W32.Welchia.Worm (and variants)

August 18, 2003

A new worm W32.Welchia.Worm is spreading rapidly around the world and may be present on computers at Virginia Tech. The code can infect Windows 2000 and Windows XP. Users are strongly encouraged to run Live Update to get the latest virus definitions and scan for the worm. Users are also strongly encouraged to visit http://windowsupdate.microsoft.com/ to install any critical updates needed on your computer.

Infection Methods

W32.Welchia.Worm is a worm that will exploit the following vulnerabilities:

This worm will attempt to:

  • Delete the msblast.exe file if present.
  • Download the RPC patch from Windows Update, install it, and reboot.
  • Checks for active machines by sending out pings, resulting in increased network traffic.
  • Installs a TFTP server.

Since this is a worm, it does not travel via e-mail and campus-wide security measures are not effective in preventing infection from this threat.

Removal Tools

Recommended: Download the automatic removal tool for the Welchia Worm.


You can find removal information for this worm at: http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

More information on this worm can be found at the following site:
http://www.sarc.com/avcenter/venc/data/w32.welchia.worm.html