North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Welchia Virus - it is real and hard to detect.......

  • From: Christopher Bird
  • Date: Tue Aug 26 17:25:26 2003

I hope the nanog mail list is an OK place to warn of this..........

As part of my clean up for clients who have had Blaster, I came across a
variant, sometimes called Blaster D. Its other name is welchia.

It seems to do the following:

Gets the Microsoft patch for regular blaster. Installs a file called
dllhost.exe in the C:\Windows\System32\Wins directory. Btw there is a
smaller dllhost.exe file in one of the other system directories.

It also copies the tftp server from one of the other windows locations. 

They are both started by a startup service.

When connection is made to the internet, dllhost and the tftp server
start their dirty work.

The tftp server appears to be the mechanism by which the virus
propagates. The dllhost sends out a firestorm of requests (on various
ports) to try to find other victims.

This afternoon I patched a system and installed a personal firewall - in
the space of about 20 minutes there were 207 attacks some using ICMP
class 8, others simply using uDP against ports 135, 137 and 139.

This was all on a computer that had the Microsoft patches for Blaster
applied. I think it gets in prior to the blaster patch application and
then is not detected by the blaster removal and Microsoft fix.

Rather than go into all the gory details, I suggest that interested
parties go hunting for it at their usual anti-v places.

Chris Bird