Welchia (computer worm)
Encyclopedia
The Welchia worm, also known as the "Nachia worm," is a computer worm
that exploits a vulnerability in the Microsoft
Remote procedure call
(RPC) service similar to the Blaster worm. However unlike Blaster, it tries to download and install security
patches
from Microsoft, so it is classified as a helpful worm
. Though even as it implies no harm, it can increase network traffic, reboot
the infected computer
, and more importantly—it operates without consent and does not log anything. It has had several different variants and childworms. It was discovered on August 18, 2003.
This worm infected systems by exploiting vulnerabilities in Microsoft Windows system code (TFTPD.EXE and TCP on ports 666-765, and a buffer overflow of the RPC on port 135). Its method of infection is to create a remote shell and instruct the system to download the worm by TFTPD.EXE. TFTPD is only on certain operating systems, and, without it, the connection fails at this stage. Specifically, the Welchia worm targeted machines running Windows XP.
Once in the system, the worm would patch the vulnerability it used to gain access (thereby actually securing the system against other attempts to exploit the same method of intrusion) and run its payload, a series of Microsoft patches. It then would attempt to remove the "W32/Lovsan.worm.a"
by deleting MSBLAST.EXE. If still in the system, the worm was programmed to self-remove on January 1, 2004, or after 120 days of processing, whichever would have come first.
While this worm did no apparent damage to individual systems — indeed, it actually helped to secure certain systems — it did create vast amounts of traffic by its transmission method, thereby slowing down the Internet
and the Microsoft website. The worm also made some systems unstable by its workings, and, once the patches had been installed, it rebooted the system. Because of these effects, the worm was perceived as a threat, and a patch was released by all major anti-virus vendors.
Computer worm
A computer worm is a self-replicating malware computer program, which uses a computer network to send copies of itself to other nodes and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a computer virus, it does not need to attach...
that exploits a vulnerability in the Microsoft
Microsoft
Microsoft Corporation is an American public multinational corporation headquartered in Redmond, Washington, USA that develops, manufactures, licenses, and supports a wide range of products and services predominantly related to computing through its various product divisions...
Remote procedure call
Remote procedure call
In computer science, a remote procedure call is an inter-process communication that allows a computer program to cause a subroutine or procedure to execute in another address space without the programmer explicitly coding the details for this remote interaction...
(RPC) service similar to the Blaster worm. However unlike Blaster, it tries to download and install security
Computer security
Computer security is a branch of computer technology known as information security as applied to computers and networks. The objective of computer security includes protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to...
patches
Patch (computing)
A patch is a piece of software designed to fix problems with, or update a computer program or its supporting data. This includes fixing security vulnerabilities and other bugs, and improving the usability or performance...
from Microsoft, so it is classified as a helpful worm
Helpful worm
A helpful worm is variant on a computer worm which delivers its payload by doing "helpful" actions instead of malicious actions. Welchia was a major example of a helpful worm - utilizing the same exploit that caused the Blaster worm...
. Though even as it implies no harm, it can increase network traffic, reboot
Booting
In computing, booting is a process that begins when a user turns on a computer system and prepares the computer to perform its normal operations. On modern computers, this typically involves loading and starting an operating system. The boot sequence is the initial set of operations that the...
the infected computer
Computer
A computer is a programmable machine designed to sequentially and automatically carry out a sequence of arithmetic or logical operations. The particular sequence of operations can be changed readily, allowing the computer to solve more than one kind of problem...
, and more importantly—it operates without consent and does not log anything. It has had several different variants and childworms. It was discovered on August 18, 2003.
This worm infected systems by exploiting vulnerabilities in Microsoft Windows system code (TFTPD.EXE and TCP on ports 666-765, and a buffer overflow of the RPC on port 135). Its method of infection is to create a remote shell and instruct the system to download the worm by TFTPD.EXE. TFTPD is only on certain operating systems, and, without it, the connection fails at this stage. Specifically, the Welchia worm targeted machines running Windows XP.
Once in the system, the worm would patch the vulnerability it used to gain access (thereby actually securing the system against other attempts to exploit the same method of intrusion) and run its payload, a series of Microsoft patches. It then would attempt to remove the "W32/Lovsan.worm.a"
Blaster (computer worm)
The Blaster Worm was a computer worm that spread on computers running the Microsoft operating systems: Windows XP and Windows 2000, during August 2003....
by deleting MSBLAST.EXE. If still in the system, the worm was programmed to self-remove on January 1, 2004, or after 120 days of processing, whichever would have come first.
While this worm did no apparent damage to individual systems — indeed, it actually helped to secure certain systems — it did create vast amounts of traffic by its transmission method, thereby slowing down the Internet
Internet
The Internet is a global system of interconnected computer networks that use the standard Internet protocol suite to serve billions of users worldwide...
and the Microsoft website. The worm also made some systems unstable by its workings, and, once the patches had been installed, it rebooted the system. Because of these effects, the worm was perceived as a threat, and a patch was released by all major anti-virus vendors.
See also
- Helpful wormHelpful wormA helpful worm is variant on a computer worm which delivers its payload by doing "helpful" actions instead of malicious actions. Welchia was a major example of a helpful worm - utilizing the same exploit that caused the Blaster worm...
- Timeline of notable computer viruses and wormsTimeline of notable computer viruses and wormsThis is a timeline of noteworthy computer viruses, worms and Trojan horses.- 1966 :* The work of John von Neumann on the "Theory of self-reproducing automata" is published...