What is Welchia or MSBLAST.D worm?

The Welchia worm, also known as the "Nachia worm," is a computer worm that exploits a vulnerability in the Microsoft Remote Procedure Call (RPC) service. It infects machines via network connections and can attack entire networks of computers or a single computer connected to the Internet. Like the original MSBlast worm, it exploits a known Windows vulnerability that is easily patched; however, few systems seem to have this patch installed. It attacks Windows 2000 and Windows XP machines through the DCOM RPC vulnerability and uses TFTP (Trivial File Transfer Protocol) to download its files onto a system. It also exploits a second vulnerability, known as the WebDAV exploit, to travel from system to system.

Once on a system, the Welchia worm copies itself to the Wins directory in the System or System32 folder in Windows, makes a copy of the TFTP server (TFTPD.exe) from the Dllcache directory, and creates the services RpcTftpd and RpcPatch. It ends the MSBLAST process and deletes the file %System%\msblast.exe, which is dropped by the MSBlast.A worm. It then checks the operating system version and downloads the appropriate patch from the designated Microsoft Web site. After executing the patch, it reboots the system. The downloaded patch file is named RpcServicePack.exe; the worm deletes this file after it is run.

To Remove the Welchia or MSBLAST.D worm

1) Disconnect your computer from the local area network or Internet

2) Terminate the running program

* Open a command prompt window. Click Start>Run, type CMD and then press the Enter key.
* At the command prompt, type the following:
NET STOP "Network Connections Sharing"
* Press the Enter key. A message should indicate that the service has been stopped successfully.
* Do the same to stop the following service:
NET STOP "WINS Client"
* Close the command prompt window.

3) Remove the Registry Entries

* Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
* In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>
* In the left panel, delete the subkeys:
RpcPatch
RpcTftpd
* Close Registry Editor.

4) Install the patches for the DCOM RPC exploit or WebDAV exploit. You can download the patches from the links below before disconnecting.

DCOM RPC Exploit

Windows XP Pro/Home Edition

Windows 2000

WebDAV Exploit

Windows XP

Windows 2000

5) Delete the infected files. (On Windows ME and XP, remember to turn off System Restore before searching for and deleting these files, so that infected backed-up copies are removed as well.)

* Click Start, point to Find or Search, and then click Files or Folders.
* Make sure that "Look in" is set to (C:\WINDOWS).
* In the "Named" or "Search for..." box, type, or copy and paste, the file names:
svchost.exe
dllhost.exe
* Click Find Now or Search Now.
* Delete the svchost.exe file in the c:\windows\system32\wins directory.
* Delete the dllhost.exe file in the c:\windows\system32\wins directory.
* Leave the copies of these files found directly in the system32 folder in place; those are legitimate Windows files.
* Empty the Recycle Bin.

6) Reboot the computer, reconnect the network, update your antivirus software, and run a thorough virus scan using your favorite antivirus program.
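
To confirm the cleanup, the read-only batch script below checks for the service keys and files named in the steps above. It is an added example, not part of the original instructions, and it assumes reg.exe is available at the command prompt (it is included with Windows XP; on Windows 2000 it may need to be installed separately) and that the worm's files sit under %SystemRoot%\system32\wins as described.

```batch
@echo off
rem Added example: read-only check for the Welchia indicators listed on this page.
rem It deletes nothing; it only reports what is still present.
setlocal
set FOUND=0

rem Service subkeys the worm creates under
rem HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
for %%S in (RpcPatch RpcTftpd) do (
    reg query "HKLM\SYSTEM\CurrentControlSet\Services\%%S" >nul 2>&1
    if not errorlevel 1 (
        echo FOUND service key: %%S
        set FOUND=1
    )
)

rem Worm files in the wins directory. The files with the same names
rem directly in system32 are legitimate and are not checked here.
for %%F in (svchost.exe dllhost.exe) do (
    if exist "%SystemRoot%\system32\wins\%%F" (
        echo FOUND file: %SystemRoot%\system32\wins\%%F
        set FOUND=1
    )
)

if "%FOUND%"=="1" (
    echo Welchia indicators are still present. Repeat the removal steps.
    exit /b 1
)

echo None of the Welchia indicators listed on this page were found.
exit /b 0
```

The exit code is 1 when any indicator is found and 0 otherwise, so the script can be run from a logon script or over several machines and the results collected.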