W32.Welchia.Worm is a worm that exploits several vulnerabilities, including:
- The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) over TCP port 135; this attack specifically targets Windows XP.
- The WebDAV vulnerability (described in Microsoft Security Bulletin MS03-007) over TCP port 80; this attack targets machines running IIS 5.0 and affects Windows 2000 as well as NT/XP systems.
Also known as: W32/Welchia.worm10240 [AhnLab], W32/Nachi.worm [McAfee], WORM_MSBLAST.D [Trend], Lovsan.D [F-Secure], W32/Nachi-A [Sophos], Win32.Nachi.A [CA], Worm.Win32.Welchia [KAV]
Type: Worm
Infection length: 10,240 bytes
Systems affected: Microsoft IIS, Windows 2000, Windows XP
Systems not affected: Linux, Macintosh, OS/2, UNIX, Windows 3.x, Windows 95, Windows 98, Windows Me, Windows NT
Ports used: TCP 135 (RPC DCOM), TCP 80 (WebDAV)
When W32.Welchia.Worm runs, it does the following:
Copies itself to:
%System%\Wins\Dllhost.exe
Note: %System% is a variable; the worm locates the System folder and copies itself there. By default this is C:\Winnt\System32 (Windows 2000)
or
C:\Windows\System32 (Windows XP). It then copies the file %System%\Dllcache\Tftpd.exe to %System%\Wins\svchost.exe.
Adds the subkeys:
RpcPatch
and:
RpcTftpd
to the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Creates the following services:
Service Name: RpcTftpd
Service Display Name: Network Connections Sharing
Service Binary: %System%\wins\svchost.exe
This service is set to start manually.
Service Name: RpcPatch
Service Display Name: WINS Client
Service Binary: %System%\wins\dllhost.exe
This service is set to start automatically. Finally, it deletes the file %System%\msblast.exe, which was placed there earlier by W32.Blaster.Worm.
This worm does the following:
- Sends ICMP echo (ping) packets to check which IP addresses on the local network are active.
- Once the worm finds that a machine is active, it sends data to TCP port 135 to exploit the DCOM RPC vulnerability, or sends data to TCP port 80 to exploit the WebDAV vulnerability.
- Creates a remote shell on the exploited machine, which then tries to connect back to the attacker's machine on a random TCP port between 666 and 765 to receive instructions.
- Sets up a TFTP server on the attacker's machine and instructs the exploited machine (the victim) to connect and download Dllhost.exe and Svchost.exe from it. If the file %System%\dllcache\tftpd.exe already exists on the victim, the worm does not download svchost.exe.
- Checks the computer's operating system version and service pack number, then attempts to connect to Microsoft Windows Update and apply the patch for the DCOM RPC vulnerability.
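The propagation sequence above (ICMP sweep, then TCP 135 or 80 to a host that answered, then a call-back from the victim on TCP 666-765 and a TFTP fetch) is visible from the network side. The following is an added detection example, not code from the original post: it parses a few constructed flow records in an assumed "timestamp proto src -> dst info" format (not any vendor's log syntax) and raises an alert only for a source that both swept several hosts with pings and then hit an exploit port on one of them, so a single ping followed by ordinary web traffic is not flagged.

```python
"""Detect the W32.Welchia.Worm propagation pattern in flow records.

Added example (not part of the original post). The records and the log
format below are constructed; each line is:
    <time> <proto> <src>[:<sport>] -> <dst>[:<dport>] <info>
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: 10.0.0.5 sweeps the subnet with pings, exploits
# 10.0.0.20 over TCP 135, and the victim calls back on TCP 700 and then
# fetches the worm files over TFTP (UDP 69). 10.0.0.9 is benign noise.
SAMPLE_FLOWS = """\
10:00:01 ICMP 10.0.0.5 -> 10.0.0.17 echo-request
10:00:01 ICMP 10.0.0.5 -> 10.0.0.18 echo-request
10:00:01 ICMP 10.0.0.5 -> 10.0.0.19 echo-request
10:00:01 ICMP 10.0.0.5 -> 10.0.0.20 echo-request
10:00:01 ICMP 10.0.0.20 -> 10.0.0.5 echo-reply
10:00:02 TCP 10.0.0.5:1041 -> 10.0.0.20:135 SYN
10:00:03 TCP 10.0.0.20:1059 -> 10.0.0.5:700 SYN
10:00:04 UDP 10.0.0.20:1060 -> 10.0.0.5:69 DATA
10:05:00 ICMP 10.0.0.9 -> 10.0.0.1 echo-request
10:05:01 TCP 10.0.0.9:3000 -> 10.0.0.1:80 SYN
"""

EXPLOIT_PORTS = {135, 80}          # DCOM RPC (MS03-026) and WebDAV (MS03-007)
CALLBACK_PORTS = range(666, 766)   # remote-shell call-back range named in the post
TFTP_PORT = 69                     # worm files are pulled from the attacker via TFTP
SWEEP_THRESHOLD = 3                # distinct hosts pinged before we call it a sweep


@dataclass
class Flow:
    ts: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    info: str


def _split_endpoint(ep: str) -> Tuple[str, Optional[int]]:
    if ":" in ep:
        host, port = ep.rsplit(":", 1)
        return host, int(port)
    return ep, None


def parse_flows(text: str) -> List[Flow]:
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, arrow, dst, info = line.split()
        if arrow != "->":
            raise ValueError("unexpected record: " + line)
        s_host, s_port = _split_endpoint(src)
        d_host, d_port = _split_endpoint(dst)
        flows.append(Flow(ts, proto, s_host, s_port, d_host, d_port, info))
    return flows


def detect_welchia(flows: List[Flow]) -> Dict[str, dict]:
    """Return {attacker_ip: summary} for sources showing the full pattern:
    an ICMP sweep, then TCP 135/80 to a pinged host, with any call-back
    (TCP 666-765) and TFTP traffic from the victim recorded as evidence."""
    pinged = defaultdict(set)      # src -> hosts it sent echo-requests to
    exploited = defaultdict(set)   # src -> pinged hosts it then hit on 135/80
    callback = defaultdict(set)    # attacker -> victims that connected back
    tftp = defaultdict(set)        # attacker -> victims that pulled files via TFTP
    for f in flows:
        if f.proto == "ICMP" and f.info == "echo-request":
            pinged[f.src].add(f.dst)
        elif f.proto == "TCP" and f.dport in EXPLOIT_PORTS and f.dst in pinged[f.src]:
            exploited[f.src].add(f.dst)
        elif f.proto == "TCP" and f.dport in CALLBACK_PORTS and f.src in exploited[f.dst]:
            callback[f.dst].add(f.src)
        elif f.proto == "UDP" and f.dport == TFTP_PORT and f.src in exploited[f.dst]:
            tftp[f.dst].add(f.src)
    alerts = {}
    for src, hosts in list(pinged.items()):
        if len(hosts) >= SWEEP_THRESHOLD and exploited[src]:
            alerts[src] = {
                "pinged": len(hosts),
                "exploited": sorted(exploited[src]),
                "callback": sorted(callback[src]),
                "tftp": sorted(tftp[src]),
            }
    return alerts


if __name__ == "__main__":
    for attacker, summary in detect_welchia(parse_flows(SAMPLE_FLOWS)).items():
        print(f"Welchia-like activity from {attacker}: {summary}")
```

The sweep threshold and the requirement that the exploit attempt follow a ping to the same host are what keep a lone ping plus a port-80 connection (the 10.0.0.9 lines) out of the alert; on real flow data the threshold should be tuned to the subnet size and scan rate you observe.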
Removal:
- Use the W32.Welchia.Worm removal tool.
- Remove it manually:
1. Disable System Restore (Windows XP). Why? On Windows XP, System Restore is enabled by default. Why is that dangerous? Because a virus, worm or Trojan that infects your computer may also be saved in the backups System Restore keeps, and what makes this worse is that Windows protects those backups from other programs, including antivirus software, so they cannot modify them (quarantine, remove or clean).
System Restore can therefore be the safest hiding place for viruses and the like, so you must disable it.
To turn off System Restore:
- You need to be logged on as an administrator (XP).
- Go to Control Panel.
- Select System; in System Properties, select the System Restore tab.
- Check "Turn off System Restore".
2. Update the virus definitions of the antivirus you use. Visit your antivirus vendor's website, or run LiveUpdate directly from your antivirus program, to perform the update.
3. Restart your computer in Safe Mode to stop the worm. On Windows 95/98/Me you can enter Safe Mode after the restart; on XP/NT/Windows 2000 you can stop the worm temporarily by stopping its services:
- Open Control Panel.
- Select Services under Administrative Tools.
- Scroll down until you find:
- Network Connections Sharing
- WINS Client
- Right-click each one and select Stop.
5. Delete the values and subkeys the worm created in the registry. This carries some risk, so back up your registry before you begin.
- Click Start, select Run, and type regedit.
- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- Delete the following subkeys:
RpcPatch
and
RpcTftpd
- Save the changes and exit the Registry Editor.
6. Delete the Svchost.exe file.
Go to the folder %System%\wins and delete the svchost.exe file found there (only the copy in the wins folder: %System%\svchost.exe itself is a legitimate Windows file).
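Step 5 tells you to back up the registry before deleting the worm's subkeys. An export of the Services key from regedit is a convenient form of that backup, and it can be checked mechanically for the indicators the post lists (subkey names RpcPatch and RpcTftpd, the display names WINS Client and Network Connections Sharing, and a binary under %System%\wins\). The following is an added example, not code from the original post: it parses a constructed .reg text and reports which Services subkeys match. It assumes string values are written as plain "name"="value" pairs; a real regedit export stores REG_EXPAND_SZ values such as ImagePath as hex(2):..., which this small parser does not decode.

```python
"""Audit a regedit export of the Services key for W32.Welchia.Worm's entries.

Added example, not part of the original post. SAMPLE_REG is constructed;
real exports encode ImagePath as hex(2):..., which is not handled here.
"""
import re
from typing import Dict, List

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcPatch]
"DisplayName"="WINS Client"
"ImagePath"="%System%\\wins\\dllhost.exe"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcTftpd]
"DisplayName"="Network Connections Sharing"
"ImagePath"="%System%\\wins\\svchost.exe"
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"DisplayName"="DHCP Client"
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"
"Start"=dword:00000002
'''

SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
# Indicators taken from the post: subkey names, display names and binary names.
WORM_SUBKEYS = {"RpcPatch", "RpcTftpd"}
WORM_DISPLAY_NAMES = {"WINS Client", "Network Connections Sharing"}
WORM_BINARIES = {"dllhost.exe", "svchost.exe"}
# Service Start values: 2 = automatic, 3 = manual (matches the post's description).
START_NAMES = {2: "automatic", 3: "manual"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def parse_reg(text: str) -> Dict[str, dict]:
    """Return {key_path: {value_name: value}} for string and dword values."""
    keys: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name, s, d = m.groups()
            # .reg files escape backslashes in string values as \\
            keys[current][name] = int(d, 16) if d is not None else s.replace("\\\\", "\\")
    return keys


def audit_services(keys: Dict[str, dict]) -> List[dict]:
    """Flag Services subkeys matching the worm's indicators; returns a list of findings."""
    findings = []
    for path, values in keys.items():
        if not path.startswith(SERVICES_KEY + "\\"):
            continue
        subkey = path[len(SERVICES_KEY) + 1:]
        image = values.get("ImagePath", "")
        # Binary file name only, ignoring any arguments such as "-k netsvcs".
        exe = image.lower().split()[0].rsplit("\\", 1)[-1] if image else ""
        in_wins_dir = "\\wins\\" in image.lower()
        reasons = []
        if subkey in WORM_SUBKEYS:
            reasons.append("subkey name created by the worm")
        if values.get("DisplayName") in WORM_DISPLAY_NAMES:
            reasons.append("display name used by the worm")
        if in_wins_dir and exe in WORM_BINARIES:
            reasons.append("binary lives in %System%\\wins\\")
        if reasons:
            findings.append({
                "subkey": subkey,
                "image": image,
                "start": values.get("Start"),
                "start_mode": START_NAMES.get(values.get("Start"), "other"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit_services(parse_reg(SAMPLE_REG)):
        print(f"{f['subkey']}: {f['image']} ({f['start_mode']}) -> {', '.join(f['reasons'])}")
```

Run it against the export taken before step 5 to confirm exactly which subkeys belong to the worm, and again against a fresh export afterwards to confirm they are gone. The legitimate Dhcp entry, whose binary is the real %SystemRoot%\System32\svchost.exe, produces no finding, which is the same distinction step 6 relies on when it deletes only the copy under %System%\wins.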