Welchia/Nachi Worm: Vigilante or Poor Disguise?

A new worm is on the loose, which exploits the remote procedure call (RPC)/Distributed COM (DCOM) security problem. The worm, Welchia/Nachi, attempts to infiltrate a system and force it to install Microsoft's RPC/DCOM patch, which amounts to vigilantism. But is the worm really trying to protect users?

Reports state that the worm will try to uninstall itself. That seems innocent enough and a decent thing to do after patching somebody's systems. The problem is that not only is the worm an invasion in that users didn't ask for a worm to patch their systems, but also the worm doesn't try to uninstall itself until 2004.

Furthermore, reports state that the worm opens up port 707 without alerting the user. So much for the notion of a benevolent worm—there's no such thing.

According to Network Associates, the worm also creates two files on users' systems in the %systemroot%\System32\Wins directory. The files masquerade as legitimate system files. One file, dllhost.exe, is the worm; another file, svchost.exe, is actually a Trivial FTP (TFTP) program. The two programs are also installed as system services, with the names "Wins Client" and "Network Connections Sharing," which makes it more difficult for someone to recognize the services as Trojan horses.

Obviously the object of the game here isn't to actually protect users by installing patches for them. Instead, the game is to infiltrate vulnerable systems and to patch the door it used to enter the system, locking out any other intruders. King of the hill, with a twist.

Users should consider loading Microsoft's patch to help protect against all intrusion on RPC/DCOM-related ports. However, users who have a firewall in place that blocks the related ports (see the Security UPDATE article "ISC Detects RPC/DCOM Worm"), including the port used by this latest worm (port 707), are probably already protected against intrusion.
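The following host check is an added example written for this article, not code from the original report or from Network Associates. It looks for the artifacts described above (the two files under %systemroot%\System32\Wins, the two service display names, and a listener on port 707); it assumes a current PowerShell host with the NetTCPIP module, and since the article does not state the protocol for port 707, it checks both TCP and UDP.

```powershell
# Added example: hunt for the Welchia/Nachi artifacts named in the article on one
# Windows host. File names, service display names and port 707 come from the
# article; the cmdlets used are standard PowerShell, not tooling from the article.
$findings = @()

# 1. Dropped files masquerading as system binaries under %systemroot%\System32\Wins.
#    Genuine dllhost.exe/svchost.exe live in System32 itself, not in a Wins subfolder.
$winsDir = Join-Path $env:SystemRoot 'System32\Wins'
foreach ($name in 'dllhost.exe', 'svchost.exe') {
    $path = Join-Path $winsDir $name
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += "File present: $path (SHA256 $hash)"
    }
}

# 2. Services registered under the worm's innocuous display names, or any service
#    whose binary is launched from the Wins directory regardless of its name.
$suspectNames = @('Wins Client', 'Network Connections Sharing')
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $byName = $svc.DisplayName -in $suspectNames
    $byPath = $svc.PathName -and ($svc.PathName -like '*\System32\Wins\*')
    if ($byName -or $byPath) {
        $findings += "Service: '$($svc.DisplayName)' ($($svc.Name)) -> $($svc.PathName) [$($svc.State)]"
    }
}

# 3. Anything listening on port 707 (protocol not stated in the article, so check both).
$tcp = Get-NetTCPConnection -LocalPort 707 -State Listen -ErrorAction SilentlyContinue
foreach ($conn in $tcp) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $findings += "TCP 707 listener: PID $($conn.OwningProcess) ($($proc.ProcessName))"
}
$udp = Get-NetUDPEndpoint -LocalPort 707 -ErrorAction SilentlyContinue
foreach ($ep in $udp) {
    $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
    $findings += "UDP 707 endpoint: PID $($ep.OwningProcess) ($($proc.ProcessName))"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Welchia/Nachi indicators found.'
} else {
    Write-Output 'Possible Welchia/Nachi infection:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated prompt so the service and socket queries see every process; a hit on any of the three checks is grounds to isolate the host and apply the RPC/DCOM patch before cleanup.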
