- Welchia was successful in ridding the world of the Blaster worm, earning it a reputation for being a helpful worm, also called Nematodes after a species of worm that kills garden pests.
- While Welchia was created to be a helpful worm rather than malware, it did have consequences that threatened system safety for the Navy and businesses alike.
- The only issue to occur due to the Welchia virus was a massive system slowdown due to the resource-intensive nature of the propagation technique used.
What is the Welchia Virus?
The Welchia worm, more commonly known as the Nachi worm, is among the most unique computer viruses as it was created to be helpful rather than harmful. On May 28, 2003, Microsoft released a patch to protect users from an exploit in WebDAV. However, it didn’t take long for cybersecurity researchers from Xfocus to reverse engineer the patch to allow for the worm to attack. Blaster was programmed to start an SYN flood against port 80 of windowsupdate.com to cause a distributed denial-of-service attack (DDoS). Blaster contained two messages. The first said ‘I just want to say LOVE YOU SAN!!’ The second said ‘billy gates why do you make this possible? Stop making money and fix your software!!’.
The Welchia worm exploits the Microsoft remote procedure call (RPC) service much like Blaster. However, the first task it performed was to search for and delete any instance of Blaster on the device. Then, it attempted to download and install security patches from Microsoft that would prevent Blaster from infecting Windows computers again. Welchia was incredibly successful in ridding the world of the Blaster worm, earning Welchia a reputation for being a helpful worm also called Nematodes after a species of worm that kills garden pests.
Microsoft claimed that Welchia wasn’t always successful in applying the security patch. Even if Welchia was intended to be helpful rather than malicious code, Microsoft saw the worm as a nuisance that undermined consumer confidence in Windows. Some security experts believed that Welchia was far too resource-intensive and stated that the cure is worse than the disease. Regardless, Welchia was designed to perform its task and then delete itself at the start of 2004.
Other names for the Welchia virus include:
- Nachi Worm
- Welchia Worm
How Does the Welchia Virus Work?
The Nachi worm was designed by ‘white hat’ hackers to get rid of another worm known as Blaster, which did contain malicious code. It worked by exploiting the behavior of the DCOM RPC in Microsoft’s Windows operating system. First, a machine being targeted received an ICMP echo request, more commonly called a PING, to see if the IP address is valid. Then, it either used a vulnerability in the DCOM RPC or exploited a separate vulnerability in WebDAV. Once a connection had been established, the attacking machine would create a remote shell on a random port between 666 and 765 to send instructions. In most cases, the 707 port was selected.
From there, the target machine would be instructed to download the worm through trivial file transfer protocol (TFTP) into the system folder subdirectory “Wins” as dllhost.exe and run it. The Nachi worm would then check the system folders for a file named tftpd.exe to ensure that, once the operation was complete, it could send a copy of itself to another computer. After the propagation process was ensured, Welchia moved on to end the MSBLAST process and deleted the MSBLAST.exe file. It checked the registry to see if the RPC vulnerability patch from Microsoft had been installed. If it hadn’t, it would download and install the patch to the computer. Once the entire process was complete, Welchia rebooted the computer to complete the installation.
To remove Blaster completed, the Nachi worm would begin to spread to other Windows computers by selecting IP addresses based on the IP address on the current system. Each IP address would be sent a PING to confirm if there was a machine to infect where the process would repeat. The Nachi worm deleted itself when the year changed to 2004.
Unintended Effects of the Nachi Worm
While Welchia was created to be a helpful worm rather than malware, it did have consequences that threatened system safety for the Navy and businesses alike. IT departments saw it as a huge issue for cybersecurity and gained headaches trying to form prevention protocols. The Nachi worm wasn’t malicious code, but it was incredibly resourced intensive. The infection, or propagation process, caused business servers and Navy servers to be stalled for long enough to be more than a nuisance. With some corporate tasks, the requirement for the server to shut down to complete the infection/installation interrupted important tasks and had unintended effects.
The two most notable unintended effects of the Nachi worm affected the Navy-Marine Corps and the State Department. The Navy intranet was hit hard by the worm as it had no means for prevention or safety if the symptoms of the worm caused a network shutdown, which it did. While it isn’t known how many of the systems were infected by the ‘white hat’ hacker malware worm designed to remove the Blaster worm, it is reported that it caused three-quarters of the Navy’s intranet capacity to be used during the propagation process which rendered the intranet virtually useless for some time.
The State Department network felt the effects even more. The department’s network was forced to shut down for nine hours due to resource usage and the detection of possible malware in the system. The State Department’s Consular Lookout and Support System (CLASS), which holds more than 12.8 million records from the FBI, State Department, U.S. immigration, drug-enforcement, and intelligence agencies were put to a dead stop. As the Nachi worm was detected as a computer virus, the U.S. visa system was forced to place thousands of visa candidates in a state of limbo as the State Department had no safety net in the form of a backup system to handle the issue.
