Discovered: February 15, 2004
Updated: February 13, 2007 12:17:27 PM
Also Known As: WORM_NACHI.C [Trend], W32/Nachi.worm.c [McAfee], W32/Nachi-C [Sophos], Win32.Nachi.C [Computer Associ, Worm.Win32.Welchia.c [Kaspersk
Type: Worm
Systems Affected: Windows 2000, Windows XP
W32.Welchia.C.Worm is a minor variation of, and functionally equivalent to, W32.Welchia.B.Worm.
If the version of the operating system of the infected machine is Chinese, Korean, or English, the worm will attempt to download the Microsoft Workstation Service Buffer Overrun and Microsoft Messenger Service Buffer Overrun patches from the Microsoft® Windows Update Web site, install them, and then restart the computer.
The worm also attempts to remove the W32.Mydoom.A@mm and W32.Mydoom.B@mm worms.
W32.Welchia.C.Worm exploits multiple vulnerabilities, including:
The presence of the file, %Windir%\system32\drivers\svchost.exe, is an indication of a possible infection.
This threat is compressed with UPX.
Protection
- Initial Rapid Release version: February 17, 2004
- Latest Rapid Release version: February 17, 2004
- Initial Daily Certified version: February 17, 2004
- Latest Daily Certified version: February 17, 2004
- Initial Weekly Certified release date: February 18, 2004
Threat Assessment
Wild
- Wild Level: Low
- Number of Infections: 0 - 49
- Number of Sites: 0 - 2
- Geographical Distribution: Low
- Threat Containment: Easy
- Removal: Moderate
Damage
Distribution
- Distribution Level: Medium
Writeup By: John McDonald