
W32.Welchia.Worm

Risk Level 2: Low

Discovered: August 18, 2003
Updated: August 11, 2017 2:01:31 PM
Type: Worm
Infection Length: Varies
Systems Affected: Windows
CVE References: CVE-2003-0109

W32.Welchia.Worm is a worm that propagates by exploiting the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (BID 8205) and the Microsoft Windows ntdll.dll Buffer Overflow Vulnerability (BID 7116).

This worm attempts to remove W32.Blaster.Worm (MCID 1761) and patch the system.

As of February 26, 2004, due to a decreased rate of submissions, Symantec Security Response has downgraded this threat to a Category 2 from a Category 3.

W32.Welchia.Worm is a worm that exploits multiple vulnerabilities, including:
  • The DCOM RPC vulnerability using TCP port 135. The worm specifically targets Windows XP machines using this exploit.
  • The WebDav vulnerability using TCP port 80. The worm specifically targets machines running Microsoft IIS 5.0 using this exploit. As coded in this worm, this exploit will impact Windows 2000 systems and may impact Windows NT/XP systems.
W32.Welchia.Worm does the following:
  • Attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, install it, and then restart the computer
  • Checks for active machines to infect by sending an ICMP echo request, or PING, which will result in increased ICMP traffic
  • Attempts to remove W32.Blaster.Worm
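
The network behavior described above (a burst of ICMP echo requests followed by connections to TCP port 135 or TCP port 80) can be turned into a detection heuristic. The following is an added example, not part of the original writeup: the flow-record layout, the addresses, and the thresholds (5 distinct targets in 60 seconds) are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample flows: (timestamp_s, src, dst, proto, icmp_type_or_dst_port)
FLOWS = [(100 + i, "10.0.0.23", f"10.0.1.{i}", "icmp", 8) for i in range(1, 7)]
FLOWS += [
    (108, "10.0.0.23", "10.0.1.2", "tcp", 135),   # follow-up to a pinged host
    (109, "10.0.0.23", "10.0.1.5", "tcp", 80),    # follow-up to a pinged host
    (100, "10.0.0.50", "10.0.1.1", "icmp", 8),    # monitoring host, few targets
    (160, "10.0.0.50", "10.0.1.2", "icmp", 8),
    (161, "10.0.0.50", "10.0.1.2", "tcp", 80),
    (105, "10.0.0.77", "192.0.2.10", "tcp", 80),  # ordinary web traffic, no ping
]

def find_sweepers(flows, min_targets=5, window=60, ports=(135, 80)):
    """Flag sources that ping many distinct hosts in a short window and then
    open TCP 135 or TCP 80 to a host they pinged earlier (assumed thresholds)."""
    pings = defaultdict(list)    # src -> [(ts, dst)] in time order
    follow = defaultdict(set)    # src -> {(dst, port)}
    for ts, src, dst, proto, detail in sorted(flows):
        if proto == "icmp" and detail == 8:          # ICMP type 8 = echo request
            pings[src].append((ts, dst))
        elif proto == "tcp" and detail in ports:
            if any(d == dst for _, d in pings.get(src, [])):
                follow[src].add((dst, detail))
    hits = {}
    for src, events in pings.items():
        best, start = 0, 0
        for end in range(len(events)):
            # Shrink the window until it spans at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({d for _, d in events[start:end + 1]}))
        if best >= min_targets and follow.get(src):
            hits[src] = {"max_targets": best, "followups": sorted(follow[src])}
    return hits

if __name__ == "__main__":
    for host, info in find_sweepers(FLOWS).items():
        print(host, info)
```

Hosts flagged this way are candidates for isolation and for checking patch status against the two vulnerabilities named above.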

Antivirus Protection Dates

  • Initial Rapid Release version August 18, 2003
  • Latest Rapid Release version August 18, 2003
  • Initial Daily Certified version August 18, 2003
  • Latest Daily Certified version August 18, 2003
  • Initial Weekly Certified release date August 20, 2003
Writeup By: Frederic Perriot