Government representatives never explicitly stated what malicious program had infected their systems. However, there was a message sent to American embassies and consular offices that stated the Welchia virus had been found at one facility. Due to the pertinent need for data safety, the State Department shut down the overall system to isolate and remove the worm.
Symptoms of a Welchia Virus Infection
As the Nachi worm was not created with malicious code, there aren’t a slew of symptoms it caused. The only issue to occur due to the Welchia virus was a massive system slowdown due to the resource-intensive nature of the propagation technique used. It also caused machines to restart once the process of installing Microsoft security updates and patches was completed.
How to Get Rid of the Welchia Virus
The Welchia virus was encoded with instructions to remove itself at the onset of 2004, assuming that by the beginning of that year all instances of the Blaster worm would be eradicated. It completed its job even though it may have upset some business owners, the Navy, and the State Department while doing so. No hacker has repurposed or attempted to recreate the Welchia virus since. In some cases, Antivirus programmers have taken the code to be used for cybersecurity purposes.
The Best Antivirus Software for the Welchia Virus
The Welchia virus was designed as what could be called an ‘antivirus’ virus. It had one specific purpose with coded instructions to remove itself at the start of 2004. Today, any form of antivirus, Windows Defender, or firewall could prevent the worm from proliferating across systems. As its purpose has been fulfilled, there is no need to worry about the prevention or need to get rid of the Nachi worm.
Antiviruses to Consider:
- Rated #1 by PC Mag for 2023
- Compatible with Windows (8.0, 8.1, 10, and 11), Mac (macOS X Yosemite 10.10 and later), iOS (11.2 and later), and Android (5.0 and later)
- Dedicated browser secures your online transactions
- Advanced features like web protection tools, parental controls, file shredder, firewall, VPN, and anti-tracker
- Will not automatically renew
- PROTECTS YOUR DEVICES ON MULTIPLE PLATFORMS: Compatible with Windows, Mac, Android devices.
- UNMATCHED THREAT DETECTION: We found malware on 29 percent of devices that already had a third-party antivirus installed. That’s the power of our innovative technology. We block sophisticated...
- INCREDIBLY EASY TO USE: Our simple user interface enables you to fully control your protection to meet your needs without requiring technical expertise. You can schedule scans, adjust protection...
- ADVANCED MALWARE, RANSOMWARE PROTECTION: Helps protect you from websites that download ransomware, steal login credentials, or run scams. Reduces your exposure to hackers and cyberthreats while...
- PROACTIVE EXPLOIT, AND VIRUS PROTECTION: Protection from the financial and reputational risk posed by a ransomware attack. Shields your device and data from vulnerable and unpatched software until it...
- POWERFUL, LIGHTNING-FAST ANTIVIRUS: Protects your computer from viruses and malware through the cloud; Webroot scans faster, uses fewer system resources and safeguards your devices in real-time by...
- IDENTITY THEFT PROTECTION: Protects your usernames, account numbers and other personal information against keyloggers, spyware and other online threats targeting valuable personal data
- REAL-TIME ANTI-PHISHING: Proactively scans websites, emails and other communications and warns you of potential danger before you click to effectively stop malicious attempts to steal your personal...
- ALWAYS UP TO DATE: Webroot scours 95% of the Internet three times per day including billions of web pages, files and apps to determine what is safe online and enhances the software automatically...
- Protects you against all types of malware, including viruses, ransomware, rootkits, worms and spyware.
- Simple reliable protection. Protects your private data from ransomware and phishing with easy-to-use internet security.
- Light footprint & won't slow you down. Enjoy the full power of your computer. Play, work and browse the internet without slowdowns.
- MCAFEE TOTAL PROTECTION IS ALL-IN-ONE PROTECTION – antivirus, security, identity, and privacy protection for 5 devices for 1 year
- SECURE VPN – Stay private and secure on public Wi-Fi with VPN that can connect automatically when you need it
- MONITOR UP TO 10 EMAILS ON THE DARK WEB - If your info is found we'll notify you so you can act before your info ends up in the wrong hands
- CHECK THE HEALTH OF YOUR ONLINE PROTECTION – our industry-first Protection Score will identify weak spots and guide you to improve your security
- PASSWORD MANAGER - Secure your accounts by generating and storing complex passwords and auto-filling your info for faster logins across devices
- Download and install instantly
- Real-time protection from malware
- Safely and securely store your passwords with password manager
- Firewall blocks unauthorized traffic
- 2GB of PC Cloud backup
Are you interested in learning about other computer viruses? Check out our complete guide!
- The Top 5 Antivirus Programs: Which One is the Best? If you’re worried about cyberthreats, check out our guide to the best antivirus software to keep you safe while browsing the internet.
- What’s the Next Big Thing in Technology? It’s fun to dream about what the next great technological advancement will be. We’ve done some research to fill you in.
- A Guide To Today’s Top Dating Apps: Which Are Best? So you’re single and dreaming of finding “the one?” Check out our list of the best dating apps to help you find Mr. (or Ms.) Right!
The image featured at the top of this post is ©Mega Pixel/Shutterstock.com.