
VIRUS ANALYSIS 1 THE WORMPIRE STRIKES BACK

Abstract

It took less than six months before W32/Welchia (see VB, October 2003, p.10) returned to plague us. The new version has been upgraded to attack different worms and exploit more vulnerabilities. Once again, the author of the worm intended to make a 'good' worm, disregarding the master's warning: 'A Jedi uses the Force for knowledge and defence, never for attack.' When Welchia.B first runs on a machine, it checks for the presence of a mutex called 'WksPatch_Mutex', and aborts if the mutex already exists, in order to avoid running multiple instances of itself. After creating its mutex, the worm attempts to open a service called 'WksPatch' and query its status. If this service is set to start automatically, then the worm attempts to delete a file called 'svchost.exe' and start the service. Otherwise, the worm copies itself to the '%system%\drivers' directory as 'svchost.exe', and creates a service called 'WksPatch', using a random display name.