The Welchia Virus: How it Works and How to Protect Yourself

Key Points:

• Welchia was successful in ridding the world of the Blaster worm, earning it a reputation for being a helpful worm, also called Nematodes after a species of worm that kills garden pests.
• While Welchia was created to be a helpful worm rather than malware, it did have consequences that threatened system safety for the Navy and businesses alike.
• The only issue to occur due to the Welchia virus was a massive system slowdown due to the resource-intensive nature of the propagation technique used.

What is the Welchia Virus?

The Welchia worm, more commonly known as the Nachi worm, is among the most unique computer viruses as it was created to be helpful rather than harmful. On May 28, 2003, Microsoft released a patch to protect users from an exploit in WebDAV. However, it didn’t take long for cybersecurity researchers from Xfocus to reverse engineer the patch to allow for the worm to attack. Blaster was programmed to start an SYN flood against port 80 of windowsupdate.com to cause a distributed denial-of-service attack (DDoS). Blaster contained two messages. The first said ‘I just want to say LOVE YOU SAN!!’ The second said ‘billy gates why do you make this possible? Stop making money and fix your software!!’.

The Welchia worm exploits the Microsoft remote procedure call (RPC) service much like Blaster. However, the first task it performed was to search for and delete any instance of Blaster on the device. Then, it attempted to download and install security patches from Microsoft that would prevent Blaster from infecting Windows computers again. Welchia was incredibly successful in ridding the world of the Blaster worm, earning Welchia a reputation for being a helpful worm also called Nematodes after a species of worm that kills garden pests.

Microsoft claimed that Welchia wasn’t always successful in applying the security patch. Even if Welchia was intended to be helpful rather than malicious code, Microsoft saw the worm as a nuisance that undermined consumer confidence in Windows. Some security experts believed that Welchia was far too resource-intensive and stated that the cure is worse than the disease. Regardless, Welchia was designed to perform its task and then delete itself at the start of 2004.

Other names for the Welchia virus include:

• MSBLAST.D
• Nachi Worm
• Welchia Worm
• Worm.Blaster.D
• Win32.HLLW.LoveSan.2
• Net-Worm.Win32.Welchia.a
• W32/Nachi.worm.a
• W32/Nachi-A
• W32.Welchia.Worm
• WORM_NACHI.A

How Does the Welchia Virus Work?

The Nachi worm was designed by ‘white hat’ hackers to get rid of another worm known as Blaster, which did contain malicious code. It worked by exploiting the behavior of the DCOM RPC in Microsoft’s Windows operating system. First, a machine being targeted received an ICMP echo request, more commonly called a PING, to see if the IP address is valid. Then, it either used a vulnerability in the DCOM RPC or exploited a separate vulnerability in WebDAV. Once a connection had been established, the attacking machine would create a remote shell on a random port between 666 and 765 to send instructions. In most cases, the 707 port was selected.

From there, the target machine would be instructed to download the worm through trivial file transfer protocol (TFTP) into the system folder subdirectory “Wins” as dllhost.exe and run it. The Nachi worm would then check the system folders for a file named tftpd.exe to ensure that, once the operation was complete, it could send a copy of itself to another computer. After the propagation process was ensured, Welchia moved on to end the MSBLAST process and deleted the MSBLAST.exe file. It checked the registry to see if the RPC vulnerability patch from Microsoft had been installed. If it hadn’t, it would download and install the patch to the computer. Once the entire process was complete, Welchia rebooted the computer to complete the installation.

To remove Blaster completed, the Nachi worm would begin to spread to other Windows computers by selecting IP addresses based on the IP address on the current system. Each IP address would be sent a PING to confirm if there was a machine to infect where the process would repeat. The Nachi worm deleted itself when the year changed to 2004.

Unintended Effects of the Nachi Worm

While Welchia was created to be a helpful worm rather than malware, it did have consequences that threatened system safety for the Navy and businesses alike. IT departments saw it as a huge issue for cybersecurity and gained headaches trying to form prevention protocols. The Nachi worm wasn’t malicious code, but it was incredibly resourced intensive. The infection, or propagation process, caused business servers and Navy servers to be stalled for long enough to be more than a nuisance. With some corporate tasks, the requirement for the server to shut down to complete the infection/installation interrupted important tasks and had unintended effects.

