FanPost

11/12 OT: Nachia worm

Welchia

The Welchia worm, also known as the "Nachia worm", is a computer worm that, like the Blaster worm, exploits a vulnerability in the Microsoft Remote Procedure Call (RPC) service. However, unlike Blaster, it tries to download and install security patches from Microsoft, so it is classified as a helpful worm.

This worm infected systems by exploiting vulnerabilities in Microsoft Windows system code (TFTPD.EXE and TCP on ports 666-765, and a buffer overflow of the RPC on port 135). Its method of infection is to create a remote shell and instruct the system to download the worm by TFTPD.EXE. TFTPD is only on certain operating systems, and, without it, the connection fails at this stage. Specifically, the Welchia worm targeted machines running Windows XP.

Once on the system, the worm would patch the vulnerability it used to gain access (thereby actually securing the system against other attempts to exploit the same method of intrusion) and run its payload, a series of Microsoft patches. It then would attempt to remove the "W32/Lovsan.worm.a" by deleting MSBLAST.EXE. If still in the system, the worm was programmed to self-remove on January 1, 2004, or after 120 days of processing, whichever would have come first.
