How to delete Win32.Worm.Welchia.B - Removal tool, fix, repair

Name: Win32.Worm.Welchia.B

Aliases: W32/Nachi.Worm.b, W32.Welchia.B.Worm, WORM_NACHI.B, Welchi.B

Type: Executable Backdoor Worm

Size: 12800 bytes

First appeared on: 12.02.2004

Damage: Low

Brief Description: Win32.Worm.Welchia.B is a worm that affects Windows 2003/XP/2000/NT computers only. Win32.Worm.Welchia.B exploits the vulnerabilities Buffer Overrun in RPC Interface, WebDAV and Workstation Service Buffer Overrun in order to spread to as many computers as possible.

Win32.Worm.Welchia.B spreads by attacking remote computers and exploits the vulnerabilities mentioned above to download a copy of itself to the compromised computer. In order to do this, Win32.Worm.Welchia.B incorporates its own web server.

Win32.Worm.Welchia.B uninstalls the worms Mydoom.A and Mydoom.B, by ending their processes and deleting the files carrying the worms.

If you have a Windows 2003/XP/2000/NT computer, it is highly recommended that you download the security patches from the Microsoft website for the following vulnerabilities: Buffer Overrun in RPC Interface, WebDAV and Workstation Service Buffer Overrun.

Visible Symptoms: The presence of the following file (%SYSDIR% is the Windows System directory): %SYSDIR%\Drivers\SVCHOST.EXE

High activity on ports 135 (RPC), 80 (HTTP) and 445 (SMB over TCP).

Win32.Worm.Welchia.B is difficult to recognize, as it does not show any messages or warnings that indicate it has reached the computer.

Technical description: The worm arrives by exploiting one of the following:
  1. DCOM RPC vulnerability described in MS03-026 bulletin
  2. WebDAV vulnerability described in MS03-007 bulletin
  3. Workstation Service vulnerability described in MS03-049 bulletin
When infecting a machine, it copies itself to the following location:
%SYSDIR%\Drivers\SVCHOST.EXE
and creates a service called WksPatch so that it runs each time Windows starts.

To infect other machines, it generates random IP addresses and sends packets on ports 135, 80 and 445 to exploit vulnerable targets (see above).
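The scanning behaviour just described (random target addresses, ports 135, 80 and 445) is the one symptom a network defender can watch for in flow or firewall logs. The following example is added here and is not code from the original description; it flags any source host that contacts many distinct destinations on those ports. The flow records, the record format (source IP, destination IP, destination port) and the thresholds are constructed assumptions for the illustration.

```python
"""Flag hosts whose outbound traffic matches the Welchia.B propagation
pattern: many connection attempts to distinct addresses on TCP 135, 80
and 445.  Added example, not part of the original page; the flow records
below are constructed sample data."""
from collections import defaultdict

# Ports the description lists as targets of the worm's scanning (RPC, HTTP, SMB).
WELCHIA_PORTS = {135, 80, 445}

# Constructed sample flow records: (source_ip, dest_ip, dest_port).
SAMPLE_FLOWS = [
    # 10.0.0.7 behaves like an infected host: fan-out to many random hosts.
    *[("10.0.0.7", f"192.0.2.{i}", 135) for i in range(1, 41)],
    *[("10.0.0.7", f"198.51.100.{i}", 445) for i in range(1, 31)],
    *[("10.0.0.7", f"203.0.113.{i}", 80) for i in range(1, 21)],
    # 10.0.0.9 is a busy but legitimate client: many flows, few destinations.
    *[("10.0.0.9", "10.0.0.1", 445) for _ in range(200)],
    *[("10.0.0.9", "10.0.0.2", 80) for _ in range(150)],
    # 10.0.0.12 talks to a handful of web sites on port 80 only.
    *[("10.0.0.12", f"203.0.113.{i}", 80) for i in range(1, 6)],
]


def find_scanners(flows, min_targets=25, min_ports=2):
    """Return {source_ip: {port: distinct_target_count}} for every source that
    contacted at least `min_targets` distinct destinations on at least
    `min_ports` of the Welchia ports.  Counting distinct destinations rather
    than raw flows keeps a chatty client with a few peers below threshold;
    requiring more than one port separates the worm's mixed 135/80/445
    sweep from ordinary single-service traffic.  Thresholds are assumptions."""
    targets = defaultdict(lambda: defaultdict(set))
    for src, dst, port in flows:
        if port in WELCHIA_PORTS:
            targets[src][port].add(dst)
    suspects = {}
    for src, per_port in targets.items():
        distinct_all = set().union(*per_port.values())
        if len(distinct_all) >= min_targets and len(per_port) >= min_ports:
            suspects[src] = {p: len(d) for p, d in per_port.items()}
    return suspects


if __name__ == "__main__":
    for host, counts in find_scanners(SAMPLE_FLOWS).items():
        print(f"{host}: possible Welchia-style scanning, distinct targets per port {counts}")
```

Run on the constructed records, only 10.0.0.7 is reported (40 targets on 135, 30 on 445, 20 on 80); the two legitimate clients stay under the distinct-destination threshold. A real deployment would apply the same counting over a sliding time window and then confirm on the flagged host with the file and service indicators listed in the description.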

It tries to remove the Mydoom worm as well as the previous version of Welchia, Win32.Worm.Welchia.A, and downloads and applies the patches KB828035 and KB828749 from Microsoft's website.

It overwrites some HTML files with the following content:

LET HISTORY TELL FUTURE !

1931.9.18

1937.7.7

1937.12.13 300,000 !

1941.12.7

1945.8.6 Little boy

1945.8.9 Fatso

1945.8.15

Let history tell future !

The worm will remove itself after June 2004.

Propagation: Win32.Worm.Welchia.B spreads by attacking remote computers. Win32.Worm.Welchia.B attempts to exploit the Buffer Overrun in RPC Interface, WebDAV and Workstation Service Buffer Overrun vulnerabilities in those computers. If successful, it downloads a copy of itself to the attacked computer. Win32.Worm.Welchia.B incorporates its own web server.

Removal instructions: Not available

Removal tool:
Download Removal Tool from BitDefender's website
Download Removal Tool from F-Secure
Download Removal Tool from Sophos