The Welchia worm (also known as Nachi) is a Nematode or friendly worm that deletes Blaster and patches the vulnerabilities that made Blaster possible. While Welchia often came to the aid of users suffering from the Blaster worm, it tended to slow computers down while carrying out its non-malevolent intentions, and it was a nuisance for those who had already removed Blaster from their PCs.
A machine that Welchia is about to infect will first receive an ICMP echo request, or PING, which is the worm checking that the IP address it has chosen belongs to a live host. The worm on the infecting computer then sends exploit code to the target computer in one of two ways. It may exploit the DCOM RPC vulnerability (the one that Blaster used to spread), in which case it sends its exploit code through port 135.
If the machine is running IIS, it may instead exploit a vulnerability in WebDAV, in which case it sends its code through port 80. The exploit creates a remote shell on the target that connects back to the attacking machine on a random port between 666 and 765, where the worm on the attacking computer listens and issues instructions; in most cases the port is 707. It then instructs the target to download the worm via TFTP into the system folder subdirectory "Wins" as dllhost.exe and execute it.
Welchia checks whether the file tftpd.exe exists in the system folder subdirectory "dllcache". If it does not, it also downloads that file, as svchost.exe, into Wins. This ensures that a TFTP server is available to send a copy of the worm to the next computer.
Welchia ends the msblast process and deletes the file msblast.exe. It checks the registry to see whether the patch for the DCOM RPC vulnerability has been installed; if not, it downloads and installs it. Once the patch has been installed successfully, Welchia reboots the computer, which completes the installation.
The worm then begins spreading to other systems by selecting IP addresses. It bases these on the address of the current system, keeping the first two octets and generating the last two by counting from 0 to 255. It sends an ICMP echo request, or PING, to each address and begins the exploitation procedure against any that responds.
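The propagation sequence described above (an ICMP sweep of the infected host's own /16, exploit delivery over TCP 135 or 80, a shell callback on a port between 666 and 765, and a TFTP pull on UDP 69) leaves a recognisable footprint in network flow logs. The following Python script is an added example, not part of the original article or any vendor's tooling: it runs a simple detector over constructed flow records and reports which hosts show the full pattern. The log format, the addresses, and the sweep threshold of 32 are assumptions made for the example.

```python
"""Detection of Welchia-style propagation in flow records.

Added example (not part of the original article). The log format, the
addresses and every record below are constructed for illustration; the
thresholds are assumptions, not values taken from the worm analysis.
"""
from collections import defaultdict
from ipaddress import ip_address

# Constructed flow records: "<timestamp> <src> -> <dst> <proto> <detail>"
# proto is icmp (detail = message type) or tcp/udp (detail = destination port).
SAMPLE_FLOWS = (
    [f"2003-08-18T10:00:{i % 60:02d} 10.20.1.5 -> 10.20.2.{i} icmp echo-request"
     for i in range(60)]
    + [
        "2003-08-18T10:01:05 10.20.2.7 -> 10.20.1.5 icmp echo-reply",
        "2003-08-18T10:01:06 10.20.1.5 -> 10.20.2.7 tcp 135",   # DCOM RPC exploit delivery
        "2003-08-18T10:01:07 10.20.2.7 -> 10.20.1.5 tcp 707",   # remote shell callback
        "2003-08-18T10:01:09 10.20.2.7 -> 10.20.1.5 udp 69",    # TFTP pull of dllhost.exe
        # A benign admin host pinging three servers must not be flagged.
        "2003-08-18T10:02:00 10.20.9.9 -> 10.20.3.1 icmp echo-request",
        "2003-08-18T10:02:01 10.20.9.9 -> 10.20.3.2 icmp echo-request",
        "2003-08-18T10:02:02 10.20.9.9 -> 10.20.3.3 icmp echo-request",
    ]
)

SHELL_PORTS = range(666, 766)   # worm's listener range, 666-765 inclusive
EXPLOIT_PORTS = {135, 80}       # DCOM RPC and IIS WebDAV delivery ports


def parse_flow(line):
    """Split one constructed flow record into its fields."""
    ts, src, _arrow, dst, proto, detail = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto, "detail": detail}


def same_slash16(a, b):
    """Welchia sweeps the /16 of the infected host: the first two octets match."""
    return int(ip_address(a)) >> 16 == int(ip_address(b)) >> 16


def detect_welchia(lines, sweep_threshold=32):
    """Return {scanner: sorted indicator names} for hosts matching the pattern."""
    flows = [parse_flow(line) for line in lines]
    pinged = defaultdict(set)        # scanner -> swept neighbours in its own /16
    indicators = defaultdict(set)

    # Stage 1: count distinct echo-request targets inside the sender's own /16.
    for f in flows:
        if (f["proto"] == "icmp" and f["detail"] == "echo-request"
                and same_slash16(f["src"], f["dst"])):
            pinged[f["src"]].add(f["dst"])

    scanners = {h for h, targets in pinged.items() if len(targets) >= sweep_threshold}
    for h in scanners:
        indicators[h].add("icmp_sweep_own_slash16")

    # Stage 2: follow-on traffic between a scanner and one of its swept hosts.
    for f in flows:
        if f["proto"] not in ("tcp", "udp"):
            continue
        port = int(f["detail"])
        # Exploit delivery goes from the scanner to a swept host.
        if (f["src"] in scanners and f["dst"] in pinged[f["src"]]
                and f["proto"] == "tcp" and port in EXPLOIT_PORTS):
            indicators[f["src"]].add("exploit_delivery_tcp_%d" % port)
        # Shell callback and TFTP pull come back from the victim to the scanner.
        if f["dst"] in scanners and f["src"] in pinged[f["dst"]]:
            if f["proto"] == "tcp" and port in SHELL_PORTS:
                indicators[f["dst"]].add("shell_callback_666_765")
            if f["proto"] == "udp" and port == 69:
                indicators[f["dst"]].add("tftp_pull_from_victim")

    return {h: sorted(i) for h, i in indicators.items()}


if __name__ == "__main__":
    for host, inds in detect_welchia(SAMPLE_FLOWS).items():
        print(host, inds)
```

The sweep check alone produces false positives from legitimate monitoring, which is why the script only raises the stronger indicators when the callback or TFTP traffic is tied to a host the same scanner already swept; in practice the same correlation can be expressed as a query over NetFlow or firewall logs.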
Welchia deletes itself whenever the year changes to 2004 or if it was left in the system for more than 120 days.
Welchia infected the intranet of the Navy Marine Corps and consumed three quarters of its capacity, rendering it useless for some time. No specific number of infected systems was given.
The worm also infected the network of the State Department, causing the department to shut down the network for nine hours. While no classified files were compromised, the "Consular Check System", used for performing background checks on foreigners seeking visas, was affected. This caused a nine-hour delay in processing and issuing visas.
Welchia was likely named by antivirus companies for the "Welcome Chian" text found in the worm body. It is also called Nachi, or may be considered the variant Blaster.D.
- ClamAV: Worm.Blaster.D
- Doctor Web: Win32.HLLW.LoveSan.2
- Kaspersky: Net-Worm.Win32.Welchia.a
- McAfee: W32/Nachi.worm.a
- Sophos: W32/Nachi-A
- Symantec: W32.Welchia.Worm
- Trend Micro: WORM_NACHI.A
Welchia is described by some antivirus vendors as a variant of Blaster. Welchia.B deletes Mydoom.A. It also displays a message that says "LET HISTORY TELL FUTURE !" and makes a reference to the atomic bombings of Japan.
The worm contains the following text strings:
I love my wife & baby :-) Welcome Chian Notice: 2004 will remove myself:-) sorry zhongli
While Welchia deletes Blaster and even itself after a certain amount of time, some security experts described it as being a case in which the cure is worse than the disease. They cite the worm's resource consumption, the unexpected shutdown and the fact that it comes from an unknown source and say that it is therefore untrustworthy.
Beneficial viruses and worms have long been controversial. SecurityFocus has given these worms the name "Nematode", after a species of worm that kills garden pests. Vesselin Bontchev concluded in a 1994 paper that they are possible and found uses for them in areas such as anti-virus, file compression, disk encryption, and system maintenance. In fact, the Xerox PARC worms of 1979 were an example of worms intended for beneficial purposes.
Welchia was also not the first or last self-replicator to delete another self-replicator. This goes back to the very first worms, circa 1970: Creeper, which became the target of Reaper. Denzuko, created in the late 1980s, targeted Brain, the first IBM PC virus. Some variants of the Netsky and Sasser worms attack Beagle and Mydoom. Gigabyte's YahaSux attacks the Yaha worm.
Frederic Perriot, Douglas Knowles. "W32.Welchia.Worm". Symantec Antivirus.
Sophos Antivirus. "W32/Nachi-A".
Ellen Messmer. "Navy Marine Corps Intranet hit by Welchia worm". NetworkWorld, 2003.08.19.
Elise Labott. "'Welchia worm' hits U.S. State Dept. network". CNN, 2003.09.24.
Security Focus. "Good worms back on the agenda". The Register, 2006.01.30.
Vesselin Bontchev. "Are "Good" Computer Viruses Still a Bad Idea?". Virus Test Center, University of Hamburg, 1994.
Fridrik Skulason. "The Search for Den Zuk". Virus Bulletin, 1991.02.
Yui Kee Computing. "Fools Rush In: W32/Welchia a Practical Demonstration in Stupidity". 2003.08.19.
John Leyden. "Nachi variant wipes MyDoom from PCs". The Register, 2004.02.12.