W32.Welchia.Worm ; The friendly worm

Posted on Monday, August 18 2003 @ 14:05 CEST by Thomas De Maesschalck
I have just read this over at W2S that there is a new worm out in the wild, but nothing to worry about this time. Welchia exploits the same vulnerability in Windows as the Blaster worm which caused a lot of trouble last week. Special is that the Welchia worm attempts to download the DCOM RPC patch from the Windows update site, and also tries to remove the Blaster virus from your PC.
W32.Welchia.Worm is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, install it, and then reboot the computer.

The worm will also attempt remove W32.Blaster.Worm.
Like you can see, not all virus writers are evil. This new 'friendly' worm is also known under the name W32/Nachi.worm

More info at Symantec

UPDATE : GCN also has an interesting article about the Welchia Worm, you can find it here.
“Welchia masquerades as a ‘good worm,’ patching against the vulnerability,” he said. “In reality, it opens TCP port 707 for an attacker to remotely control the computer.”

Welchia appears to be programmed to remove itself from an infected computer in 2004. It creates the files DLLHOST.EXE and SVCHOST.EXE in the WINNTSYSTEM32WINS directory and opens port 707 on the infected computer. Monitoring TCP ports 707 and 135, which MSBlaster uses, could help identify the presence of malicious code, Dunham said.

About the Author

Thomas De Maesschalck

Thomas has been messing with computer since early childhood and firmly believes the Internet is the best thing since sliced bread. Enjoys playing with new tech, is fascinated by science, and passionate about financial markets. When not behind a computer, he can be found with running shoes on or lifting heavy weights in the weight room.

Loading Comments

Use Disqus to post new comments, the old comments are listed below.

Re: W32.Welchia.Worm ; The friendly worm
by Anonymous on Monday, August 18 2003 @ 17:23 CEST
It was evil on our network. It created an ICMP storm worst than blaster.

  • Reply by Anonymous on Monday, August 18 2003 @ 22:42 CEST

    That friendly worm of yours replicated itself multiple times on our network and started eating up bandwidth and processor time. It was a bugger to remove too.

  • Reply by Anonymous on Monday, August 18 2003 @ 23:54 CEST

    At my work, the main servers were infected, flooding the network with traffic to the minor server spread across the state. More than evil...it's a righteous mongrel.

  • Reply by Anonymous on Tuesday, August 19 2003 @ 1:14 CEST


    LOADS of ARP and ICMP. Brought our network to a crawl.

    • Reply by Anonymous on Thursday, January 29 2004 @ 17:46 CET

Re: W32.Welchia.Worm ; The friendly worm
by Anonymous on Tuesday, August 19 2003 @ 1:19 CEST
Consider yourself lucky that it didn't carry a payload. IT simple cleans up where admins left off. IF you got flooded then you must have had a vulnerability on your network and thanks to Welchia it has been plugged. You can run the MS utility on your network (private I hope) to check if your systems are now patched. It's called DCOM-KB826369-X86-ENU.exe. Run this utility with the /24 to make sure you cover the entire range for your organization.


Re: W32.Welchia.Worm ; The friendly worm
by Anonymous on Tuesday, August 19 2003 @ 2:37 CEST
wel they all seems to be networks as for my ive had alot of trouble with blaster resulting in risntalling windows 3 times in the past week and everytim ethe fixblast found and installed patch thought t was gameover but no more trouble came my way , so this tim ei was surprised to see it didnt happen ??? did a full scan with nortn nuthin, did a scan with bit defender and it found the *friendly* worm and i removed it has actulay saved me alot of trouble

Re: W32.Welchia.Worm ; The friendly worm
by Anonymous on Tuesday, August 19 2003 @ 22:21 CEST
Friendly, Right!! This virus hit my network today. The network has been down all day long and we are still trying to track down the infected computers. The source address is being spoofed. I have not read any reports of this happening, but we are seeing this!!

Re: W32.Welchia.Worm ; The friendly worm
by Thomas De Maesschalck (lsdsmurf@dvhardware.net) on Wednesday, August 20 2003 @ 6:48 CEST
I'm sorry but when I was posting this newspost I only knew that it destroyed the Blaster virus from pc's, so that primary it had good intentions with the pc's of his victims.

On networks there seem to be a lot of problems with the Welchia virus though.

According to Symantec a lot of big companies are hit, and are facing almost as much problems as with the Blaster worm.

  • Reply by Anonymous on Thursday, August 21 2003 @ 14:35 CEST

    mmm nice an RE worm virus lol
    all of this viros stiped BCOZ PPL cen the patch that block this problrm befor more then 9weaks sow it only hit ppl that r STIPEDLY dont dwonload the win updates
    i think that the hackers r dooing good jobs white becoz thay make the ppl get the latest update
    sow i say FUc|< the ppl that dont got the update and gj hackers
    na i not gona say it

    and fuc|< u all that replay abote my spell mastaks becoz THER IS MORE after ENGLISH sow ***** U ALL! (if u replay abote it u r TOTLAY DICK HEAD sow think befor u replay abote it, but u r free 2 replay abote what i saied in the start)