What is the Welchia Virus?
The Welchia worm, more commonly known as the Nachi worm, is one of the more unusual computer viruses in that it was created to be helpful rather than harmful. On May 28, 2003, Microsoft released a patch to protect users from an exploit in WebDAV. However, it didn’t take long for cybersecurity researchers from Xfocus to reverse engineer the patch to allow for the worm to attack. Blaster, the worm Welchia was written to remove, was programmed to start a SYN flood against port 80 of windowsupdate.com to cause a distributed denial-of-service attack (DDoS). Blaster contained two messages. The first said ‘I just want to say LOVE YOU SAN!!’ The second said ‘billy gates why do you make this possible? Stop making money and fix your software!!’.
The Welchia worm exploits the Microsoft remote procedure call (RPC) service much like Blaster. However, the first task it performed was to search for and delete any instance of Blaster on the device. Then, it attempted to download and install security patches from Microsoft that would prevent Blaster from infecting Windows computers again. Welchia was incredibly successful in ridding the world of the Blaster worm, earning it a reputation as a helpful worm. Such worms are also called nematodes, after a species of worm that kills garden pests.
Microsoft claimed that Welchia wasn’t always successful in applying the security patch. Even if Welchia was intended to be helpful rather than malicious code, Microsoft saw the worm as a nuisance that undermined consumer confidence in Windows. Some security experts believed that Welchia was far too resource-intensive and stated that the cure is worse than the disease. Regardless, Welchia was designed to perform its task and then delete itself at the start of 2004.
Other names for the Welchia virus include:
- Nachi Worm
- Welchia Worm
How Does the Welchia Virus Work?
The Nachi worm was designed by ‘white hat’ hackers to get rid of another worm known as Blaster, which did contain malicious code. It worked by exploiting the behavior of the DCOM RPC in Microsoft’s Windows operating system. First, a machine being targeted received an ICMP echo request, more commonly called a PING, to see if the IP address was valid. Then, the worm either used a vulnerability in the DCOM RPC or exploited a separate vulnerability in WebDAV. Once a connection had been established, the attacking machine would create a remote shell on a random port between 666 and 765 to send instructions. In most cases, port 707 was selected.
From there, the target machine would be instructed to download the worm through trivial file transfer protocol (TFTP) into the system folder subdirectory “Wins” as dllhost.exe and run it. The Nachi worm would then check the system folders for a file named tftpd.exe to ensure that, once the operation was complete, it could send a copy of itself to another computer. After the propagation process was ensured, Welchia moved on to end the MSBLAST process and deleted the MSBLAST.exe file. It checked the registry to see if the RPC vulnerability patch from Microsoft had been installed. If it hadn’t, it would download and install the patch to the computer. Once the entire process was complete, Welchia rebooted the computer to complete the installation.
With the removal of Blaster completed, the Nachi worm would begin to spread to other Windows computers by selecting IP addresses based on the IP address of the current system. Each IP address would be sent a PING to confirm whether there was a machine to infect, and if so the process would repeat there. The Nachi worm deleted itself when the year changed to 2004.
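The network sequence described above (a PING sweep, then a shell on a TCP port between 666 and 765, then a TFTP transfer) can be correlated in flow logs. The following is an added example, not code from the worm or from any vendor; the log format, the sample records, and the sweep threshold are constructed for illustration, and UDP port 69 is the standard TFTP port.

```python
import csv, io

SHELL_PORTS = range(666, 766)  # page: shell port chosen between 666 and 765
TFTP_PORT = 69                 # standard TFTP port (UDP)
SWEEP_THRESHOLD = 5            # assumed: distinct PING targets that count as a sweep

# Constructed sample flow log: time, src, dst, proto, dst_port ("-" for ICMP echo)
SAMPLE = """\
0,10.0.0.9,10.0.0.1,icmp,-
1,10.0.0.5,10.0.0.10,icmp,-
2,10.0.0.5,10.0.0.11,icmp,-
3,10.0.0.5,10.0.0.12,icmp,-
4,10.0.0.5,10.0.0.13,icmp,-
5,10.0.0.5,10.0.0.14,icmp,-
6,10.0.0.5,10.0.0.15,icmp,-
7,10.0.0.12,10.0.0.5,tcp,707
8,10.0.0.12,10.0.0.5,udp,69
9,10.0.0.5,10.0.0.14,tcp,700
10,10.0.0.9,10.0.0.2,tcp,443
11,10.0.0.20,10.0.0.21,udp,69
"""

def analyze(log_text, sweep_threshold=SWEEP_THRESHOLD):
    """Return {scanner: {"pinged": n, "likely_infected": [targets]}}."""
    rows = sorted(csv.reader(io.StringIO(log_text)), key=lambda r: float(r[0]))
    pinged = {}                 # scanner -> set of hosts it sent echo requests to
    shell, tftp = set(), set()  # (scanner, target) pairs that reached each stage
    for _, src, dst, proto, port in rows:
        if proto == "icmp":
            pinged.setdefault(src, set()).add(dst)
            continue
        # Follow-up traffic may flow in either direction between the two hosts
        for scanner, target in ((src, dst), (dst, src)):
            if target not in pinged.get(scanner, ()):
                continue  # no earlier PING from scanner to target
            if proto == "tcp" and int(port) in SHELL_PORTS:
                shell.add((scanner, target))
            elif (proto == "udp" and int(port) == TFTP_PORT
                  and (scanner, target) in shell):
                tftp.add((scanner, target))  # TFTP seen after the shell stage
    return {s: {"pinged": len(t),
                "likely_infected": sorted(x for x in t if (s, x) in tftp)}
            for s, t in pinged.items() if len(t) >= sweep_threshold}

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

A host that only received the shell-range connection (10.0.0.14 in the sample) is not reported, since the download step described above never followed.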
Unintended Effects of the Nachi Worm
While Welchia was created to be a helpful worm rather than malware, it did have consequences that threatened system safety for the Navy and businesses alike. IT departments saw it as a huge cybersecurity issue and struggled to put prevention protocols in place. The Nachi worm wasn’t malicious code, but it was incredibly resource-intensive. The infection, or propagation process, caused business servers and Navy servers to be stalled for long enough to be more than a nuisance. With some corporate tasks, the requirement for the server to shut down to complete the infection/installation interrupted important tasks and had unintended effects.
The two most notable unintended effects of the Nachi worm affected the Navy-Marine Corps and the State Department. The Navy intranet was hit hard by the worm, as it had no means of prevention or safety if the symptoms of the worm caused a network shutdown, which they did. While it isn’t known how many of the systems were infected by the ‘white hat’ hacker malware worm designed to remove the Blaster worm, it is reported that it caused three-quarters of the Navy’s intranet capacity to be used during the propagation process, which rendered the intranet virtually useless for some time.
The State Department network felt the effects even more. The department’s network was forced to shut down for nine hours due to resource usage and the detection of possible malware in the system. The State Department’s Consular Lookout and Support System (CLASS), which holds more than 12.8 million records from the FBI, State Department, U.S. immigration, drug-enforcement, and intelligence agencies, was brought to a dead stop. As the Nachi worm was detected as a computer virus, the U.S. visa system was forced to place thousands of visa candidates in a state of limbo, as the State Department had no safety net in the form of a backup system to handle the issue.
Government representatives never explicitly stated what malicious program had infected their systems. However, there was a message sent to American embassies and consular offices that stated the Welchia virus had been found at one facility. Due to the pertinent need for data safety, the State Department shut down the overall system to isolate and remove the worm.
Symptoms of a Welchia Virus Infection
As the Nachi worm was not created with malicious code, there aren’t a slew of symptoms it caused. The only issue to occur due to the Welchia virus was a massive system slowdown due to the resource-intensive nature of the propagation technique used. It also caused machines to restart once the process of installing Microsoft security updates and patches was completed.
How to Get Rid of the Welchia Virus
The Welchia virus was encoded with instructions to remove itself at the onset of 2004, assuming that by the beginning of that year all instances of the Blaster worm would be eradicated. It completed its job even though it may have upset some business owners, the Navy, and the State Department while doing so. No hacker has repurposed or attempted to recreate the Welchia virus since. In some cases, antivirus programmers have taken the code to be used for cybersecurity purposes.
The Best Antivirus Software for the Welchia Virus
The Welchia virus was designed as what could be called an ‘antivirus’ virus. It had one specific purpose with coded instructions to remove itself at the start of 2004. Today, any form of antivirus, Windows Defender, or firewall could prevent the worm from proliferating across systems. As its purpose has been fulfilled, there is no need to worry about the prevention or need to get rid of the Nachi worm.