New Worm Installs Security Patches

F-Secure has analysed a new Windows network worm, known as Welchi or Nachi. This worm is similar to the Lovsan or Blaster worm, which has been spreading massively in the internet for the last week.

Welchi uses the same RPC hole to infect machines, although Welchi only infects machines running Windows XP operating system. However, Welchi also tries to infect web servers running Microsoft IIS 5.0, by exploiting a WebDAV vulnerability found in March 2003.

Welchi is clearly much more advanced than the relatively simple Lovsan worm. In particular, it has three features, which make it interesting:

1) Welchi kills Lovsan.A.

As this new worm is using the same hole as Lovsan, it will obviously end up infecting machines, which are already infected by Lovsan. Welchi removes this infection.

2) Welchi installs the Microsoft RPC security patch.

After infecting a machine, the worm will try to apply the Microsoft patch to close the RPC hole. It will attempt to download the patch from Microsoft web site. As the patch is different for different localized versions of Windows, the worm will check the local language and apply a suitable patch for English, Korean, Chinese and Simplified Chinese versions of Windows.

3) Welchi dies.

This worm has a built-in expiration date. After January 1st, 2004, the worm will uninstall and remove itself from infected systems. Users can use this feature to easily remove the worm: change the date to 2004 and reboot the system. After this the date can be set back.

“So, we seem to have an anti-virus-virus here”, says Mikko Hypponen, Director of Anti-Virus Research at F-Secure Corporation. “We’ve seen similar things before, but not to the extent of actually applying Microsoft’s own patches to the system. Unfortunately Welchi is not perfect and will create some additional problems.”

The Welchi virus contains these hidden texts:

I love my wife & baby 🙂
~~~ Welcome Chian~~~
Notice: 2004 will remove myself:)
~~ sorry zhongli~~~

QUESTIONS AND ANSWERS ON THE WELCHI WORM

Q: Is this a variant of the Lovsan worm?
A: No. It has similarities and uses the some RPC hole, but it’s not a variant.

Q: How does it spread to workstations?
A: If an unprotected machine is connected to the internet, the worm will access it directly with connections to TCP port 135 and infect it remotely. The user sees nothing.

Q: How does it spread to web servers?
A: If an unpatched IIS 5.0 machine is connected to the internet, the worm will access it directly and use the WebDAV vulnerability to infect it remotely.

Q: Which Windows platforms are vulnerable?
A: Apparently only Windows XP.

Q: Does Microsoft have a patch to close the RPC hole?
A: Yes, at

Q: Does Microsoft have a patch to close the WebDAV hole?
A: Yes, at

Q: Could it get behind firewalls?

A: Yes, just like Lovsan (on laptops, through external net connections made from behind the firewall). In some cases the web server might serve as a gateway to pass the infection from the public internet to intranets.

Q: What kind of emails does this worm send?
A: None. This is not an email worm. It never sends any emails.

Q: I’m running German version of Windows. Will this worm patch my machine?
A: No. It will still infect it though.

Q: Is it ok to remove this virus by changing the date momentarily to 2004?
A: Yes, it seems to work fine.

Q: Is this a good virus?
A: No.

Q: Why not?
A: For many reasons. It’s unauthorised. It’s not tested. It creates compatibility problems. It might crash RPC services. It creates unnecessary network traffic (lots of it). And for many other reasons. For full discussion on this, see Dr. Vesselin Bontchev’s infamous paper ‘Are “Good” Computer Viruses Still a Bad Idea?’, available at

Q: Where is this worm from?
A: Probably from South Korea, Taiwan or mainland China.

Detailed technical description of the worm as well as screenshots are available in the F-Secure Virus Description Database at
http://www.f-secure.com/v-descs/welchi.shtml

F-Secure Anti-Virus can detect and stop the Welchi worm. F-Secure Anti-Virus can be downloaded from http://www.f-secure.com

Don't miss