The two most notable unintended effects of the Nachi worm affected the Navy-Marine Corps and the State Department. The Navy intranet was hit hard by the worm as it had no means for prevention or safety if the symptoms of the worm caused a network shutdown, which it did. While it isn’t known how many of the systems were infected by the ‘white hat’ hacker malware worm designed to remove the Blaster worm, it is reported that it caused three-quarters of the Navy’s intranet capacity to be used during the propagation process which rendered the intranet virtually useless for some time.

The State Department network felt the effects even more. The department’s network was forced to shut down for nine hours due to resource usage and the detection of possible malware in the system. The State Department’s Consular Lookout and Support System (CLASS), which holds more than 12.8 million records from the FBI, State Department, U.S. immigration, drug-enforcement, and intelligence agencies were put to a dead stop. As the Nachi worm was detected as a computer virus, the U.S. visa system was forced to place thousands of visa candidates in a state of limbo as the State Department had no safety net in the form of a backup system to handle the issue.

Government representatives never explicitly stated what malicious program had infected their systems. However, there was a message sent to American embassies and consular offices that stated the Welchia virus had been found at one facility. Due to the pertinent need for data safety, the State Department shut down the overall system to isolate and remove the worm.

Symptoms of a Welchia Virus Infection

As the Nachi worm was not created with malicious code, there aren’t a slew of symptoms it caused. The only issue to occur due to the Welchia virus was a massive system slowdown due to the resource-intensive nature of the propagation technique used. It also caused machines to restart once the process of installing Microsoft security updates and patches was completed.

How to Get Rid of the Welchia Virus

The Welchia virus was encoded with instructions to remove itself at the onset of 2004, assuming that by the beginning of that year all instances of the Blaster worm would be eradicated. It completed its job even though it may have upset some business owners, the Navy, and the State Department while doing so. No hacker has repurposed or attempted to recreate the Welchia virus since. In some cases, Antivirus programmers have taken the code to be used for cybersecurity purposes.

The Best Antivirus Software for the Welchia Virus

The Welchia virus was designed as what could be called an ‘antivirus’ virus. It had one specific purpose with coded instructions to remove itself at the start of 2004. Today, any form of antivirus, Windows Defender, or firewall could prevent the worm from proliferating across systems. As its purpose has been fulfilled, there is no need to worry about the prevention or need to get rid of the Nachi worm.

Antiviruses to Consider:

• Bitdefender
• Malwarebytes
• Webroot
• Eset NOD32
• McAfee
• Norton Antivirus

Great Features

Bitdefender Total Security 2023 – Complete Antivirus and Internet Security Suite – 5 Devices | 2 year Subscription | PC/Mac | Activation Code by Mail

$39.99

• Rated #1 by PC Mag for 2023
• Compatible with Windows (8.0, 8.1, 10, and 11), Mac (macOS X Yosemite 10.10 and later), iOS (11.2 and later), and Android (5.0 and later)
• Dedicated browser secures your online transactions
• Advanced features like web protection tools, parental controls, file shredder, firewall, VPN, and anti-tracker
• Will not automatically renew

Buy on Amazon

We earn a commission if you make a purchase, at no additional cost to you.

09/25/2023 06:25 am GMT

Malwarebytes Premium 4.5 Latest Version 2022 Antivirus Software | 5 Device 1 Year (PC, Mac, Android) [software_key_card]

$44.99

• PROTECTS YOUR DEVICES ON MULTIPLE PLATFORMS: Compatible with Windows, Mac, Android devices.
• UNMATCHED THREAT DETECTION: We found malware on 29 percent of devices that already had a third-party antivirus installed. That’s the power of our innovative technology. We block sophisticated...
• INCREDIBLY EASY TO USE: Our simple user interface enables you to fully control your protection to meet your needs without requiring technical expertise. You can schedule scans, adjust protection...
• ADVANCED MALWARE, RANSOMWARE PROTECTION: Helps protect you from websites that download ransomware, steal login credentials, or run scams. Reduces your exposure to hackers and cyberthreats while...
• PROACTIVE EXPLOIT, AND VIRUS PROTECTION: Protection from the financial and reputational risk posed by a ransomware attack. Shields your device and data from vulnerable and unpatched software until it...

