Welchia - The Anti-Virus Virus?
19 Aug 2003
Kaspersky Lab, the leading information security expert, warns users about a new Internet worm, Welchia. Welchia seeks out computers infected by Lovesan (Blaster), disinfects them and installs the Windows patch. Experts at Kaspersky Lab have registered multiple instances of infection by this malware.
Welchia belongs to the family of viruses that attack other malware, fighting for control of the system. The most famous worm of this group appeared in September 2001: the CodeBlue worm, which scanned the Internet for machines infected by the CodeRed worm and disinfected them.
Welchia breaches computers using the same DCOM RPC vulnerability that Lovesan used. However, Welchia also uses the WebDAV vulnerability in IIS 5.0 (a Windows web-server component). The worm scans for active machines and attacks via ports 135 (DCOM vulnerability) and 80 (WebDAV vulnerability). Once victim machines have been identified, the worm proceeds to download the carrier file and register itself as DLLHOST.EXE in the WINS subfolder of the Windows system folder (%System%\WINS\Dllhost.exe), creating an automatic service named WINS Client.
After installation, the worm sets out to remove Lovesan. Welchia scans for the MSBLAST.EXE process, ends the process and deletes the MSBLAST.EXE file. Welchia then scans the Windows system registry and looks for installed patches. If the patch for the DCOM RPC vulnerability has not been installed, Welchia initiates the download. Once the patch is successfully downloaded and executed, the worm reboots the computer to complete installation.
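The behaviour described above yields two kinds of indicator a defender can check for: the host artifacts (a DLLHOST.EXE in the WINS subfolder and a "WINS Client" service) and the network fan-out of a host scanning ports 135 and 80. The following is an added example, not Kaspersky Lab's code; the log-line format, host names and addresses are constructed for illustration.

```python
"""Added example (not from the advisory): triage heuristics for the Welchia
indicators it describes, run over constructed sample data."""
import re
from collections import defaultdict

# Host-side indicators from the advisory. Note that a legitimate dllhost.exe
# lives directly in %System%, not in a WINS subfolder.
WELCHIA_FILE = re.compile(r"\\wins\\dllhost\.exe$", re.IGNORECASE)
WELCHIA_SERVICE = "wins client"
SCAN_PORTS = {135, 80}   # DCOM RPC and IIS WebDAV, the two vectors described

def host_indicators(running_files, services):
    """Return the Welchia host indicators found among a host's running
    executable paths and installed service names."""
    hits = []
    for path in running_files:
        if WELCHIA_FILE.search(path):
            hits.append(f"file:{path}")
    for svc in services:
        if svc.strip().lower() == WELCHIA_SERVICE:
            hits.append(f"service:{svc}")
    return hits

# Hypothetical firewall log format: "src=<ip> dst=<ip> dport=<port>"
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

def scanning_sources(log_lines, min_targets=10):
    """Flag sources that contact many distinct destinations on 135 or 80,
    the fan-out a worm produces while scanning for new victims."""
    targets = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        if dport in SCAN_PORTS:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}

# Constructed sample data (hypothetical paths, services and addresses).
SAMPLE_FILES = [r"C:\WINDOWS\system32\dllhost.exe",
                r"C:\WINDOWS\system32\wins\DLLHOST.EXE"]
SAMPLE_SERVICES = ["Workstation", "WINS Client"]
SAMPLE_LOG = [f"src=10.0.0.5 dst=10.0.0.{i} dport=135" for i in range(40)]
SAMPLE_LOG += ["src=10.0.0.7 dst=10.0.0.1 dport=80",
               "src=10.0.0.7 dst=10.0.0.2 dport=443"]

if __name__ == "__main__":
    print(host_indicators(SAMPLE_FILES, SAMPLE_SERVICES))
    print(scanning_sources(SAMPLE_LOG))
```

Thresholds such as `min_targets` are a starting point; tune them against the normal port 135/80 traffic of the network being monitored.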
Welchia has already spread around the world and should probably decrease Lovesan infections in about a week's time. Nevertheless, it is important to stress that there are no good viruses. "Even seemingly useful and harmless viruses will never replace anti-virus software", said Denis Zenkin, Head of Corporate Communications at Kaspersky Lab, "The passivity displayed by many users during the Lovesan epidemic caused the Internet to overload and seems to have inspired someone to create Welchia. It would be a shame if such user passivity turns the Internet into a battleground for competing viruses".
Security measures against Welchia have already been added to the Kaspersky® Anti-Virus databases. Detailed information about Welchia is available in the Kaspersky Virus Encyclopedia.