Welchia, also known as the "Nachi worm", is a
computer worm
A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it. It wil ...
that exploits a vulnerability in the
Microsoft
Microsoft Corporation is an American multinational technology corporation producing computer software, consumer electronics, personal computers, and related services headquartered at the Microsoft Redmond campus located in Redmond, Washi ...
remote procedure call
In distributed computing, a remote procedure call (RPC) is when a computer program causes a procedure ( subroutine) to execute in a different address space (commonly on another computer on a shared network), which is coded as if it were a normal ...
(RPC) service similar to the
Blaster worm. However, unlike Blaster, it first searches for and deletes Blaster if it exists, then tries to download and install
security" \n\n\nsecurity.txt is a proposed standard for websites' security information that is meant to allow security researchers to easily report security vulnerabilities. The standard prescribes a text file called \"security.txt\" in the well known locat ...
patches from
Microsoft
Microsoft Corporation is an American multinational technology corporation producing computer software, consumer electronics, personal computers, and related services headquartered at the Microsoft Redmond campus located in Redmond, Washi ...
that would prevent further infection by Blaster, so it is classified as a
helpful worm
A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it. It w ...
. Welchia was successful in deleting Blaster, but Microsoft claimed that it was not always successful in applying their security patch.
This worm infected systems by exploiting vulnerabilities in Microsoft Windows system code (
TFTPD.EXE and TCP on ports 666–765, and a buffer overflow of the RPC on port 135). Its method of infection is to create a remote shell and instruct the system to download the worm using TFTP.EXE. Specifically, the Welchia worm targeted machines running Windows XP. The worm used
ICMP, and in some instances flooded networks with enough ICMP traffic to cause problems.
Once on the system, the worm patches the vulnerability it used to gain access (thereby actually securing the system against other attempts to exploit the same method of intrusion) and run its payload, a series of Microsoft patches. It then attempts to remove the
Blaster Worm by deleting MSBLAST.EXE. If still in the system, the worm is programmed to self-remove on January 1, 2004, or after 120 days of processing, whichever comes first.
In September 2003, the worm was discovered on the US State Department's computer network, causing them to shut down their network for 9 hours for remediation.
See also
*
Helpful worm
A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it. It w ...
*
Blaster (computer worm)
*
Sasser (computer worm)
Sasser is a computer worm that affects computers running vulnerable versions of the Microsoft operating systems Windows XP and Windows 2000. Sasser spreads by exploiting the system through a vulnerable port. Thus it is particularly virulent ...
*
Timeline of notable computer viruses and worms
A timeline is a display of a list of events in chronological order. It is typically a graphic design showing a long bar labelled with dates paralleling it, and usually contemporaneous events.
Timelines can use any suitable scale representi ...
References
External links
Symantec information on Welchia / Nachi
{{Hacking in the 2000s
Exploit-based worms