Welchia

Last updated

The Welchia worm, also known as the "Nachi worm", is a computer worm that exploits a vulnerability in the Microsoft remote procedure call (RPC) service similar to the Blaster worm. However, unlike Blaster, it first searches for and deletes Blaster if it exists, then tries to download and install security patches from Microsoft that would prevent further infection by Blaster, so it is classified as a helpful worm. Welchia was successful in deleting Blaster, but Microsoft claimed that it was not always successful in applying their security patch. [1]

Computer worm standalone malware computer program that replicates itself in order to spread to other computers

A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.

Microsoft U.S.-headquartered technology company

Microsoft Corporation (MS) is an American multinational technology company with headquarters in Redmond, Washington. It develops, manufactures, licenses, supports and sells computer software, consumer electronics, personal computers, and related services. Its best known software products are the Microsoft Windows line of operating systems, the Microsoft Office suite, and the Internet Explorer and Edge web browsers. Its flagship hardware products are the Xbox video game consoles and the Microsoft Surface lineup of touchscreen personal computers. As of 2016, it is the world's largest software maker by revenue, and one of the world's most valuable companies. The word "Microsoft" is a portmanteau of "microcomputer" and "software". Microsoft is ranked No. 30 in the 2018 Fortune 500 rankings of the largest United States corporations by total revenue.

In distributed computing, a remote procedure call (RPC) is when a computer program causes a procedure (subroutine) to execute in a different address space, which is coded as if it was a normal (local) procedure call, without the programmer explicitly coding the details for the remote interaction. That is, the programmer writes essentially the same code whether the subroutine is local to the executing program, or remote. This is a form of client–server interaction, typically implemented via a request–response message-passing system. In the object-oriented programming paradigm, RPC calls are represented by remote method invocation (RMI). The RPC model implies a level of location transparency, namely that calling procedures is largely the same whether it is local or remote, but usually they are not identical, so local calls can be distinguished from remote calls. Remote calls are usually orders of magnitude slower and less reliable than local calls, so distinguishing them is important.

Contents

This worm infected systems by exploiting vulnerabilities in Microsoft Windows system code (TFTPD.EXE and TCP on ports 666–765, and a buffer overflow of the RPC on port 135). Its method of infection is to create a remote shell and instruct the system to download the worm using TFTP.EXE. Specifically, the Welchia worm targeted machines running Windows XP. The worm used ICMP, and in some instances flooded networks with enough ICMP traffic to cause problems. [2]

Trivial File Transfer Protocol (TFTP) is a simple lockstep File Transfer Protocol which allows a client to get a file from or put a file onto a remote host. One of its primary uses is in the early stages of nodes booting from a local area network. TFTP has been used for this application because it is very simple to implement.

The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite. It is used by network devices, including routers, to send error messages and operational information indicating, for example, that a requested service is not available or that a host or router could not be reached. ICMP differs from transport protocols such as TCP and UDP in that it is not typically used to exchange data between systems, nor is it regularly employed by end-user network applications.

Once on the system, the worm patches the vulnerability it used to gain access (thereby actually securing the system against other attempts to exploit the same method of intrusion) and run its payload, a series of Microsoft patches. It then attempts to remove the Blaster Worm by deleting MSBLAST.EXE. If still in the system, the worm is programmed to self-remove on January 1, 2004, or after 120 days of processing, whichever comes first.

Blaster (computer worm) computer worm

Blaster Worm was a computer worm that spread on computers running operating systems Windows XP and Windows 2000 during August of 2003.

In September 2003, the worm was discovered on the US State Department's computer network, causing them to shut down their network for 9 hours for remediation. [3]

See also

Related Research Articles

Malware is any software intentionally designed to cause damage to a computer, server, client, or computer network. Malware does the damage after it is implanted or introduced in some way into a target's computer and can take the form of executable code, scripts, active content, and other software. The code is described as computer viruses, worms, Trojan horses, ransomware, spyware, adware, and scareware, among other terms. Malware has a malicious intent, acting against the interest of the computer user—and so does not include software that causes unintentional harm due to some deficiency, which is typically described as a software bug.

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

Sasser is a computer worm that affects computers running vulnerable versions of the Microsoft operating systems Windows XP and Windows 2000. Sasser spreads by exploiting the system through a vulnerable port. Thus it is particularly virulent in that it can spread without user intervention, but it is also easily stopped by a properly configured firewall or by downloading system updates from Windows Update. The specific hole Sasser exploits is documented by Microsoft in its MS04-011 bulletin, for which a patch had been released seventeen days earlier.

