W32.Welchia.Worm is a worm that exploits multiple vulnerabilities, including:
- The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm specifically targets Windows XP machines using this exploit.
- The WebDAV vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80. The worm specifically targets machines running Microsoft IIS 5.0 using this exploit. IIS 5.0 will most likely be found on Windows 2000 systems.
W32.Welchia.Worm does the following:
- Attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, install it, and then reboot the computer.
- Checks for active machines to infect by sending an ICMP echo request, or PING, which will result in increased ICMP traffic.
- Attempts to remove W32.Blaster.Worm.
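
The ICMP sweep described above, followed by connections to the two TCP ports named in this writeup, leaves a recognizable pattern in network flow logs. The following detection sketch is an added example, not part of the original writeup or the removal tool; the five-field record format, the sample records, the function name find_sweepers, and the min_targets and window thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed records, time-ordered: "<epoch> <src> <dst> <proto> <dport>" ("-" for ICMP)
SAMPLE_FLOWS = """\
1000 10.0.0.23 10.0.1.1 icmp-echo -
1001 10.0.0.23 10.0.1.2 icmp-echo -
1002 10.0.0.23 10.0.1.3 icmp-echo -
1003 10.0.0.23 10.0.1.4 icmp-echo -
1004 10.0.0.23 10.0.1.5 icmp-echo -
1006 10.0.0.23 10.0.1.2 tcp 135
1007 10.0.0.23 10.0.1.4 tcp 80
1010 10.0.0.50 10.0.1.1 icmp-echo -
1011 10.0.0.50 10.0.1.2 icmp-echo -
1012 10.0.0.50 10.0.1.1 tcp 80
"""

WORM_PORTS = {135, 80}  # TCP ports named in the writeup (MS03-026, MS03-007)

def find_sweepers(flow_text, min_targets=5, window=60):
    """Flag sources that ping >= min_targets distinct hosts within `window`
    seconds and then open TCP 135/80 to a host they had already pinged."""
    pings = defaultdict(list)      # src -> [(ts, dst)]
    first_ping = {}                # (src, dst) -> time of first echo request
    followups = defaultdict(set)   # src -> pinged hosts later contacted on 135/80
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0].isdigit():
            continue               # skip malformed records
        ts, src, dst, proto, dport = int(parts[0]), *parts[1:]
        if proto == "icmp-echo":
            pings[src].append((ts, dst))
            first_ping.setdefault((src, dst), ts)
        elif proto == "tcp" and dport.isdigit() and int(dport) in WORM_PORTS:
            if first_ping.get((src, dst), ts + 1) <= ts:
                followups[src].add(dst)
    findings = {}
    for src, events in pings.items():
        events.sort()
        start = widest = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1         # slide the window forward
            widest = max(widest, len({d for _, d in events[start:end + 1]}))
        if widest >= min_targets and followups[src]:
            findings[src] = {"pinged": widest, "followed_up": len(followups[src])}
    return findings

if __name__ == "__main__":
    print(find_sweepers(SAMPLE_FLOWS))
```

Hosts flagged this way are candidates for the removal procedure below; the thresholds need tuning against legitimate monitoring systems that also ping many hosts.
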
The W32.Welchia.Worm Removal Tool does the following:
- Terminates the W32.Welchia.Worm viral processes.
- Deletes the W32.Welchia.Worm files.
- Deletes the registry values that W32.Welchia.Worm added.
- Deletes the services created by W32.Welchia.Worm.
Note: You must have administrative rights to run this tool on Windows NT 4.0, Windows 2000, or Windows XP.
If you are running Windows Me or XP, then disable System Restore. Refer to the "System Restore option in Windows Me/XP" section later in this writeup for further details.
If you are running Windows Me/XP, we strongly recommend that you do not skip this step.
- Double-click the FixWelch.exe file to start the removal tool.
- Click Start to begin the process, and then allow the tool to run.
- Restart the computer.
- Run the removal tool again to ensure that the system is clean.
- If you are running Windows Me/XP, then re-enable System Restore.
Note: The removal procedure may not be successful if Windows Me/XP System Restore is not disabled as previously directed, because Windows prevents System Restore from being modified by outside programs.
When the tool has finished running, you will see a message indicating whether W32.Welchia.Worm infected the computer.