New worm reportedly fixes RPC vulnerability

New worm reportedly fixes RPC vulnerability

If you haven't gotten around to patching your systems against MSBlaster, somebody may do it for you. A new worm has been reported that exploits the same vulnerability and installs the Microsoft Corp. patch.

A vulnerability in the Remote Procedure Call function in many Microsoft Windows lets intruders install and execute code on victim computers. Microsoft released a patch for the problem last month, but the MSBlaster worm last week infected hundreds of thousands of unprotected machines.

The new worm, named Welchia, appeared in Asia early Monday, said Ken Dunham, malicious code intelligence manager at iDefense Inc. of Reston, Va.

'Welchia attempts to patch against the RPC vulnerability and then remove itself from the infected computer,' Dunham said. 'It also attempts to remove the original MSBLAST.EXE worm code from the computer.'

Dunham said he has not completed a detailed analysis of the new worm, but by opening a port on a compromised machine it could leave it vulnerable to further exploits.

'Welchia masquerades as a 'good worm,' patching against the vulnerability,' he said. 'In reality, it opens TCP port 707 for an attacker to remotely control the computer.'

The best defense, against both MSBlaster and Welchia, is to install the Microsoft patch yourself.

'Some may call this a good virus, but it can cause all sorts of problems when patches are applied to a computer unbeknownst to the administrator,' Dunham said.

Some systems may have gone unpatched because of conflicts with other software or other compatibility problems. Unauthorized changes also interfere with configuration control.

'It is a breach of your privacy and security at a minimum,' Dunham said.

MSBlaster was programmed to launch a denial-of-service attack Aug. 16 against a Microsoft Web site where patches are available for download. But many administrators had time to remove the infection, and Microsoft removed the IP address from the target site, pulling the worm's teeth. The expected attack became a nonevent, but the worm has continued to spread.

Welchia appears to be programmed to remove itself from an infected computer in 2004. It creates the files DLLHOST.EXE and SVCHOST.EXE in the WINNT\SYSTEM32\WINS directory and opens port 707 on the infected computer. Monitoring TCP ports 707 and 135, which MSBlaster uses, could help identify the presence of malicious code, Dunham said.

About the Author

William Jackson is a Maryland-based freelance writer.


  • automated processes (Nikolay Klimenko/

    How the Army’s DORA bot cuts manual work for contracting professionals

    Thanks to robotic process automation, the time it takes Army contracting professionals to determine whether prospective vendors should receive a contract has been cut from an hour to just five minutes.

  • Russia prying into state, local networks

    A Russian state-sponsored advanced persistent threat actor targeting state, local, territorial and tribal government networks exfiltrated data from at least two victims.

Stay Connected