Welchia

The Welchia worm, also known as the "Nachia worm", is a computer worm that exploits a vulnerability in the Microsoft Remote procedure call (RPC) service similar to the Blaster worm. However, unlike Blaster, it first searches for and deletes Blaster if it exists, then tries to download and install security patches from Microsoft that would prevent further infection by Blaster, so it is classified as a helpful worm. Welchia was successful in deleting Blaster, but Microsoft claimed that it was not always successful in applying their security patch.[1]

This worm infected systems by exploiting vulnerabilities in Microsoft Windows system code (TFTPD.EXE and TCP on ports 666–765, and a buffer overflow of the RPC on port 135). Its method of infection is to create a remote shell and instruct the system to download the worm using TFTP.EXE. Specifically, the Welchia worm targeted machines running Windows XP. The worm used ICMP, and in some instances flooded networks with enough ICMP traffic to cause problems. [2]

Once on the system, the worm patches the vulnerability it used to gain access (thereby actually securing the system against other attempts to exploit the same method of intrusion) and run its payload, a series of Microsoft patches. It then attempts to remove the Blaster Worm by deleting MSBLAST.EXE. If still in the system, the worm is programmed to self-remove on January 1, 2004, or after 120 days of processing, whichever comes first.

See also

References

  1. Bransford, Gene (December 18, 2003). "The Welchia Worm". Global Information Assurance Certification. SANS Institute. p. 27. Retrieved 9 June 2014.
  2. Naraine, Ryan (19 August 2003). "'Friendly' Welchia Worm Wreaking Havoc". InternetNews.com. Retrieved 3 October 2016.

External links


This article is issued from Wikipedia - version of the 10/3/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.