New worm: W32.Welchia.Worm removes Blaster


The funny thing about the new worm is that it destroys the worm W32.Blaster.Worm/LoveSan. The little worm is called W32.Welchia.Worm, also known as W32/Welchia.worm10240 [AhnLab], W32/Nachi.worm [McAfee], WORM_MSBLAST.D [Trend] and Lovsan.D [F-Secure].

The little worm appears to be quite friendly. It looks for msblast.exe and deletes it, requests the MS03-026 patch from Microsoft, installs it and triggers a reboot. Symantec describes the worm's behaviour in detail as follows:

When W32.Welchia.Worm is executed, it performs the following actions:

Copies the file:

%System%\Dllhost.exe

and registers itself as a service.

NOTE: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Makes a copy of %System%\Dllcache\Tftp.exe, names it Svchost.exe, and copies it to the %System%\Wins folder.

NOTE: Svchost.exe is a legitimate program. It is not malicious and therefore Symantec antivirus products do not detect them. You will have to delete them manually.

Ends the process Msblast.exe, dropped by the W32.Blaster.Worm, if the process is running.

Deletes the Msblast.exe file.

Checks the computer's operating system version and Service Pack number.

Generates an IP address and scans for computers using ICMP ping packets. IP addresses are generated according to the following algorithm: The IP address is in the form of A.B.C.D, where A and B are taken from the Local Area Network. The worm starts C and D at 0, and then increments D by 1, until it reaches 255.
When D reaches 255, it increments C by 1 and resets D to 0.
This pattern continues until the IP address reaches A.B.255.255.
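As an added detection example (not from the original post and not Symantec's code): Python that flags a host whose ICMP echo requests walk its own /16 in ascending address order, the scan pattern described above, run over a constructed log; the "<time> ICMP echo <src> -> <dst>" line format is an assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log in a hypothetical "<time> ICMP echo <src> -> <dst>" format.
SAMPLE_LOG = """\
2003-08-18T10:00:00 ICMP echo 10.1.4.20 -> 10.1.0.0
2003-08-18T10:00:00 ICMP echo 10.1.4.20 -> 10.1.0.1
2003-08-18T10:00:00 ICMP echo 10.1.4.20 -> 10.1.0.2
2003-08-18T10:00:00 ICMP echo 10.1.4.20 -> 10.1.0.3
2003-08-18T10:00:01 ICMP echo 10.1.4.20 -> 10.1.0.4
2003-08-18T10:00:01 ICMP echo 10.1.4.20 -> 10.1.0.5
2003-08-18T10:00:01 ICMP echo 10.1.7.9 -> 10.1.0.1
2003-08-18T10:00:02 ICMP echo 10.1.7.9 -> 192.168.5.5
2003-08-18T10:00:02 ICMP echo 10.1.7.9 -> 10.1.0.2
"""

LINE_RE = re.compile(r"ICMP echo (\S+) -> (\S+)")

def parse_echo_requests(text):
    """Yield (src, dst) IPv4Address pairs for every echo-request line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))

def longest_sequential_run(dsts):
    """Longest run in which each destination is the previous one plus 1.

    Incrementing the 32-bit address value models the worm stepping D from 0
    to 255 and then advancing C, as Symantec describes.
    """
    best = run = 0
    prev = None
    for d in dsts:
        run = run + 1 if prev is not None and int(d) == int(prev) + 1 else 1
        best = max(best, run)
        prev = d
    return best

def find_welchia_like_scanners(text, min_run=5):
    """Return sources that ping at least min_run consecutive addresses in their own /16."""
    per_src = defaultdict(list)
    for src, dst in parse_echo_requests(text):
        # Only destinations inside the sender's /16 count: A.B come from the local network.
        if dst in ipaddress.ip_network(f"{src}/16", strict=False):
            per_src[src].append(dst)
    return sorted(str(s) for s, d in per_src.items() if longest_sequential_run(d) >= min_run)

if __name__ == "__main__":
    print(find_welchia_like_scanners(SAMPLE_LOG))  # ['10.1.4.20']
```

Lower min_run or raise it to tune for your network; legitimate monitoring tools that sweep a subnet will also trip this rule and need an allowlist.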

Sends data to TCP port 135 that may exploit the DCOM RPC vulnerability.

Creates a remote shell on the vulnerable host, and opens a connection to TCP port 707 on the attacking computer.

Launches the TFTP server on the vulnerable host, connects to the attacker, and downloads Dllhost.exe and Svchost.exe.

Attempts to connect to Microsoft's Windows Update and download the DCOM RPC vulnerability patch.

Once the update has been downloaded and executed, the worm will reboot the computer so that the patch is installed.

Checks the computer's system date. If the date is January 1, 2004, the worm will disable itself.

Whether the worm performs any other harmful actions is not yet known. Symantec will investigate and report.

More info
Source