#1
Discovered on: February 23, 2004
Last Updated on: February 23, 2004 01:42:40 PM

W32.Welchia.D.Worm is a minor variant of W32.Welchia.C.Worm. If the version of the operating system of the infected machine is Chinese, Korean, or English, the worm will attempt to download the Microsoft Workstation Service Buffer Overrun and Microsoft Messenger Service Buffer Overrun patches from the Microsoft® Windows Update Web site, install them, and then restart the computer. The worm also attempts to remove the W32.Mydoom.A@mm, W32.Mydoom.B@mm, W32.HLLW.Doomjuice and W32.HLLW.Doomjuice.B worms.

W32.Welchia.D.Worm exploits multiple vulnerabilities, including:
- The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm specifically targets Windows XP machines using this exploit.
- The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80. The worm specifically targets machines running Microsoft IIS 5.0 using this exploit. The worm's use of this exploit will impact Windows 2000 systems and may impact Windows NT/XP systems.
- The Workstation service buffer overrun vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445.
- The Locator service vulnerability using TCP port 445 (described in Microsoft Security Bulletin MS03-001). The worm specifically targets Windows 2000 machines using this exploit.

In addition, it attempts to exploit the W32.Mydoom.A@mm backdoor (port 3127) to spread.

The presence of the file %Windir%\system32\drivers\svchost.exe is an indication of a possible infection.

This threat is compressed with UPX.

Symantec Security Response is still analysing this threat; please check back shortly for updates.

Type: Worm

When W32.Welchia.D.Worm runs, it does the following:

1. Creates a mutex named "WksPatch_Mutex." This mutex allows only one instance of the worm to execute in memory.

2. Copies itself as %System%\drivers\svchost.exe.

--------------------------------------------------------------------------------
Notes: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP). There is a legitimate system file, %System%\svchost.exe, which has the same file size as the worm on a Windows XP system.
--------------------------------------------------------------------------------

3. Creates the following service:
Service name: WksPatch
Service binary: %System%\drivers\svchost.exe
Service display name: Constructed in the form of %string1% %string2% %string3%, where:
%string1% is one of the following: System, Security, Remote, Routing, Performance, Network, License, Internet
%string2% is one of the following: Logging, Manager, Procedure, Accounts, Event
and %string3% is one of the following: Provider, Sharing, Messaging, Client
For example, the service display name can be "Security Logging Sharing."

4. Deletes the service named "RpcPatch," if it exists.

--------------------------------------------------------------------------------
Note: W32.Welchia.Worm created this service.
--------------------------------------------------------------------------------

5. Checks for the existence of the W32.Mydoom.A@mm, W32.Mydoom.B@mm, W32.HLLW.Doomjuice and W32.HLLW.Doomjuice.B worms. If any of the worms exist, it attempts to remove them from the system by following these steps:
- Kills the respective processes.
- Deletes the associated files and cleans the registry.

6. Overwrites the HOSTS file with the following text:
#
#
127.0.0.1 localhost

7. Generates random IP addresses and sends exploit data to those IP addresses, in an attempt to infect the systems:
- Sends data to TCP port 135 to exploit the DCOM RPC vulnerability using a randomized IP address.
- Sends data to TCP port 80 to exploit the WebDav vulnerability.
- Sends data to TCP port 445 to exploit the Workstation Service vulnerability.
- Sends data to TCP port 445 to exploit the Locator service vulnerability.
- Sends data to TCP port 135 to exploit the DCOM RPC vulnerability using an IP address near the same class B subnet of the IP address of the infected host.

8. Runs an HTTP server on a random TCP port, so that the vulnerable computers can reconnect to the infected computer, then locally download and execute the worm as WksPatch.exe.

9. If the version of the operating system of the infected machine is Japanese, searches the files in the IIS Virtual Roots and %Windir%\Help\IISHelp\common folders with the following extensions: .shtml .shtm .stm .cgi .php .html .htm .asp

--------------------------------------------------------------------------------
Note: The Virtual Roots and IIS Help folders are installed as part of Microsoft's Internet Information Services server.
--------------------------------------------------------------------------------

Overwrites the files it finds with the following .htm file: http://securityresponse.symantec.com...a.d.worm.1.gif

10. Downloads one of the following patches from Microsoft's Windows Update Web site, if the version of the operating system of the infected machine is Chinese, Korean, or English:
download.microsoft.com/download/4/d/3/4d375d48-04c7-411f-959b-3467c5ef1e9a/WindowsXP-KB828035-x86-CHS.exe
download.microsoft.com/download/a/4/3/a43ea017-9abd-4d28-a736-2c17dd4d7e59/WindowsXP-KB828035-x86-KOR.exe
download.microsoft.com/download/e/a/e/eaea4109-0870-4dd3-88e0-a34035dc181a/WindowsXP-KB828035-x86-ENU.exe
download.microsoft.com/download/9/c/5/9c579720-63e9-478a-bdcb-70087ccad56c/Windows2000-KB828749-x86-CHS.exe
download.microsoft.com/download/0/8/4/084be8b7-e000-4847-979c-c26de0929513/Windows2000-KB828749-x86-KOR.exe
download.microsoft.com/download/3/c/6/3c6d56ff-ff8e-4322-84cb-3bf9a915e6d9/Windows2000-KB828749-x86-ENU.exe
Installs the patch, and then restarts the computer.

11. The worm will self-terminate on June 1, 2004, or after running 120 days, whichever comes first.

http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.d.worm.html
__________________
Microsoft MVP - Consumer Security 2006 - 2010 |
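The indicators in the writeup above (the WksPatch service with a display name built from three word lists, the binary dropped under %System%\drivers\svchost.exe, the stripped-down HOSTS file, and the sweep of TCP ports 135/80/445/3127 against random and nearby class B addresses) are the kind of thing a responder wants to match mechanically. The Python below is an added example, not code from Symantec or from the poster: it turns those indicators into two checks, one over service records pulled from a host and one over firewall-style log lines. The log line format (`src=... dst=... proto=TCP dport=...`), the sample log, and the threshold of 20 distinct destinations are assumptions made for the example.

```python
import itertools
import re
from collections import defaultdict

# ---- Host indicators (from the writeup) -------------------------------------
STRING1 = ["System", "Security", "Remote", "Routing", "Performance",
           "Network", "License", "Internet"]
STRING2 = ["Logging", "Manager", "Procedure", "Accounts", "Event"]
STRING3 = ["Provider", "Sharing", "Messaging", "Client"]

# Every display name the worm can construct as "%string1% %string2% %string3%"
# (8 * 5 * 4 = 160 combinations), so a match is an exact set membership test.
WELCHIA_D_DISPLAY_NAMES = {" ".join(w) for w in itertools.product(STRING1, STRING2, STRING3)}

WORM_SERVICE_NAME = "wkspatch"
# The legitimate svchost.exe lives directly in %System%; the worm's copy is one
# directory deeper, under drivers\, so the path suffix alone separates them.
WORM_BINARY_SUFFIX = "\\drivers\\svchost.exe"
WORM_MUTEX = "WksPatch_Mutex"   # single-instance mutex named in the writeup


def classify_service(name, display_name, binary_path):
    """Return the list of Welchia.D indicators a service record matches (empty if none)."""
    reasons = []
    if name.lower() == WORM_SERVICE_NAME:
        reasons.append("service name WksPatch")
    if display_name in WELCHIA_D_DISPLAY_NAMES:
        reasons.append("display name built from the worm's word lists")
    path = binary_path.strip('"').lower()
    if path.endswith(WORM_BINARY_SUFFIX):
        reasons.append("binary is %System%\\drivers\\svchost.exe")
    return reasons


def hosts_file_overwritten(hosts_text):
    """True if HOSTS has exactly the shape the worm writes: bare '#' comment lines
    and a single '127.0.0.1 localhost' entry. A stock Windows HOSTS file also maps
    only localhost but carries a descriptive comment header, so it is not matched."""
    lines = [ln.strip() for ln in hosts_text.splitlines() if ln.strip()]
    comments = [ln for ln in lines if ln.startswith("#")]
    entries = [ln.split() for ln in lines if not ln.startswith("#")]
    return all(c == "#" for c in comments) and entries == [["127.0.0.1", "localhost"]]


# ---- Network indicators -------------------------------------------------------
# DCOM RPC (135), WebDAV (80), Workstation/Locator (445), Mydoom.A backdoor (3127).
WORM_PORTS = {135, 80, 445, 3127}
# Assumed log format for this example (not a real product's format).
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=TCP dport=(?P<dport>\d+)")


def find_scanners(log_lines, min_targets=20):
    """Return {src: {port: distinct_destinations}} for every source that hit at
    least min_targets distinct destinations on the worm's exploit ports."""
    targets = defaultdict(lambda: defaultdict(set))
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        port = int(m.group("dport"))
        if port in WORM_PORTS:
            targets[m.group("src")][port].add(m.group("dst"))
    flagged = {}
    for src, per_port in targets.items():
        all_dsts = set().union(*per_port.values())
        if len(all_dsts) >= min_targets:
            flagged[src] = {p: len(d) for p, d in per_port.items()}
    return flagged


def sample_log():
    """Constructed firewall lines: 10.1.2.3 sweeps 30 hosts across the four ports,
    half inside its own /16 and half elsewhere (the writeup's mix of random and
    nearby class B targets); 10.1.9.9 is an ordinary client touching two servers."""
    lines = []
    for i in range(1, 31):
        port = (135, 80, 445, 3127)[i % 4]
        dst = f"10.1.{i}.{i}" if i % 2 else f"192.0.2.{i}"
        lines.append(f"2004-02-23 13:42:{i:02d} src=10.1.2.3 dst={dst} proto=TCP dport={port} action=DROP")
    lines.append("2004-02-23 13:43:00 src=10.1.9.9 dst=10.1.0.5 proto=TCP dport=445 action=ALLOW")
    lines.append("2004-02-23 13:43:01 src=10.1.9.9 dst=10.1.0.7 proto=TCP dport=80 action=ALLOW")
    return lines


if __name__ == "__main__":
    print(classify_service("WksPatch", "Security Logging Sharing",
                           r"C:\WINDOWS\system32\drivers\svchost.exe"))
    print(find_scanners(sample_log()))
```

On a live host the service records would come from `sc query` / `sc qc` or the Services registry key, and the mutex name can be checked with a handle-enumeration tool; the checks here deliberately treat the display name as an exact match against the 160 generated combinations rather than a substring search, which keeps legitimate services such as "DHCP Client" out of the results.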