New worm reportedly fixes RPC vulnerability

New worm reportedly fixes RPC vulnerability

If you haven't gotten around to patching your systems against MSBlaster, somebody may do it for you. A new worm has been reported that exploits the same vulnerability and installs the Microsoft Corp. patch.

A vulnerability in the Remote Procedure Call function in many Microsoft Windows lets intruders install and execute code on victim computers. Microsoft released a patch for the problem last month, but the MSBlaster worm last week infected hundreds of thousands of unprotected machines.

The new worm, named Welchia, appeared in Asia early Monday, said Ken Dunham, malicious code intelligence manager at iDefense Inc. of Reston, Va.

'Welchia attempts to patch against the RPC vulnerability and then remove itself from the infected computer,' Dunham said. 'It also attempts to remove the original MSBLAST.EXE worm code from the computer.'

Dunham said he has not completed a detailed analysis of the new worm, but by opening a port on a compromised machine it could leave it vulnerable to further exploits.

'Welchia masquerades as a 'good worm,' patching against the vulnerability,' he said. 'In reality, it opens TCP port 707 for an attacker to remotely control the computer.'

The best defense, against both MSBlaster and Welchia, is to install the Microsoft patch yourself.

'Some may call this a good virus, but it can cause all sorts of problems when patches are applied to a computer unbeknownst to the administrator,' Dunham said.

Some systems may have gone unpatched because of conflicts with other software or other compatibility problems. Unauthorized changes also interfere with configuration control.

'It is a breach of your privacy and security at a minimum,' Dunham said.

MSBlaster was programmed to launch a denial-of-service attack Aug. 16 against a Microsoft Web site where patches are available for download. But many administrators had time to remove the infection, and Microsoft removed the IP address from the target site, pulling the worm's teeth. The expected attack became a nonevent, but the worm has continued to spread.

Welchia appears to be programmed to remove itself from an infected computer in 2004. It creates the files DLLHOST.EXE and SVCHOST.EXE in the WINNT\SYSTEM32\WINS directory and opens port 707 on the infected computer. Monitoring TCP ports 707 and 135, which MSBlaster uses, could help identify the presence of malicious code, Dunham said.

About the Author

William Jackson is a Maryland-based freelance writer.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected