A New Worm Installs Security Patches

An anti-virus-virus is spreading

Helsinki, Finland - August 19, 2003

F-Secure has analysed a new Windows network worm, known as Welchi or Nachi. This worm is similar to the Lovsan or Blaster worm, which has been spreading massively on the internet for the last week.

Welchi uses the same RPC hole to infect machines, although Welchi only infects machines running the Windows XP operating system. However, Welchi also tries to infect web servers running Microsoft IIS 5.0, by exploiting a WebDAV vulnerability found in March 2003.

Welchi is clearly much more advanced than the relatively simple Lovsan worm. In particular, it has three features which make it interesting:

1) Welchi kills Lovsan.A.

As this new worm is using the same hole as Lovsan, it will obviously end up infecting machines which are already infected by Lovsan. Welchi removes this infection.

2) Welchi installs the Microsoft RPC security patch.

After infecting a machine, the worm will try to apply the Microsoft patch to close the RPC hole. It will attempt to download the patch from the Microsoft web site. As the patch is different for different localized versions of Windows, the worm will check the local language and apply a suitable patch for English, Korean, Chinese and Simplified Chinese versions of Windows.

3) Welchi dies.

This worm has a built-in expiration date. After January 1st, 2004, the worm will uninstall and remove itself from infected systems. Users can use this feature to easily remove the worm: change the date to 2004 and reboot the system. After this the date can be set back.

“So, we seem to have an anti-virus-virus here”, says Mikko Hypponen, Director of Anti-Virus Research at F-Secure Corporation. “We’ve seen similar things before, but not to the extent of actually applying Microsoft’s own patches to the system. Unfortunately Welchi is not perfect and will create some additional problems.”

The Welchi virus contains these hidden texts:

I love my wife & baby :) ~~~ Welcome Chian~~~ Notice: 2004 will remove myself:) ~~ sorry zhongli~~~

QUESTIONS AND ANSWERS ON THE WELCHI WORM

Q: Is this a variant of the Lovsan worm?

A: No. It has similarities and uses the same RPC hole, but it’s not a variant.

Q: How does it spread to workstations?

A: If an unprotected machine is connected to the internet, the worm will access it directly with connections to TCP port 135 and infect it remotely. The user sees nothing.

Q: How does it spread to web servers?

A: If an unpatched IIS 5.0 machine is connected to the internet, the worm will access it directly and use the WebDAV vulnerability to infect it remotely.

Q: Which Windows platforms are vulnerable?

A: Apparently only Windows XP.

Q: Does Microsoft have a patch to close the RPC hole?

A: Yes, at http://www.microsoft.com/security/incident/blast.asp

Q: Does Microsoft have a patch to close the WebDAV hole?

A: Yes, at http://www.microsoft.com/technet/security/bulletin/MS03-007.asp

Q: Could it get behind firewalls?

A: Yes, just like Lovsan (on laptops, through external net connections made from behind the firewall). In some cases the web server might serve as a gateway to pass the infection from the public internet to intranets.
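The two answers above describe the worm reaching workstations through direct TCP port 135 connections and carrying that behaviour inside the perimeter on laptops. A simple way to spot an infected internal host is to look for one source fanning out to many distinct peers on TCP/135. The script below is an added example and not part of the F-Secure release; the log line format, the sample lines and the fan-out threshold are constructed assumptions for this illustration.

```python
"""
Flag internal hosts fanning out to TCP/135 across many distinct peers,
the behaviour described for the worm spreading through the RPC hole.
The log format and the lines below are constructed for this example.
"""
from collections import defaultdict

# Constructed firewall-style connection log: time src dst proto dport action
SAMPLE_LOG = """\
2003-08-19T10:00:01 10.1.1.23 10.1.1.24 tcp 135 allow
2003-08-19T10:00:01 10.1.1.23 10.1.1.25 tcp 135 allow
2003-08-19T10:00:02 10.1.1.23 10.1.1.26 tcp 135 allow
2003-08-19T10:00:02 10.1.1.23 10.1.1.27 tcp 135 deny
2003-08-19T10:00:03 10.1.1.23 10.1.2.8 tcp 135 deny
2003-08-19T10:00:03 10.1.1.23 10.1.2.9 tcp 135 deny
2003-08-19T10:00:04 10.1.1.50 10.1.1.1 tcp 445 allow
2003-08-19T10:00:05 10.1.1.50 10.1.1.24 tcp 135 allow
2003-08-19T10:00:06 10.1.1.77 192.0.2.10 tcp 80 allow
"""

def parse_line(line):
    """Return (src, dst, proto, dport) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 6:
        return None
    _ts, src, dst, proto, dport, _action = parts
    if not dport.isdigit():
        return None
    return src, dst, proto.lower(), int(dport)

def rpc_fanout(log_text, threshold=5, port=135):
    """Count distinct destinations each source touched on TCP/<port>,
    denied attempts included, and return {src: count} for sources at
    or above the threshold (threshold is an assumed tuning value)."""
    peers = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, proto, dport = rec
        if proto == "tcp" and dport == port:
            peers[src].add(dst)
    return {src: len(d) for src, d in peers.items() if len(d) >= threshold}

if __name__ == "__main__":
    for host, n in rpc_fanout(SAMPLE_LOG).items():
        print(f"{host}: {n} distinct TCP/135 peers, check for Welchi/Lovsan")
```

Denied connections are counted on purpose: a blocked attempt is still evidence that the source is probing.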

Q: What kind of emails does this worm send?

A: None. This is not an email worm. It never sends any emails.

Q: I’m running the German version of Windows. Will this worm patch my machine?

A: No. It will still infect it though.

Q: Is it ok to remove this virus by changing the date momentarily to 2004?

A: Yes, it seems to work fine.

Q: Is this a good virus?

A: No.

Q: Why not?

A: For many reasons. It’s unauthorised. It’s not tested. It creates compatibility problems. It might crash RPC services. It creates unnecessary network traffic (lots of it). And for many other reasons. For a full discussion of this, see Dr. Vesselin Bontchev’s legendary paper ‘Are "Good" Computer Viruses Still a Bad Idea?’, available at http://www.virusbtn.com/old/OtherPapers/GoodVir/

Q: Where is this worm from?

A: Probably from South Korea, Taiwan or mainland China.

Detailed technical description of the worm as well as screenshots are available in the F-Secure Virus Description Database at http://www.f-secure.com/v-descs/welchi.shtml

F-Secure Anti-Virus can detect and stop the Welchi worm. F-Secure Anti-Virus can be downloaded from http://www.f-secure.com

F-Secure’s firewall products protected against Welchi, Lovsan and variants even before they were written. Consider using a good quality firewall on your Windows systems.

About F-Secure Corporation

F-Secure Corporation is the leading provider of centrally managed security solutions for the mobile enterprise. The company's award-winning products include antivirus, file encryption and network security solutions for major platforms from desktops to servers and from laptops to handhelds. Founded in 1988, F-Secure has been listed on the Helsinki Exchanges since November 1999. The company is headquartered in Helsinki, Finland, with the North American headquarters in San Jose, California, as well as offices in Germany, Sweden, Japan and the United Kingdom and regional offices in the USA. F-Secure is supported by a network of value added resellers and distributors in over 90 countries around the globe. Through licensing and distribution agreements, the company’s security applications are available for the products of the leading handheld equipment manufacturers, such as Nokia and HP.

Media queries to:

Mikko Hypponen, Director, Anti-Virus Research, F-Secure Corporation, Tel. +358 9 2520 5513, Email: Mikko.Hypponen@F-Secure.com

Media contact in the USA: F-Secure Inc., Heather Deem, 675 N. First Street, 5th Floor, San Jose, CA 95112, Tel +1 408 350 2178, Fax +1 408 938 6701, Email Heather.Deem@F-Secure.com