In computing, Download.ject is a malware program for Microsoft Windows servers. When installed on an insecure website running on Microsoft Internet Information Services (IIS), it appends malicious JavaScript to all pages served by the site.

Agobot, also frequently known as Gaobot, is a family of computer worms. Axel "Ago" Gembe, a German programmer also known for leaking Half-Life 2 a year before release, was responsible for writing the first version. The Agobot source code describes it as: “a modular IRC bot for Win32 / Linux”. Agobot was released under version 2 of the GNU General Public License. Agobot is a multi-threaded and mostly object oriented program written in C++ as well as a small amount of assembly. Agobot is an example of a Botnet that requires little or no programming knowledge to use.

Bolgimo is a Win32 computer worm, a self-replicating computer program similar to a computer virus, which propogates by attempting to exploit unpatched Windows computers vulnerable to the DCOM RPC Interface Buffer Overrun Vulnerability using TCP port 445 on a network. The worm was discovered on November 10, 2003 and targets Windows NT, 2000 and XP Operating Systems.

Anti-worm is a computer worm designed to do something that its author feels is helpful, though not necessarily with the permission of the executing computer's owner.

Patch Tuesday is an unofficial term used to refer to when Microsoft regularly releases security patches for its software products. It is widely referred to in this way by the industry. Microsoft formalized Patch Tuesday in October 2003.

Upering is a mass-mailing computer worm. It was isolated in Tacoma, Washington, in the United States, from several submissions from America Online members. As of late 2005, it is listed on the WildList, and has been since 2003.

The Windows Metafile vulnerability—also called the Metafile Image Code Execution and abbreviated MICE—is a security vulnerability in the way some versions of the Microsoft Windows operating system handled images in the Windows Metafile format. It permits arbitrary code to be executed on affected computers without the permission of their users. It was discovered on December 27, 2005, and the first reports of affected computers were announced within 24 hours. Microsoft released a high-priority update to eliminate this vulnerability via Windows Update on January 5, 2006. Attacks using this vulnerability are known as WMF exploits.

William Genovese is a former greyhat hacker turned security professional, who goes by the alias illwill.

Criticism of Windows XP deals with issues with security, performance and the presence of product activation errors that are specific to the Microsoft operating system Windows XP.

The Vundo Trojan is either a Trojan horse or a computer worm that is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites including Google and Facebook. It also is used to deliver other malware to its host computers. Later versions include rootkits and ransomware.

Storm Worm

The Storm Worm is a backdoor Trojan horse that affects computers using Microsoft operating systems, discovered on January 17, 2007. The worm is also known as:

Conficker computer worm

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The Conficker worm infected millions of computers including government, business and home computers in over 190 countries, making it the largest known computer worm infection since the 2003 Welchia.

Sality is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Sality was first discovered in 2003 and has advanced over the years to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network to form a botnet for the purpose of relaying spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks for the purpose of processing intensive tasks. Since 2010, certain variants of Sality have also incorporated the use of rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered to be one of the most complex and formidable forms of malware to date.

Slenfbot is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Slenfbot was first discovered in 2007 and, since then, numerous variants have followed; each with slightly different characteristics and new additions to the worm's payload, such as the ability to provide the attacker with unauthorized access to the compromised host. Slenfbot primarily spreads by luring users to follow links to websites, which contain a malicious payload. Slenfbot propagates via instant messaging applications, removable drives and/or the local network via network shares. The code for Slenfbot appears to be closely managed, which may provide attribution to a single group and/or indicate that a large portion of the code is shared amongst multiple groups. The inclusion of other malware families and variants as well as its own continuous evolution, makes Slenfbot a highly effective downloader with a propensity to cause even more damage to compromised systems.

EternalBlue, sometimes stylized as ETERNALBLUE, is an exploit developed by the U.S. National Security Agency (NSA) according to testimony by former NSA employees. It was leaked by the Shadow Brokers hacker group on April 14, 2017, and was used as part of the worldwide WannaCry ransomware attack on May 12, 2017. The exploit was also used to help carry out the 2017 NotPetya cyberattack on June 27, 2017 and reported to be used as part of the Retefe banking trojan since at least September 5, 2017.

References

  1. Bransford, Gene (2003-12-18). "The Welchia Worm". Global Information Assurance Certification. SANS Institute . Retrieved 2018-11-03.
  2. Naraine, Ryan (2003-08-19). "'Friendly' Welchia Worm Wreaking Havoc". InternetNews.com. Retrieved 2018-11-03.
  3. Labott, Elise (2003-09-24). "'Welchia worm' hits U.S. State Dept. network". CNN . Retrieved 2018-11-03.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.