MyCERT Advisories, Alerts and Summaries for the year 2003

MA-055.082003: W32.Nachi Worm

Original Issue Date: 19th August 2003
Last Updated: 20th August 2003

1.0 Description

1.1 Overview

On 19th August 2003, MyCERT received reports and observed detections of a new Internet worm that propagates aggressively once a machine is infected, scanning TCP port 135 and TCP port 80 on random IP addresses and sending its exploit payload to the hosts that respond. The worm, named W32.Nachi, arrives on target systems as DLLHOST.EXE; once a machine is infected, the worm opens port 707/TCP for its malicious activities.

The worm exploits two vulnerabilities in Microsoft Windows systems:

* Exploits the DCOM RPC vulnerability published in July 2003 (described in Microsoft Security Bulletin MS03-026) over TCP port 135; this vector specifically targets Windows XP and Windows 2000 machines.

* Exploits the WebDAV vulnerability published in March 2003 (described in Microsoft Security Bulletin MS03-007) over TCP port 80; this vector specifically targets machines running Microsoft IIS 5.0.

Once it has infected a machine, the worm tries to download the DCOM RPC patch (MS03-026) from Microsoft's Windows Update site, installs it and then reboots the computer.

The worm then looks for active machines to infect by sending ICMP echo requests (pings), which causes a noticeable increase in ICMP traffic on affected networks. The worm also tries to remove the W32.Blaster worm from the infected machine.

1.2 Propagation

The worm propagates by automatically scanning for TCP port 135 (DCOM RPC) and TCP port 80 (WebDAV) on random addresses.

1.3 System Affected

Systems vulnerable to this worm are unpatched machines running:

    1.3.1 Windows XP SP1 and below
    1.3.2 Windows 2000 SP4 and below
    1.3.3 Microsoft IIS 5.0 (WebDAV vector)

1.4 Aliases

W32.Welchia.Worm (Symantec)
W32/Nachi.worm (McAfee)
Welchi (F-Secure)
WORM_MSBLAST.D (Trend Micro)

1.5 Payload

1.5.1 Deletes the msblast.exe file (W32.Blaster) on the infected machine.
1.5.2 Causes system instability on vulnerable Windows 2000 machines, because the exploit attempt can crash the RPC service.
1.5.3 Sends ICMP echo requests (pings) to locate new targets, which causes increased ICMP traffic.
1.5.4 Persists by registering itself as Windows services through the registry (the RpcPatch and RpcTftpd keys listed in section 2.3.2).
1.5.5 Automatically scans TCP port 135 and TCP port 80.
1.5.6 Opens port 707/TCP and installs a TFTP server (SVCHOST.EXE) on every infected machine; the TFTP server is used to transfer the worm's own files to newly exploited hosts. The MS03-026 patch itself is fetched from Windows Update (section 1.1), after which the machine is rebooted.

2.0 Possible Steps

2.1 Prevention

2.1.1 Network Filtering

Sites are encouraged to block incoming and outgoing traffic on port 135/TCP and port 707/TCP at network gateways. Sites are also advised to block incoming and outgoing ICMP traffic at routers, except for hosts that genuinely require it. Port 80/TCP cannot normally be blocked in front of web servers, so IIS 5.0 hosts must rely on the MS03-007 patch (section 2.1.2).

2.1.2 System/Host

It is strongly recommended that all machines be patched with the DCOM RPC patch (MS03-026) and the WebDAV patch (MS03-007) to prevent propagation of the worm.

2.2 Detection

You may scan your machine with updated anti-virus software to detect the presence of the worm. A list of anti-virus vendors is available at:

http://www.mycert.org.my/en/resources/malware/av_sites/main/detail/528/index.html

Signs of an infected host within the network include increased ICMP traffic consisting of the following crafted ping, a 92-byte ICMP echo request whose 64 data bytes are all 0xAA:

19:00:07.489820 xxx.xxx.xxx.185 > yyy.yyy.yyy.119: icmp: echo request
0000: 4500 005c 7398 0000 6d01 fd29 d3ef d9b9 E..\s...m.)
0010: cabe 6477 0800 e8a1 0200 b808 aaaa aaaa dw.....
0020: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0030: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0040: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0050: aaaa aaaa aaaa aaaa aaaa aaaa
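The crafted ping above is the most reliable network-side indicator: a 92-byte IPv4 datagram carrying an ICMP echo request whose 64 data bytes are all 0xAA. The following Python script is an added example and is not part of the MyCERT advisory; it rebuilds the advisory's own hex dump into bytes, decodes and checksum-verifies the IP and ICMP headers (both checksums in the dump are valid), and flags packets matching that pattern. The benign comparison packets, the helper names and the 10.0.0.x addresses are constructed for the example.

```python
"""Flag the W32.Nachi/Welchia ICMP sweep in raw IPv4 packets.

Added example, not part of the MyCERT advisory: the advisory's tcpdump hex
dump is rebuilt into bytes, the IP and ICMP headers are decoded, both
checksums are verified, and a packet is flagged when it matches the worm's
fixed-format probe: IPv4 total length 92, ICMP echo request, 64 data bytes
of 0xAA. build_echo_request() exists only to construct benign comparison
traffic; the 10.0.0.x addresses are made up for the demo.
"""
import struct
from typing import Dict, List

# Hex dump copied from the advisory (tcpdump -x style; ASCII column dropped).
NACHI_DUMP = """
0000: 4500 005c 7398 0000 6d01 fd29 d3ef d9b9
0010: cabe 6477 0800 e8a1 0200 b808 aaaa aaaa
0020: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0030: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0040: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0050: aaaa aaaa aaaa aaaa aaaa aaaa
"""
HEX_DIGITS = set("0123456789abcdefABCDEF")


def hexdump_to_bytes(dump: str) -> bytes:
    """Parse 'OFFSET: xxxx xxxx ...' lines; a trailing ASCII column is ignored."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _offset, _, words = line.partition(":")
        for tok in words.split():
            if len(tok) not in (2, 4) or not set(tok) <= HEX_DIGITS:
                break  # first non-hex token starts the ASCII column
            out += bytes.fromhex(tok)
    return bytes(out)


def rfc1071_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum (RFC 1071); 0 over a correct header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_icmp(pkt: bytes) -> Dict:
    """Decode the IPv4 header and, for protocol 1, the ICMP header and data."""
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "total_len": total_len, "ttl": ttl, "proto": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "ip_csum_ok": rfc1071_checksum(pkt[:ihl]) == 0,
    }
    if proto == 1:
        icmp = pkt[ihl:total_len]
        itype, icode, _icsum, iid, iseq = struct.unpack("!BBHHH", icmp[:8])
        info.update(icmp_type=itype, icmp_code=icode, icmp_id=iid, icmp_seq=iseq,
                    icmp_csum_ok=rfc1071_checksum(icmp) == 0, icmp_data=icmp[8:])
    return info


def is_nachi_ping(info: Dict) -> bool:
    """Welchia probe: echo request, 92-byte datagram, payload of 64 x 0xAA."""
    return (info["proto"] == 1 and info.get("icmp_type") == 8
            and info.get("icmp_code") == 0 and info["total_len"] == 92
            and info.get("icmp_data") == b"\xaa" * 64)


def build_echo_request(src: str, dst: str, data: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Build a well-formed echo request (constructed benign traffic for the demo)."""
    icmp = bytearray(struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data)
    icmp[2:4] = struct.pack("!H", rfc1071_checksum(bytes(icmp)))
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 64, 1, 0,
                                bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))))
    hdr[10:12] = struct.pack("!H", rfc1071_checksum(bytes(hdr)))
    return bytes(hdr + icmp)


def scan(packets: List[bytes]) -> List[str]:
    """One alert line per packet matching the worm probe."""
    alerts = []
    for pkt in packets:
        info = parse_ipv4_icmp(pkt)
        if is_nachi_ping(info):
            alerts.append("NACHI ICMP sweep %s -> %s id=%#06x seq=%#06x ttl=%d"
                          % (info["src"], info["dst"], info["icmp_id"], info["icmp_seq"], info["ttl"]))
    return alerts


NACHI_PKT = hexdump_to_bytes(NACHI_DUMP)
# Constructed comparison traffic: a Windows-style ping (32-byte alphabet payload)
# and a 0xAA payload of the wrong length; neither should be flagged.
WINDOWS_PING = build_echo_request("10.0.0.5", "10.0.0.9", b"abcdefghijklmnopqrstuvwabcdefghi")
SHORT_AA_PING = build_echo_request("10.0.0.5", "10.0.0.9", b"\xaa" * 32)
SAMPLE_TRAFFIC = [WINDOWS_PING, NACHI_PKT, SHORT_AA_PING]

if __name__ == "__main__":
    for line in scan(SAMPLE_TRAFFIC):
        print(line)
```

Run as-is it prints one alert, for the captured packet. To use it on live traffic, feed scan() the raw IPv4 bytes of each packet from a capture library; the equivalent tcpdump filter is `icmp[icmptype] == icmp-echo and ip[2:2] == 92`. A 0xAA payload of a different length is deliberately not flagged, because the worm's probe has a fixed size; loosen is_nachi_ping() only if you are hunting for variants.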

2.3 Removal and Recovery

There are two ways of removal: using an automatic removal tool, or removing the worm manually. Regardless of which option is chosen, the host must be patched to avoid reinfection. Below are the recommended procedures:

2.3.1 Automatic Removal Tool

2.3.1.1 Disconnect the infected machine from the network

2.3.1.2 Apply the latest Service Packs. NOTE: The patches require a supported service pack level, so apply the service pack before the patches.

* For Windows 2000 apply SP4
* For Windows XP apply SP1

2.3.1.3 Apply the DCOM RPC and WebDav patches

The DCOM RPC patch can be downloaded at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

The WebDav patch can be downloaded at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-007.asp

2.3.1.4 You may download an automatic removal tool from one of the following anti-virus vendors; these tools detect and remove the worm.

Symantec
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

McAfee
http://vil.nai.com/vil/stinger/

Trend Micro
http://www.trendmicro.com/download/tsc.asp

F-Secure
ftp://ftp.f-secure.com/anti-virus/tools/f-lovsan.zip

2.3.2 Manual Removal

2.3.2.1 Disconnect the infected machine from the network

2.3.2.2 Apply the latest Service Packs.

* For Windows 2000 apply SP4
* For Windows XP apply SP1

2.3.2.3 Apply the DCOM RPC and WebDav patches

The DCOM RPC patch can be downloaded at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

The WebDav patch can be downloaded at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-007.asp

2.3.2.4 Stop the following services (the display names under which the worm registers itself):
* WINS Client
* Network Connections Sharing

2.3.2.5 Delete the DLLHOST.EXE and SVCHOST.EXE files from the WINS subdirectory
of your Windows SYSTEM32 directory, i.e. c:\winnt\system32\wins\dllhost.exe and
c:\winnt\system32\wins\svchost.exe (on Windows XP the system directory is
normally c:\windows\system32). If the files are still in use, first terminate
the worm's processes by pressing CTRL-ALT-DEL and opening Task Manager, then
delete the files.

NOTE: Do not delete the legitimate DLLHOST.EXE and SVCHOST.EXE that reside
directly in the SYSTEM32 directory; the worm's copies are the ones in the WINS
subdirectory. The files dropped by the worm can also be recognised by size:

DLLHOST.EXE approximately 10 KB
SVCHOST.EXE approximately 20 KB

The legitimate files are smaller than the sizes above, but treat the location,
not the size, as the deciding factor.

2.3.2.6 Edit the registry to:

* Delete the "RpcPatch" key from:
# HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

* Delete the "RpcTftpd" key from:
# HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
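The manual procedure above keys on two host indicators: the worm's DLLHOST.EXE and SVCHOST.EXE in the WINS subdirectory of SYSTEM32, and the RpcPatch and RpcTftpd service keys. The following Python script is an added example, not from the advisory or any vendor's removal tool; it checks a given SYSTEM32 path for those files, compares their sizes with the advisory's figures, and matches a supplied list of service names against the worm's. build_sample_tree() and the service names it is demonstrated with (Dnscache, Spooler) are constructed for the example; reading the live service list needs Windows (sc query or reg query), which is left to the operator.

```python
r"""Host-side triage for the W32.Nachi/Welchia indicators in the removal steps.

Added example, not from the advisory or any vendor tool. The worm drops
DLLHOST.EXE and SVCHOST.EXE into the wins subdirectory of SYSTEM32 and
registers them as the services RpcPatch and RpcTftpd. The legitimate
svchost.exe and dllhost.exe live in SYSTEM32 itself, so location, not size,
is the reliable discriminator; the advisory's sizes are reported only as
corroboration. Service names are passed in as a list (on Windows, collect
them with `sc query` or `reg query HKLM\SYSTEM\CurrentControlSet\Services`)
so the logic runs on any platform. build_sample_tree() creates a constructed
infected layout for demonstration.
"""
import os
import tempfile
from typing import Dict, Iterable, List

# File names and approximate sizes quoted by the advisory (10 KB and 20 KB).
NACHI_DROPPED = {"dllhost.exe": 10 * 1024, "svchost.exe": 20 * 1024}
# Registry service keys the advisory says to delete (compared case-insensitively).
NACHI_SERVICES = {"rpcpatch", "rpctftpd"}


def triage_wins_dir(system32: str) -> List[Dict]:
    """Report worm-named executables found in the wins subdirectory of SYSTEM32."""
    wins = os.path.join(system32, "wins")
    findings = []
    if not os.path.isdir(wins):
        return findings
    for name in sorted(os.listdir(wins)):
        if name.lower() in NACHI_DROPPED:
            path = os.path.join(wins, name)
            size = os.path.getsize(path)
            findings.append({
                "path": path,
                "size": size,
                # within 1 KB of the advisory's figure: corroboration, not the verdict
                "size_matches_advisory": abs(size - NACHI_DROPPED[name.lower()]) <= 1024,
            })
    return findings


def suspicious_services(service_names: Iterable[str]) -> List[str]:
    """Return the worm's service key names present in a list of installed services."""
    return sorted(n for n in service_names if n.lower() in NACHI_SERVICES)


def build_sample_tree() -> str:
    """Constructed layout: legitimate svchost.exe in system32, worm copies in system32/wins."""
    root = tempfile.mkdtemp(prefix="nachi_triage_")
    system32 = os.path.join(root, "WINNT", "system32")
    os.makedirs(os.path.join(system32, "wins"))
    layout = (
        ("svchost.exe", 8192),                          # legitimate, stays put
        (os.path.join("wins", "DLLHOST.EXE"), 10240),   # worm, ~10 KB
        (os.path.join("wins", "SVCHOST.EXE"), 19456),   # worm TFTP server, ~20 KB
    )
    for rel, size in layout:
        with open(os.path.join(system32, rel), "wb") as fh:
            fh.write(b"\x00" * size)  # dummy content; only name, location and size matter
    return system32


if __name__ == "__main__":
    sys32 = build_sample_tree()
    for f in triage_wins_dir(sys32):
        print("suspect file: %s (%d bytes, size matches advisory: %s)"
              % (f["path"], f["size"], f["size_matches_advisory"]))
    print("suspect services:", suspicious_services(["Dnscache", "RpcPatch", "RpcTftpd", "Spooler"]))
```

On a real host, point triage_wins_dir() at the actual system directory (c:\winnt\system32 on Windows 2000, c:\windows\system32 on XP) and feed suspicious_services() the names from sc query; a hit on either check means the services must be stopped before the files can be deleted, as in steps 2.3.2.4 and 2.3.2.5.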

3.0 More Information

More information on this worm can be obtained from the following sites:

3.1 Symantec
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

3.2 Trend Micro
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.D

3.3 McAfee
http://vil.nai.com/vil/content/v_100559.htm


3.4 F-Secure
http://www.f-secure.com/v-descs/welchi.shtml