Welchia

Alias: Nachi worm
Type: Computer worm
Origin: 2003
Platform: Microsoft Windows

Welchia, also known as the "Nachi worm", is a computer worm that exploits a vulnerability in the Microsoft remote procedure call (RPC) service, like the Blaster worm. Unlike Blaster, however, it first searches for and deletes Blaster if it is present, then tries to download and install security patches from Microsoft that would prevent further infection by Blaster, so it is classified as a helpful worm. Welchia did succeed in deleting Blaster, but Microsoft stated that it was not always successful in applying the security patch.

Technical details

This worm infected systems by exploiting vulnerabilities in Microsoft Windows system code: it relies on TFTPD.EXE, on TCP ports 666–765, and on a buffer overflow in the RPC service on port 135. Its method of infection is to create a remote shell on the target and, through that shell, instruct the system to download the worm using TFTP.EXE. Specifically, the Welchia worm targeted machines running Windows XP. The worm used ICMP, and in some instances flooded networks with enough ICMP traffic to cause problems on its own.

Once on the system, the worm patches the vulnerability it used to gain access (thereby actually securing the system against other attempts to exploit the same method of intrusion) and runs its payload, a series of Microsoft patches. It then attempts to remove the Blaster worm by deleting MSBLAST.EXE. If still on the system, the worm is programmed to remove itself on January 1, 2004, or after 120 days of running, whichever comes first.
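The behaviour described above gives a defender a sequence to look for in flow logs: heavy ICMP from one host, a connection to TCP/135 on a target, a follow-on connection to a TCP port in the 666–765 range, and a TFTP transfer. The script below is an added example written for this article; it is not code from the page, from Microsoft, or from any Welchia analysis. It runs two detections over constructed flow records. Its assumptions, none of which the article states, are that the worm's ICMP use shows up as an echo-request sweep, that the newly compromised host pulls the worm body from the infecting host over UDP/69 (the natural reading of "instruct the system to download the worm"), and the thresholds of 20 distinct targets within 10 seconds and a 60-second gap between chain steps.

```python
"""Flag Welchia-style activity in network flow records.

Added example for this article; it is not code from the page or from any
Welchia sample analysis.  Everything below runs offline on constructed data.
Assumptions (not stated on the page): the ICMP usage is an echo-request
sweep, the new victim pulls the worm from the infecting host over TFTP
(UDP/69), and the thresholds are illustrative.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float            # seconds since epoch (constructed)
    proto: str           # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: int           # destination port; 0 for ICMP
    icmp_type: int = -1  # 8 = echo request; -1 for non-ICMP


RPC_PORT = 135                  # RPC buffer overflow on TCP/135 (from the article)
SHELL_PORTS = range(666, 766)   # remote shell on TCP 666-765 (from the article)
TFTP_PORT = 69                  # TFTP.EXE fetch of the worm body (UDP/69, assumed)
ICMP_ECHO_REQUEST = 8


def icmp_sweeps(flows, min_targets=20, window=10.0):
    """Return {src: peak distinct targets} for sources that send echo requests
    to at least `min_targets` distinct hosts within any `window`-second span."""
    by_src = defaultdict(list)
    for f in flows:
        if f.proto == "icmp" and f.icmp_type == ICMP_ECHO_REQUEST:
            by_src[f.src].append((f.ts, f.dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()   # dst -> echo requests inside the sliding window
        lo = 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[lo][0] > window:   # drop events that fell out
                old_dst = events[lo][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                lo += 1
            if len(in_window) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(in_window))
    return hits


def infection_chains(flows, max_gap=60.0):
    """Return [(attacker, victim, ts)] where, in time order and within `max_gap`
    seconds of each step: attacker->victim TCP/135, attacker->victim TCP 666-765,
    then victim->attacker UDP/69 (the TFTP pull of the worm body)."""
    rpc, shell, found = {}, {}, []
    for f in sorted(flows, key=lambda f: f.ts):
        pair = (f.src, f.dst)
        if f.proto == "tcp" and f.dport == RPC_PORT:
            rpc[pair] = f.ts
        elif f.proto == "tcp" and f.dport in SHELL_PORTS:
            if pair in rpc and f.ts - rpc[pair] <= max_gap:
                shell[pair] = f.ts
        elif f.proto == "udp" and f.dport == TFTP_PORT:
            pair = (f.dst, f.src)            # reversed: victim pulls from attacker
            if pair in shell and f.ts - shell[pair] <= max_gap:
                found.append((pair[0], pair[1], f.ts))
                del shell[pair]
    return found


# Constructed sample: 10.0.0.5 sweeps a /24 and then works one responder;
# 10.0.0.9 is an admin host whose pings and lone RPC call are benign.
SAMPLE_FLOWS = (
    [Flow(100.0 + i * 0.05, "icmp", "10.0.0.5", f"10.0.1.{i}", 0, 8) for i in range(1, 31)]
    + [Flow(100.0 + i, "icmp", "10.0.0.9", f"10.0.2.{i}", 0, 8) for i in range(1, 4)]
    + [Flow(103.0, "tcp", "10.0.0.5", "10.0.1.7", 135),
       Flow(103.4, "tcp", "10.0.0.5", "10.0.1.7", 707),
       Flow(104.2, "udp", "10.0.1.7", "10.0.0.5", 69),
       Flow(105.0, "tcp", "10.0.0.9", "10.0.2.1", 135)]
)


def report(flows):
    """Combine both detections into one dict suitable for a SOC alert."""
    return {"icmp_sweeps": icmp_sweeps(flows),
            "infection_chains": infection_chains(flows)}


if __name__ == "__main__":
    print(report(SAMPLE_FLOWS))
```

The two detections are deliberately independent: the sweep detector catches the noisy scanning phase even when the exploit traffic is not logged, while the chain correlator ties a successful compromise to a specific attacker and victim pair and ignores ordinary RPC traffic that has no shell or TFTP step after it. Tune `min_targets`, `window` and `max_gap` against your own network's baseline before using this shape of logic in production.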
In September 2003, the worm was discovered on the US State Department's computer network, which was shut down for 9 hours for remediation.

See also

Blaster (computer worm)
Sasser (computer worm)
Helpful worm
Timeline of notable computer viruses and worms

References

1. Bransford, Gene (2003-12-18). "The Welchia Worm". Global Information Assurance Certification. SANS Institute. Retrieved 2018-11-03.
2. Naraine, Ryan (2003-08-19). "'Friendly' Welchia Worm Wreaking Havoc". InternetNews.com. Retrieved 2018-11-03.
3. Labott, Elise (2003-09-24). "'Welchia worm' hits U.S. State Dept. network". CNN. Retrieved 2018-11-03.

External links

Symantec information on Welchia / Nachi
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.