Aliases: W32/Nachi.worm.b, W32/Nachi-B, Win32.Nachi.B, WORM_NACHI.B, Net-Worm.Win32.Welchia.b
Variants: Worm.Win32.Welchia.b, W32/Nachi.worm.c, W32.Welchia.B.Worm, Win32.HLLW.LoveSan.4, W32/Nachi-C

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 11 Feb 2004
Damage: Low

Characteristics: The W32.Welchia.B.Worm application attempts to download DCOM RPC patch from Microsoft Windows Update Website. When installed and then rebooted the computer, it checks for active devices to infect by sending a PING or ICMP echo request that results in increased ICMP traffic. This worm as well attempts to eliminate W32.Blaster.Worm.

More details about W32.Welchia.B.Worm

The worm spreads itself via the Internet using an exploit in Microsoft Windows called the DCOM RPC vulnerability. It a swell infiltrates PCs through the vulnerability of WebDav. The worm installs and copies in the Windows System folder as dllhost.exe. It creates names and service it WINS Client. W32.Welchia.B.Worm is copies a file from the dllcache folder particularly tftpd.exe process as svchost.exe. This security threat also creates Network Connections Sharing where in it allows the W32.Welchia.B.Worm to take control over your system and executes itself every time the computer reboots. This worm is likewise claimed to erase msblast.exe process from the hard drive. It performs a scan of registries and searches for service patches and packs installed in the computer. If the DCOM RPC is not present, the worm will start downloading it.

The W32.Welchia.B.Worm software can infect machines running on Win32 operating systems. They are typically spread by mass e-mails. Users are commonly tricked into thinking the attached file is harmless. It may be labeled as an e-card or software patch. Other malware programs can also download and install the backdoor software. Users may unknowingly download them from freeware and shareware websites and peer-to-peer (P2P) file sharing networks. The W32.Welchia.B.Worm program creates a backdoor in the system. This is used to connect to a remote server. It is also used to receive information and files. The backdoor is made up of a previously unused system port. It is unmonitored as the system may be unaware that it has been opened. An increase in Internet activity may be detected without knowing the source.