Welchi uses the same RPC hole as Lovsan to infect machines, although Welchi only infects machines running the Windows XP operating system. However, Welchi also tries to infect web servers running Microsoft IIS 5.0 by exploiting a WebDAV vulnerability found in March 2003.
Welchi is clearly much more advanced than the relatively simple Lovsan worm. In particular, it has three features which make it interesting:
1) Welchi kills Lovsan.A.
As this new worm is using the same hole as Lovsan, it will obviously end up infecting machines which are already infected by Lovsan. Welchi removes this infection.
2) Welchi installs the Microsoft RPC security patch.
After infecting a machine, the worm will try to apply the Microsoft patch to close the RPC hole. It will attempt to download the patch from Microsoft's web site. As the patch is different for different localized versions of Windows, the worm will check the local language and apply a suitable patch for the English, Korean, Chinese and Simplified Chinese versions of Windows.
3) Welchi dies.
This worm has a built-in expiration date. After January 1st, 2004, the worm will uninstall and remove itself from infected systems. Users can use this feature to easily remove the worm: change the system date to 2004 and reboot the system. After this the date can be set back.
"So, we seem to have an anti-virus-virus here", says Mikko Hypponen, Director of Anti-Virus Research at F-Secure Corporation. "We've seen similar things before, but not to the extent of actually applying Microsoft's own patches to the system. Unfortunately Welchi is not perfect and will create some additional problems."
The Welchi virus contains these hidden texts:
I love my wife & baby :)
~~~ Welcome Chian~~~
Notice: 2004 will remove myself:)
~~ sorry zhongli~~~
QUESTIONS AND ANSWERS ON THE WELCHI WORM
Q: Is this a variant of the Lovsan worm?
A: No. It has similarities and uses the same RPC hole, but it's not a variant.
Q: How does it spread to workstations?
A: If an unprotected machine is connected to the internet, the worm will access it directly with connections to TCP port 135 and infect it remotely. The user sees nothing.
Q: How does it spread to web servers?
A: If an unpatched IIS 5.0 machine is connected to the internet, the worm will access it directly and use the WebDAV vulnerability to infect it remotely.
Q: Which Windows platforms are vulnerable?
A: Apparently only Windows XP.
Q: Does Microsoft have a patch to close the RPC hole?
A: Yes, at http://www.microsoft.com/security/incident/blast.asp
Q: Does Microsoft have a patch to close the WebDAV hole?
A: Yes, at http://www.microsoft.com/technet/security/bulletin/MS03-007.asp
Q: Could it get behind firewalls?
A: Yes, just like Lovsan (on laptops, through external net connections made from behind the firewall). In some cases the web server might serve as a gateway to pass the infection from the public internet to intranets.
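The two spreading methods described above (direct connections to TCP port 135, and WebDAV requests against IIS 5.0) leave a footprint that a network or server administrator can look for. The following script is an added example and is not F-Secure code or anything taken from the worm: it runs over constructed firewall and IIS-style log lines (the log formats are hypothetical and chosen for readability), counts how many distinct hosts each source contacts on TCP/135, and lists clients that send WebDAV methods to a web server. The fan-out threshold and the set of WebDAV method names are assumptions of this example, not values from the article.

```python
import re
from collections import defaultdict

# Constructed firewall log lines in a hypothetical
# "date time src dst proto dport action" format (not a real product's format).
FIREWALL_LOG = """\
2003-08-18 10:00:01 10.0.0.5 10.0.1.1 tcp 135 allow
2003-08-18 10:00:01 10.0.0.5 10.0.1.2 tcp 135 allow
2003-08-18 10:00:02 10.0.0.5 10.0.1.3 tcp 135 deny
2003-08-18 10:00:02 10.0.0.5 10.0.1.4 tcp 135 deny
2003-08-18 10:00:03 10.0.0.5 10.0.1.5 tcp 135 deny
2003-08-18 10:00:03 10.0.0.5 10.0.1.6 tcp 135 deny
2003-08-18 10:00:04 10.0.0.7 10.0.1.1 tcp 135 allow
2003-08-18 10:00:05 10.0.0.7 10.0.1.1 tcp 445 allow
2003-08-18 10:00:06 10.0.0.9 10.0.1.20 tcp 80 allow
"""

# Constructed web-server log lines in a hypothetical
# "time client method uri status" format.
IIS_LOG = """\
10:01:00 10.0.0.5 SEARCH / 500
10:01:01 10.0.0.5 PROPFIND /aaaaaaaaaaaaaaaaaaaaaaaa 500
10:01:02 10.0.0.9 GET /index.htm 200
10:01:03 10.0.0.9 GET /images/logo.gif 200
"""

FW_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (tcp|udp) (\d+) (allow|deny)$")

# Standard WebDAV request methods; a server that is not meant to serve
# WebDAV should rarely see any of these from outside.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}


def rpc_fanout(log_text, threshold=5):
    """Map each source to the number of distinct hosts it contacted on TCP/135,
    keeping only sources at or above `threshold` (assumed cut-off). Denied
    connections count too: a blocked scan is still a scan."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        _date, _time, src, dst, proto, dport, _action = m.groups()
        if proto == "tcp" and dport == "135":
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}


def webdav_clients(log_text):
    """Map each client to the list of WebDAV methods it sent, in log order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _time, client, method, _uri, _status = parts
        if method in WEBDAV_METHODS:
            hits[client].append(method)
    return dict(hits)


def suspects(fw_text, iis_text, threshold=5):
    """Merge both signals into one report keyed by host; a host showing both
    TCP/135 fan-out and WebDAV probing matches both spreading methods."""
    rpc = rpc_fanout(fw_text, threshold)
    dav = webdav_clients(iis_text)
    return {
        host: {"rpc_targets": rpc.get(host, 0), "webdav_methods": dav.get(host, [])}
        for host in set(rpc) | set(dav)
    }


if __name__ == "__main__":
    for host, info in sorted(suspects(FIREWALL_LOG, IIS_LOG).items()):
        print(host, info)
```

On the constructed input only 10.0.0.5 is reported: it touched six hosts on TCP/135 and sent SEARCH and PROPFIND to the web server, while 10.0.0.7 made a single legitimate-looking RPC connection and 10.0.0.9 only issued GET requests. Laptops that roam outside and come back behind the firewall, as the answer above mentions, show up in exactly this way: as an internal source address fanning out to port 135.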
Q: What kind of emails does this worm send?
A: None. This is not an email worm. It never sends any emails.
Q: I'm running the German version of Windows. Will this worm patch my machine?
A: No. It will still infect it though.
Q: Is it ok to remove this virus by changing the date momentarily to 2004?
A: Yes, it seems to work fine.
Q: Is this a good virus?
A: No.
Q: Why not?
A: For many reasons. It's unauthorised. It's not tested. It creates compatibility problems. It might crash RPC services. It creates unnecessary network traffic (lots of it). And for many other reasons. For a full discussion of this, see Dr. Vesselin Bontchev's infamous paper 'Are "Good" Computer Viruses Still a Bad Idea?', available at http://www.virusbtn.com/old/OtherPapers/GoodVir/
Q: Where is this worm from?
A: Probably from South Korea, Taiwan or mainland China.
A detailed technical description of the worm as well as screenshots are available in the F-Secure Virus Description Database at http://www.f-secure.com/v-descs/welchi.shtml
F-Secure Anti-Virus can detect and stop the Welchi worm. F-Secure Anti-Virus can be downloaded from http://www.f-secure.com