus here", says Mikko Hypponen, Director
of Anti-Virus Research at F-Secure Corporation. "We've seen similar things
before, but not to the extent of actually applying Microsoft's own patches to
the system. Unfortunately Welchi is not perfect and will create some
additional problems."
- The Welchi virus contains these hidden texts:
'I love my wife & baby
~~~ Welcome Chian~~~
Notice: 2004 will remove myself:)
~~ sorry zhongli~~~'
..."

yorkdale
August 18th, 2003, 08:29 PM
So we are left with a question or two. Who wrote this, a white hat or black hat? Sounds helpful in fixing the patching problem, using worm technology to work against itself. OTOH could be a piece of behavior psychology, letting us think there are "good viruses" out there so we become less vigilant or more willing to accept the concept of "ends justify the means"?

The overriding conclusion has to be, whatever good comes from this or any other worm, it is still invasive code and should be defended against as if its intent or design is malevolent. I personally place this one in the same category as the course in virus writing being offered by the University of Calgary.

AplusWebMaster
August 18th, 2003, 11:10 PM
:( FYI...from the Internet Storm Center:

"Increase in ICMP scans
Updated August 18th 2003 14:46 EDT
http://isc.sans.org/diary.html?date=2003-08-18
Over the last few hours, sensors detected a remarkable increase in ICMP traffic. At this point, we assume that the traffic is linked to the 'Nachi' worm: http://vil.nai.com/vil/content/v_100559.htm. The worm is also known as 'Welchia' ( http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html )
While the investigation is still in progress, we did identify so far the following characteristics:
- some of the traffic is spoofed
- the data content is all '170' (0xAA)
- ICMP echo requests (type 8, code 0)..."

EDIT/ADD: Moving with the speed of thought - "Due to an increase in submissions, Symantec Security Response has upgraded W32.Welchia.Worm to Category 4, as of 6:00pm Monday, August 18, 2003."
Per:
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html
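Added example, not code from the ISC diary or from any poster in this thread: a small Python checker that applies the characteristics ISC lists above (ICMP echo request, type 8 code 0, data bytes all 0xAA) to raw IPv4/ICMP packets and counts matching pings per source address, which is what a sensor would use to spot the sweep. All packet bytes, addresses and the threshold are constructed for the example.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

def parse_ipv4_icmp(pkt):
    """Return (src, dst, icmp_type, icmp_code, payload) for an IPv4/ICMP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:  # IPv4 with protocol 1 (ICMP)
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    icmp = pkt[ihl:total_len]
    if len(icmp) < 8:  # type, code, checksum, identifier, sequence
        return None
    src, dst = str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))
    return src, dst, icmp[0], icmp[1], icmp[8:]

def is_welchia_like_ping(pkt):
    """True for an ICMP echo request (type 8, code 0) whose data bytes are all 0xAA (170)."""
    parsed = parse_ipv4_icmp(pkt)
    if parsed is None:
        return False
    _, _, icmp_type, icmp_code, payload = parsed
    return icmp_type == 8 and icmp_code == 0 and len(payload) > 0 and payload == b"\xaa" * len(payload)

def flag_sources(pkts, threshold=3):
    """Count Welchia-like pings per source address; return the sources at or above threshold."""
    counts = Counter(parse_ipv4_icmp(p)[0] for p in pkts if is_welchia_like_ping(p))
    return {src: n for src, n in counts.items() if n >= threshold}

def build_packet(src, dst, icmp_type, code, payload):
    """Constructed IPv4+ICMP test input (checksums left zero; this is never transmitted)."""
    icmp = struct.pack("!BBHHH", icmp_type, code, 0, 0x0100, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 128, 1, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + icmp

# Constructed sample traffic: one host sweeping neighbours with 0xAA-filled echo requests,
# one ordinary ping with an ascending-byte payload, and the reply to that ordinary ping.
SAMPLE_PACKETS = [build_packet("10.0.0.5", f"192.168.1.{n}", 8, 0, b"\xaa" * 64) for n in (1, 2, 3)]
SAMPLE_PACKETS.append(build_packet("10.0.0.9", "192.168.1.1", 8, 0, bytes(range(0x61, 0x61 + 32))))
SAMPLE_PACKETS.append(build_packet("192.168.1.1", "10.0.0.9", 0, 0, bytes(range(0x61, 0x61 + 32))))

if __name__ == "__main__":
    print(flag_sources(SAMPLE_PACKETS))  # {'10.0.0.5': 3}
```

The payload check alone is the signature; the per-source count is what separates a sweep from a stray matching packet, and the spoofed-source traffic ISC mentions will still show up here under whatever address it claims.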

Rickster
August 18th, 2003, 11:42 PM
Thanks AplusWebMaster-Man! That makes it clear now and I'm very grateful. Must be the year of the worm. In less than a week we went from MSBlaster A to D...someone is having a good time out there.

Best Regards, Rickster

AplusWebMaster
August 30th, 2003, 02:08 AM
:( ...No doubt what has caused Web performance problems lately:

See the site; in particular:
"Rolling 28-day Latency, Packet Loss, and Reachability"
http://average.matrixnetsystems.com/

{QUOTE-> - Nachia (aka W32/Welchia.worm, W32/Nachi.worm, WORM_MSBLAST.D, Lovsan.D, W32/Nachi-A, Win32.Nachi.A, Worm.Win32.Welchia)
Nachia continues to flood networks with ICMP messages and port 135 scans. Based on our measurements, the number of hosts infected by Nachia and MSBlaster is not decreasing...at around 150,000. <-QUOTE}
- From this post:
http://www.wilderssecurity.com/showthread.php?t=12613;start=msg82932#msg82932