The Welchia Virus: How it Works and How to Protect Yourself

Key Points:
  • Welchia was successful in ridding the world of the Blaster worm, earning it a reputation as a helpful worm, a class also called nematodes after a species of worm that kills garden pests.
  • While Welchia was created to be a helpful worm rather than malware, it did have consequences that threatened system safety for the Navy and businesses alike.
  • The only issue to occur due to the Welchia virus was a massive system slowdown due to the resource-intensive nature of the propagation technique used.

What is the Welchia Virus?

Created to remove the Blaster worm, the Welchia virus was quickly reverse-engineered by cybersecurity researchers.

The Welchia worm, more commonly known as the Nachi worm, is among the most unusual computer viruses because it was created to be helpful rather than harmful. On May 28, 2003, Microsoft released a patch to protect users from an exploit in WebDAV. However, it didn’t take long for cybersecurity researchers from Xfocus to reverse engineer the patch, which allowed the Blaster worm to attack. Blaster was programmed to start a SYN flood against port 80 of windowsupdate.com to cause a distributed denial-of-service (DDoS) attack. Blaster contained two messages. The first said ‘I just want to say LOVE YOU SAN!!’ The second said ‘billy gates why do you make this possible? Stop making money and fix your software!!’.

The Welchia worm exploits the Microsoft remote procedure call (RPC) service much like Blaster does. However, the first task it performed was to search for and delete any instance of Blaster on the device. Then it attempted to download and install the security patch from Microsoft that would prevent Blaster from infecting the Windows computer again. Welchia was remarkably successful in ridding the world of the Blaster worm, earning it a reputation as a helpful worm, a class also called nematodes after a species of worm that kills garden pests.

Microsoft claimed that Welchia wasn’t always successful in applying the security patch. Even though Welchia was intended to be helpful rather than malicious code, Microsoft saw the worm as a nuisance that undermined consumer confidence in Windows. Some security experts believed that Welchia was far too resource-intensive and stated that the cure was worse than the disease. Regardless, Welchia was designed to perform its task and then delete itself at the start of 2004.

Other names for the Welchia virus include:

  • Nachi Worm
  • Welchia Worm
  • Worm.Blaster.D
  • Win32.HLLW.LoveSan.2
  • Net-Worm.Win32.Welchia.a
  • W32/Nachi.worm.a
  • W32/Nachi-A
  • W32.Welchia.Worm

How Does the Welchia Virus Work?

The Nachi worm was designed by ‘white hat’ hackers to get rid of another worm known as Blaster, which did contain malicious code. It worked by exploiting the DCOM RPC service in Microsoft’s Windows operating system. First, a targeted machine received an ICMP echo request, more commonly called a PING, to check whether the IP address belonged to a live host. Then the worm either used a vulnerability in DCOM RPC or exploited a separate vulnerability in WebDAV. Once a connection had been established, the attacking machine would open a remote shell on a random port between 666 and 765 to send instructions. In most cases, port 707 was selected.

From there, the target machine was instructed to download the worm over the Trivial File Transfer Protocol (TFTP) into the system folder subdirectory “Wins” as dllhost.exe and run it. The Nachi worm then checked the system folders for a file named tftpd.exe to ensure that, once the operation was complete, it could send a copy of itself to another computer. With propagation ensured, Welchia moved on to terminate the MSBLAST process and delete the MSBLAST.exe file. It checked the registry to see whether the RPC vulnerability patch from Microsoft had been installed; if it hadn’t, it downloaded and installed the patch. Once the entire process was complete, Welchia rebooted the computer to finish the installation.

To remove Blaster completely, the Nachi worm then spread to other Windows computers by selecting IP addresses based on the IP address of the current system. Each address was sent a PING to confirm there was a machine to infect, and the process repeated. The Nachi worm deleted itself when the year changed to 2004.
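The network stages described above (an ICMP sweep, a connection to the RPC service followed by a shell port in the 666-765 range, and a TFTP fetch of the binary) leave a recognisable footprint in flow logs. The detector below is an added example, not code from the original article or from the worm itself; it runs over a constructed, simplified flow-log format (the `SAMPLE_LOG` text, its field layout and the sweep threshold are assumptions) and flags any source host that shows at least two of those stages.

```python
import re
from collections import defaultdict

SHELL_PORTS = range(666, 766)   # 666-765 inclusive, as described in the article
RPC_PORT = 135                  # DCOM RPC service
TFTP_PORT = 69                  # TFTP, used to pull the worm binary to the victim
SWEEP_THRESHOLD = 5             # distinct echo-request targets from one host (assumed)

# Constructed sample flow log (not real traffic): "time proto src -> dst[:port] note"
SAMPLE_LOG = """\
12:00:01 ICMP 10.0.5.20 -> 10.0.5.1 echo-request
12:00:01 ICMP 10.0.5.20 -> 10.0.5.2 echo-request
12:00:01 ICMP 10.0.5.20 -> 10.0.5.3 echo-request
12:00:01 ICMP 10.0.5.20 -> 10.0.5.4 echo-request
12:00:02 ICMP 10.0.5.20 -> 10.0.5.5 echo-request
12:00:02 ICMP 10.0.5.20 -> 10.0.5.6 echo-request
12:00:03 TCP 10.0.5.20 -> 10.0.5.6:135 syn
12:00:03 TCP 10.0.5.20 -> 10.0.5.6:707 syn
12:00:04 UDP 10.0.5.6 -> 10.0.5.20:69 rrq
12:00:05 ICMP 10.0.5.33 -> 10.0.5.1 echo-request
12:00:06 TCP 10.0.5.33 -> 10.0.5.1:80 syn
"""
LINE_RE = re.compile(r"^(?P<time>\S+) (?P<proto>ICMP|TCP|UDP) (?P<src>[\d.]+) -> "
                     r"(?P<dst>[\d.]+)(?::(?P<port>\d+))? ?(?P<note>.*)$")

def parse_line(line):
    """Parse one constructed flow record into a dict, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"]) if rec["port"] else None
    return rec

def analyze(log_text):
    """Return {source_ip: set of stage names} for hosts showing >= 2 Welchia stages."""
    echo_targets = defaultdict(set)   # src -> destination addresses it pinged
    stages = defaultdict(set)         # src -> propagation stages observed
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, port = rec["src"], rec["dst"], rec["port"]
        if rec["proto"] == "ICMP" and rec["note"] == "echo-request":
            echo_targets[src].add(dst)
            if len(echo_targets[src]) >= SWEEP_THRESHOLD:
                stages[src].add("icmp_sweep")
        elif rec["proto"] == "TCP" and port == RPC_PORT:
            stages[src].add("rpc_135")
        elif rec["proto"] == "TCP" and port in SHELL_PORTS:
            stages[src].add("shell_port_666_765")
        elif rec["proto"] == "UDP" and port == TFTP_PORT:
            # The TFTP request flows from the victim back to the attacker, so credit dst
            stages[dst].add("tftp_fetch")
    return {src: found for src, found in stages.items() if len(found) >= 2}
```

A single ping or a lone connection to a port in the shell range is not enough on its own; requiring two stages from the same source keeps ordinary scanners and legitimate TFTP use from tripping the detector.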

While Welchia was created to be a helpful worm, it did threaten system safety for the Navy and countless other businesses.

Unintended Effects of the Nachi Worm

While Welchia was created to be a helpful worm rather than malware, it did have consequences that threatened system safety for the Navy and businesses alike. IT departments saw it as a major cybersecurity issue and struggled to form prevention protocols. The Nachi worm wasn’t malicious code, but it was incredibly resource-intensive. The infection, or propagation process, stalled business and Navy servers for long enough to be more than a nuisance. For some corporate tasks, the requirement that the server shut down to complete the infection/installation interrupted important work and had unintended effects.

The two most notable unintended effects of the Nachi worm affected the Navy-Marine Corps and the State Department. The Navy intranet was hit hard by the worm, as it had no means of prevention or safety if the symptoms of the worm caused a network shutdown, which they did. While it isn’t known how many systems were infected by the ‘white hat’ worm designed to remove Blaster, it is reported that three-quarters of the Navy’s intranet capacity was consumed during the propagation process, which rendered the intranet virtually useless for some time.

The State Department network felt the effects even more. The department’s network was forced to shut down for nine hours due to resource usage and the detection of possible malware in the system. The State Department’s Consular Lookout and Support System (CLASS), which holds more than 12.8 million records from the FBI, State Department, U.S. immigration, drug-enforcement, and intelligence agencies, was brought to a dead stop. As the Nachi worm was detected as a computer virus, the U.S. visa system was forced to leave thousands of visa candidates in limbo, because the State Department had no safety net in the form of a backup system to handle the issue.

Government representatives never explicitly stated what malicious program had infected their systems. However, a message sent to American embassies and consular offices stated that the Welchia virus had been found at one facility. Due to the pressing need for data safety, the State Department shut down the overall system to isolate and remove the worm.

Symptoms of a Welchia Virus Infection

As the Nachi worm was not created with malicious code, it did not cause many symptoms. The only issue to occur due to the Welchia virus was a massive system slowdown caused by the resource-intensive nature of its propagation technique. It also caused machines to restart once the process of installing Microsoft security updates and patches was completed.

How to Get Rid of the Welchia Virus

The Welchia virus was encoded with instructions to remove itself at the onset of 2004, on the assumption that by the beginning of that year all instances of the Blaster worm would be eradicated. It completed its job, even though it may have upset some business owners, the Navy, and the State Department while doing so. No hacker has repurposed or attempted to recreate the Welchia virus since. In some cases, antivirus programmers have taken the code to be used for cybersecurity purposes.

The Best Antivirus Software for the Welchia Virus

The Welchia virus was designed as what could be called an ‘antivirus’ virus. It had one specific purpose with coded instructions to remove itself at the start of 2004. Today, any form of antivirus, Windows Defender, or firewall could prevent the worm from proliferating across systems. As its purpose has been fulfilled, there is no need to worry about the prevention or need to get rid of the Nachi worm.


Frequently Asked Questions

How does a Welchia virus work?

The Welchia virus was designed to find every computer it could by sending PINGs to the IP addresses of other networked devices. Once the PING confirmed the IP address as a valid computer, it would choose one of two exploits to gain access to the target computer: either a vulnerability in DCOM RPC or a vulnerability in WebDAV. Whichever method succeeded, once installed the worm would patch that vulnerability to prevent further attacks.

The Nachi worm would then install tftpd.exe to travel to the next computer and make its way to every device connected to the internet. Once the means of propagation was secured, the Welchia virus sought out and destroyed any instance of the Blaster worm on the target device. The worm would then begin the process of moving to the next computer, repeatedly. This was intended to remove the Blaster worm from existence completely. The hacker behind the code also wrote instructions for the worm to remove itself at the start of 2004, putting an end to both the Blaster worm and the Welchia virus.

How can you protect yourself from a Welchia virus?

The Welchia virus was a one-off event that was never intended to be replicated. There is no need to worry about it in the modern-day other than as a historical moment for cybersecurity.

Who created the Welchia virus?

To this day, the origin of the Welchia virus is still unknown. The creation and spreading of a computer virus, even one with benevolent intentions, can be considered illegal, especially because it affected State Department systems and the intranet of the Navy. No one has claimed ownership of the code, nor has an origin been identified. The only clues the virus contained were the following text strings:

‘I love my wife & baby 🙂
Welcome Chian
Notice: 2004 will remove myself 🙂
Sorry zhongli’

While this may implicate the creator of the worm as being Chinese, it is not definitively known.

Where does a Welchia virus come from?

There have been no official results of an investigation that could point to the true origin of the Welchia virus. The note contained in the code as a text string may implicate the origin of a Chinese cybersecurity researcher. However, there is no evidence to prove this assertion.

How do worm viruses work?

A computer worm is a type of malware or software that spreads copies of itself from one device to another without the need for human interaction. First, a worm must gain access to a targeted device through a vulnerability. Once access is gained, the worm installs itself in specific locations and gives itself registry key access without the knowledge of the computer’s owner. From that point on, the worm can be programmed to do just about anything, such as depleting system resources, overloading network bandwidth, or modifying/deleting stored data. The only specific function required for malware to be classified as a worm is that it can replicate itself from one computer to another.

When was the Welchia virus created?

The Welchia virus was discovered and likely created in July of 2003. The virus was officially discovered on July 18, 2003. It was also programmed to delete itself at the beginning of 2004.

Who did the Welchia virus affect?

The Welchia virus made its way to nearly every device that was connected to the internet in 2003. It was intended to eradicate the malicious Blaster worm that had found its way to Windows computers and servers through RPC and WebDAV vulnerabilities. Most notably, it caused a serious disruption on the Navy intranet and with the State Department’s CLASS network resulting in a nine-hour shutdown of issuing visas.

What was the Welchia virus created for?

The Welchia virus was created to remove a malicious worm known as the Blaster worm. It did so by using the same vulnerabilities that the Blaster worm did to reach every networked device it could. Once the Welchia virus was installed on a target computer, it patched the vulnerability it used to gain access, removed any instance of the Blaster worm, and began to send itself to the next computer. It was designed to remove itself from existence at the start of the year 2004.