What is the Welchia Virus?

Created to remove the Blaster worm, the Welchia worm was quickly reverse engineered by cybersecurity researchers.

The Welchia worm, more commonly known as the Nachi worm, is among the most unusual computer viruses because it was created to be helpful rather than harmful. On May 28, 2003, Microsoft released a patch to protect users from an exploit in WebDAV. However, it didn’t take long for cybersecurity researchers from Xfocus to reverse engineer the patch, which opened the way for the Blaster worm to attack. Blaster was programmed to start a SYN flood against port 80 of windowsupdate.com to cause a distributed denial-of-service (DDoS) attack. Blaster contained two messages. The first said ‘I just want to say LOVE YOU SAN!!’ The second said ‘billy gates why do you make this possible? Stop making money and fix your software!!’

The Welchia worm exploited the Microsoft remote procedure call (RPC) service much like Blaster. However, the first task it performed was to search for and delete any instance of Blaster on the device. Then, it attempted to download and install security patches from Microsoft that would prevent Blaster from infecting Windows computers again. Welchia was incredibly successful in ridding the world of the Blaster worm, earning it a reputation as a helpful worm, a category also called ‘nematodes’ after a species of worm that kills garden pests.

Microsoft claimed that Welchia wasn’t always successful in applying the security patch. Even if Welchia was intended to be helpful rather than malicious code, Microsoft saw the worm as a nuisance that undermined consumer confidence in Windows. Some security experts believed that Welchia was far too resource-intensive and stated that the cure was worse than the disease. Regardless, Welchia was designed to perform its task and then delete itself at the start of 2004.

Other names for the Welchia virus include:

  • MSBLAST.D
  • Nachi Worm
  • Welchia Worm
  • Worm.Blaster.D
  • Win32.HLLW.LoveSan.2
  • Net-Worm.Win32.Welchia.a
  • W32/Nachi.worm.a
  • W32/Nachi-A
  • W32.Welchia.Worm
  • WORM_NACHI.A

How Does the Welchia Virus Work?

The Nachi worm was designed by ‘white hat’ hackers to get rid of another worm known as Blaster, which did contain malicious code. It worked by exploiting the behavior of DCOM RPC in Microsoft’s Windows operating system. First, a machine being targeted received an ICMP echo request, more commonly called a PING, to see whether the IP address was valid. Then, the worm either used a vulnerability in DCOM RPC or exploited a separate vulnerability in WebDAV. Once a connection had been established, the attacking machine would create a remote shell on a random port between 666 and 765 to send instructions. In most cases, port 707 was selected.

From there, the target machine would be instructed to download the worm through Trivial File Transfer Protocol (TFTP) into the system folder subdirectory “Wins” as dllhost.exe and run it. The Nachi worm would then check the system folders for a file named tftpd.exe to ensure that, once the operation was complete, it could send a copy of itself to another computer. Once its means of propagation was in place, Welchia moved on to end the MSBLAST process and delete the MSBLAST.exe file. It checked the registry to see if the RPC vulnerability patch from Microsoft had been installed. If it hadn’t, it would download and install the patch on the computer. Once the entire process was complete, Welchia rebooted the computer to finish the installation.

To remove Blaster completely, the Nachi worm would begin to spread to other Windows computers by selecting IP addresses derived from the IP address of the current system. Each IP address would be sent a PING to confirm there was a machine to infect, on which the process would repeat. The Nachi worm deleted itself when the year changed to 2004.
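As an added example (not code from the original page), the following Python heuristic scans constructed flow-log lines for the propagation sequence described above: an ICMP sweep of neighbouring addresses, an RPC or WebDAV connection to one of the pinged hosts, a follow-up connection to a port in the 666 to 765 range, and a TFTP transfer back from the victim. The log format, the port numbers 135 (DCOM RPC) and 80 (WebDAV), and the sweep threshold are assumptions, not details from the page.

```python
from collections import defaultdict
import ipaddress

# Constructed sample flow records, "time src dst proto dport" ("-" for ICMP).
# 10.1.2.50 pings seven neighbours, then exploits .57 and hands it the worm.
SAMPLE_FLOWS = """\
10:00:01 10.1.2.50 10.1.2.51 icmp -
10:00:01 10.1.2.50 10.1.2.52 icmp -
10:00:01 10.1.2.50 10.1.2.53 icmp -
10:00:01 10.1.2.50 10.1.2.54 icmp -
10:00:02 10.1.2.50 10.1.2.55 icmp -
10:00:02 10.1.2.50 10.1.2.56 icmp -
10:00:02 10.1.2.50 10.1.2.57 icmp -
10:00:03 10.1.2.50 10.1.2.57 tcp 135
10:00:04 10.1.2.50 10.1.2.57 tcp 707
10:00:05 10.1.2.57 10.1.2.50 udp 69
10:00:06 10.1.2.9 10.1.2.10 icmp -
10:00:07 10.1.2.9 10.1.2.10 tcp 443
"""

EXPLOIT_PORTS = {135, 80}      # DCOM RPC and WebDAV (assumed port numbers)
SHELL_PORTS = range(666, 766)  # remote shell port range named on the page
TFTP_PORT = 69                 # victim pulls dllhost.exe back over TFTP

def parse_flows(text):
    """Parse the constructed log format into (time, src, dst, proto, dport)."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, proto, dport = line.split()
            flows.append((ts, src, dst, proto, None if dport == "-" else int(dport)))
    return flows

def icmp_sweep_sources(flows, threshold=5):
    """Sources that pinged at least `threshold` distinct hosts in one /24."""
    targets = defaultdict(set)  # (src, /24 network) -> distinct pinged hosts
    for _, src, dst, proto, _ in flows:
        if proto == "icmp":
            net = ipaddress.ip_network(f"{dst}/24", strict=False)
            targets[(src, net)].add(dst)
    return {src for (src, _), hosts in targets.items() if len(hosts) >= threshold}

def welchia_chains(flows, threshold=5):
    """Return (attacker, victim) pairs showing the full sweep/exploit/shell/TFTP chain."""
    sweepers = icmp_sweep_sources(flows, threshold)
    stage = defaultdict(int)  # (attacker, victim) -> last stage seen, in order
    found = []
    for _, src, dst, proto, dport in flows:
        if proto == "tcp" and dport in EXPLOIT_PORTS and src in sweepers and stage[(src, dst)] == 0:
            stage[(src, dst)] = 1  # exploit attempt against a pinged neighbour
        elif proto == "tcp" and dport in SHELL_PORTS and stage[(src, dst)] == 1:
            stage[(src, dst)] = 2  # attacker talks to the remote shell
        elif proto == "udp" and dport == TFTP_PORT and stage[(dst, src)] == 2:
            stage[(dst, src)] = 3  # victim fetches the worm from the attacker
            found.append((dst, src))
    return found

if __name__ == "__main__":
    print(welchia_chains(parse_flows(SAMPLE_FLOWS)))  # [('10.1.2.50', '10.1.2.57')]
```

A host that only sweeps, or only opens port 135, is not reported; the chain must complete through the TFTP pull, which keeps ordinary scanners and RPC traffic out of the result.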

Unintended Effects of the Nachi Worm

While Welchia was created to be a helpful worm rather than malware, it did have consequences that threatened system safety for the Navy and businesses alike. IT departments saw it as a huge issue for cybersecurity and struggled to devise prevention protocols. The Nachi worm wasn’t malicious code, but it was incredibly resource-intensive. The infection, or propagation process, caused business servers and Navy servers to stall for long enough to be more than a nuisance. With some corporate tasks, the requirement for the server to shut down to complete the infection/installation interrupted important work and had unintended effects.

The two most notable unintended effects of the Nachi worm affected the Navy-Marine Corps and the State Department. The Navy intranet was hit hard by the worm, as it had no means of prevention or protection should the worm’s symptoms cause a network shutdown, which they did. While it isn’t known how many of the systems were infected by the ‘white hat’ hacker worm designed to remove the Blaster worm, it is reported that three-quarters of the Navy’s intranet capacity was consumed during the propagation process, which rendered the intranet virtually useless for some time.

The State Department network felt the effects even more. The department’s network was forced to shut down for nine hours due to resource usage and the detection of possible malware in the system. The State Department’s Consular Lookout and Support System (CLASS), which holds more than 12.8 million records from the FBI, State Department, U.S. immigration, drug-enforcement, and intelligence agencies, was brought to a dead stop. As the Nachi worm was detected as a computer virus, the U.S. visa system was forced to place thousands of visa candidates in a state of limbo, as the State Department had no safety net in the form of a backup system to handle the issue.

Government representatives never explicitly stated what malicious program had infected their systems. However, a message sent to American embassies and consular offices stated that the Welchia virus had been found at one facility. Given the pressing need to protect its data, the State Department shut down the overall system to isolate and remove the worm.

Symptoms of a Welchia Virus Infection

As the Nachi worm was not created with malicious code, it caused few symptoms. The only issue to occur due to the Welchia virus was a massive system slowdown, caused by the resource-intensive nature of the propagation technique it used. It also caused machines to restart once the process of installing Microsoft security updates and patches was completed.

How to Get Rid of the Welchia Virus

The Welchia virus was encoded with instructions to remove itself at the onset of 2004, assuming that by the beginning of that year all instances of the Blaster worm would be eradicated. It completed its job, even though it may have upset some business owners, the Navy, and the State Department while doing so. No hacker has repurposed or attempted to recreate the Welchia virus since. In some cases, antivirus programmers have taken the code to be used for cybersecurity purposes.

The Best Antivirus Software for the Welchia Virus

The Welchia virus was designed as what could be called an ‘antivirus’ virus. It had one specific purpose, with coded instructions to remove itself at the start of 2004. Today, any form of antivirus, Windows Defender, or firewall could prevent the worm from proliferating across systems. As its purpose has been fulfilled, there is no need to worry about preventing or removing the Nachi worm.


The Welchia Virus: How It Works and How to Protect Yourself FAQs (Frequently Asked Questions)

How does a Welchia virus work?

The Welchia virus was designed to find every computer it could by sending PINGs to the IP addresses of other networked devices. Once the PING confirmed that the IP address belonged to a live computer, it would choose one of two exploits to gain access to the target computer. It did so either through a vulnerability in DCOM RPC or a vulnerability in WebDAV. Whichever method succeeded, once installed the worm would patch that vulnerability to prevent further attacks.

The Nachi worm would then install tftpd.exe so it could travel to the next computer and make its way to every device connected to the internet. Once the means for propagation was secure, the Welchia virus sought out and destroyed any instance of the Blaster worm on the target device. The worm would then repeat the process on the next computer. This was intended to completely remove the Blaster worm from existence. The hacker behind the code also wrote instructions for the worm to remove itself at the start of 2004, putting an end to both the Blaster worm and the Welchia virus.

How can you protect yourself from a Welchia virus?

The Welchia virus was a one-off event that was never intended to be replicated. There is no need to worry about it today other than as a historical moment for cybersecurity.

Who created the Welchia virus?

To this day, the origin of the Welchia virus is still unknown. The creation and spreading of a computer virus, even one with benevolent intentions, can be considered illegal, especially because it affected State Department systems and the intranet of the Navy. No one has claimed ownership of the code, nor has an origin been identified. The only clue the virus contained was the following text strings:

‘I love my wife & baby :)
Welcome Chian
Notice: 2004 will remove myself :)
Sorry zhongli’

While this may implicate the creator of the worm as being Chinese, it is not definitively known.

Where does a Welchia virus come from?

There have been no official results of an investigation that could point to the true origin of the Welchia virus. The note contained in the code as a text string may point to a Chinese cybersecurity researcher as its origin. However, there is no evidence to prove this assertion.

How do worm viruses work?

A computer worm is a type of malware that spreads copies of itself from one device to another without the need for human interaction. First, a worm must gain access to a targeted device through a vulnerability. Once access is gained, the worm installs itself in specific locations and gives itself registry key access without the knowledge of the computer’s owner. The worm can be programmed to do just about anything from that point on, such as depleting system resources, overloading network bandwidth, or modifying or deleting stored data. The only specific function required for malware to be classified as a worm is that it can replicate itself from one computer to another.

When was the Welchia virus created?

The Welchia virus was discovered and likely created in July of 2003. The virus was officially discovered on July 18, 2003. It was also programmed to delete itself at the beginning of 2004.

Who did the Welchia virus affect?

The Welchia virus made its way to nearly every device that was connected to the internet in 2003. It was intended to eradicate the malicious Blaster worm, which had found its way onto Windows computers and servers through RPC and WebDAV vulnerabilities. Most notably, it caused a serious disruption on the Navy intranet and with the State Department’s CLASS network, resulting in a nine-hour halt to the issuing of visas.

What was the Welchia virus created for?

The Welchia virus was created to remove a malicious worm known as the Blaster worm. It did so by using the same vulnerabilities that the Blaster worm did to reach every networked device it could. Once the Welchia virus was installed on a target computer, it patched the vulnerability it had used to gain access, removed any instance of the Blaster worm, and began to send itself to the next computer. It was designed to remove itself from existence at the start of the year 2004.
