New worm attempts to remove MyDoom
By William Jackson
Feb 12, 2004
Welchia is up to its old tricks again. The worm first appeared last August in the wake of the MSBlaster worm, in an apparent attempt at automated patching against a serious vulnerability in Microsoft Windows.
A new version, Welchia.b, was reported yesterday by iDefense Inc. of Reston, Va. It exploits the same vulnerability as the first version, but appears to remove the current MyDoom worm from infected machines. It also carries an HTML document with a cryptic political message.
'Welchia.b has a kill date of June 1,' said Ken Dunham, director of malicious code for iDefense. 'This may indicate that a new variant of the worm may be planned for later this year.'
This year has already been a busy one for creators of malicious code and those who try to block it. Multiple variants of the MyDoom worm have swarmed over the Internet to infect vulnerable computers in the last two weeks.
MyDoom.a launched a successful denial-of-service attack against the Web site of SCO Group Inc. of Lindon, Utah, beginning Feb. 1. MyDoom.b continued the assault against SCO and also launched an attack against the Microsoft Web site. The b variant has not gained much traction, however, and has had little effect so far on the site. Both apparently are programmed to cease attacks today.
Microsoft this week announced a critical vulnerability in most versions of its Windows operating systems for servers and desktop computers.
'February 2004 is a black month in the history of computing, and it appears that it's only going to get worse,' Dunham said.
Welchia.b exploits a vulnerability announced last July in Windows Remote Procedure Call. This is the same vulnerability exploited by MSBlaster and Welchia.a. Like its predecessor, the new variant tries to patch that vulnerability, but it also looks for MyDoom versions a and b, attempting to remove them and overwriting the Hosts file to undo damage done by these worms.
That does not mean that Welchia is benign. It also opens TCP port 707, leaving machines vulnerable to further exploits. Unauthorized patching of computers can also cause problems because of software conflicts.
The HTML document contains apparent references to 20th century Japanese militarism.
Welchia.b is not expected to be a serious threat, because most systems have by now patched the RPC vulnerability.
William Jackson is a Maryland-based freelance writer.