Buy on Amazon

We earn a commission if you make a purchase, at no additional cost to you.

09/25/2023 12:03 pm GMT

Webroot Antivirus Software 2023 | 3 Device | 1 Year Download for PC/Mac

$14.98

• POWERFUL, LIGHTNING-FAST ANTIVIRUS: Protects your computer from viruses and malware through the cloud; Webroot scans faster, uses fewer system resources and safeguards your devices in real-time by...
• IDENTITY THEFT PROTECTION: Protects your usernames, account numbers and other personal information against keyloggers, spyware and other online threats targeting valuable personal data
• REAL-TIME ANTI-PHISHING: Proactively scans websites, emails and other communications and warns you of potential danger before you click to effectively stop malicious attempts to steal your personal...
• ALWAYS UP TO DATE: Webroot scours 95% of the Internet three times per day including billions of web pages, files and apps to determine what is safe online and enhances the software automatically...

Buy on Amazon

We earn a commission if you make a purchase, at no additional cost to you.

09/25/2023 10:09 pm GMT

ESET NOD32 Antivirus | 2023 Edition | 1 Device | 1 Year | Antivirus Software | Gamer Mode | Small System Footprint | Official Download with License

$39.99

• Protect your privacy: Your sensitive data, online payments, passwords, smart home, webcam and your children... all that and more is secured with ESET Internet Security.
• Multi-platform protection: Secure all your devices with a single license. No matter if you run on a Mac, Windows, Android or Linux - we got you covered!. .
• Banking and privacy secured: Prevent unauthorized access to your computer and misuse of your data. Stay safe while making online payments and accessing e-wallets.
• Protect your IoT and webcam: Test your home router and smart devices for vulnerabilities. See and block any unexpected access to your webcam.. .
• Legendary antivirus technology: Protect yourself from ransomware and other types of malware with ESET's time-proven multilayered protection, trusted by over 110 million users worldwide.

Buy on Amazon

We earn a commission if you make a purchase, at no additional cost to you.

09/25/2023 06:39 am GMT

McAfee Total Protection 2022 | 5 Device | Antivirus Internet Security Software | VPN, Password Manager, Dark Web Monitoring | 1 Year Subscription | Download Code

$29.99

• AWARD WINNING ANTIVIRUS: Rest easy knowing McAfee’s protecting you from the latest threats
• PROTECT YOUR IDENTITY:  We'll monitor your life online, from bank account numbers, credit cards, to your emails and more.
• BROWSE CONFIDENTLY AND PRIVATELY: Secure VPN keeps your info safe from prying eyes
• SEE HOW SAFE YOU ARE BEING ONLINE: Get your personalized protection score, identify weaknesses and get help to fix them.
• BANK, SHOP and CONNECT WORRY-FREE: be warned about risky websites before you click

Buy on Amazon

We earn a commission if you make a purchase, at no additional cost to you.

09/25/2023 12:33 pm GMT

Excellent Customization Options

Norton AntiVirus Plus, 2023, Antivirus software for 1 Device with Auto-Renewal [Download]

$14.99

• Download and install instantly
• Real-time protection from malware
• Safely and securely store your passwords with password manager
• Firewall blocks unauthorized traffic
• 2GB of PC Cloud backup

Buy Now on Amazon

We earn a commission if you make a purchase, at no additional cost to you.

09/25/2023 03:39 am GMT

Are you interested in learning about other computer viruses? Check out our complete guide!

Up Next…

• The Top 5 Antivirus Programs: Which One is the Best? If you’re worried about cyberthreats, check out our guide to the best antivirus software to keep you safe while browsing the internet.
• What’s the Next Big Thing in Technology? It’s fun to dream about what the next great technological advancement will be. We’ve done some research to fill you in.
• A Guide To Today’s Top Dating Apps: Which Are Best? So you’re single and dreaming of finding “the one?” Check out our list of the best dating apps to help you find Mr. (or Ms.) Right!

The image featured at the top of this post is ©Mega Pixel/Shutterstock.com.