Updated February 12, 2004
A new variant of the Welchi worm, dubbed Welchi.B, was discovered on February 11, 2004. Where the original Welchi worm removed the Blaster worm from infected systems, Welchi.B seeks out MyDoom-infected systems and attempts to clean them. However, neither Welchi nor Welchi.B should be considered a 'good' worm. In addition to being worms that generate unwanted network traffic, both attempt to force the installation of certain patches. Doing so can cause unexpected reboots of the affected system, which is in itself a form of Denial of Service (DoS). Further, according to NAI/McAfee, Welchi.B carries a destructive payload aimed at users of the Japanese version of Windows: it overwrites .shtm, .stm, .cgi, .php, .html, .htm, and .asp files in the Virtual Root and IIS Help directories found on those systems.
Welchi.B exploits several patchable vulnerabilities in order to spread:
- The RPC/DCOM flaw first exploited by Blaster (bulletins MS03-026 and MS03-039)
- An unchecked buffer in a WebDAV component (bulletin MS03-007)
- A buffer overrun condition in the Workstation service (bulletin MS03-049)
As part of its infection routine, Welchi.B drops a copy of itself as SVCHOST.EXE in the %windir%\system32\drivers folder. This choice of name may confuse users who fail to realize that a valid copy of SVCHOST.EXE (located in %windir%\System32) also exists on the system; the legitimate file is one directory up, and the worm's copy sits in the drivers subfolder. As in real estate, location is everything.
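The practical check that follows from this is to treat any svchost.exe whose image path is not %windir%\System32 as suspect. The script below is an added example, not code from the original advisory or from any vendor; it runs the check over a constructed process listing (the PIDs and paths are illustrative, and the Windows directory is assumed to be C:\WINDOWS), flagging the drivers-folder copy Welchi.B drops as well as any other out-of-place svchost.exe.

```python
r"""Flag svchost.exe images running from outside %windir%\System32.

Added example, not part of the original advisory. The only legitimate
SVCHOST.EXE lives in %windir%\System32, so a copy anywhere else, including
%windir%\system32\drivers where Welchi.B drops itself, deserves a look.
The process list below is constructed for illustration.
"""
import ntpath

# Assumed Windows directory; on a live host read it from %windir%.
WINDIR = r"C:\WINDOWS"

# Constructed sample: (pid, image path) as a process or file listing would show them.
SAMPLE_PROCESSES = [
    (812, r"C:\WINDOWS\System32\svchost.exe"),
    (960, r"C:\WINDOWS\system32\SVCHOST.EXE"),
    (1508, r"C:\WINDOWS\system32\drivers\SVCHOST.EXE"),   # Welchi.B drop location
    (1644, r"C:\Program Files\Example\svchost.exe"),      # hypothetical other impostor
    (1700, r"C:\WINDOWS\system32\lsass.exe"),
]


def _norm(path):
    # Windows paths are case-insensitive and accept either separator;
    # ntpath works on any platform, so this runs offline on Linux too.
    return ntpath.normcase(ntpath.normpath(path))


def is_masquerading_svchost(image_path, windir=WINDIR):
    r"""True if the image is named svchost.exe but is not %windir%\System32\svchost.exe."""
    path = _norm(image_path)
    if ntpath.basename(path) != "svchost.exe":
        return False
    legit_dir = _norm(ntpath.join(windir, "System32"))
    return ntpath.dirname(path) != legit_dir


def find_suspect_svchost(processes, windir=WINDIR):
    r"""Return [(pid, path)] for svchost.exe images outside %windir%\System32."""
    return [(pid, p) for pid, p in processes if is_masquerading_svchost(p, windir)]


if __name__ == "__main__":
    for pid, path in find_suspect_svchost(SAMPLE_PROCESSES):
        print(f"PID {pid}: suspect svchost.exe at {path}")
```

The comparison is on the directory, not just the filename, so the mixed-case %windir%\system32\SVCHOST.EXE on the second line is correctly left alone while the drivers-folder copy is reported.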
Like its predecessor, Welchi.B includes a self-destruct date. On June 1, 2004, the worm will uninstall itself from infected systems.
At the time of this writing, Welchi.B is not widespread.