How to Uninstall the Welchia Worm
Also known as the "Nachia worm," the Welchia worm infects computers through network connections. The virus can attack a single computer system or entire networks of computers. This virus is very similar to the MSBlast worm. The Welchia worm exploits the DCOM RPC security vulnerability that is unique to Windows. Although this vulnerability can easily be patched, many computers do not have the patch installed. Read on to learn what to do if your computer is infected by the Welchia worm.
- Difficulty:
- Moderately Easy
Instructions
-
Uninstall the Welchia Worm
-
1
Disconnect your computer from the Internet and any local area network. Click the Start button located at the bottom-left corner of the desktop. When the Start menu opens, click "Run." Type "cmd" in the text field and click "OK." This will open the "Command Prompt."
-
2
Type the following command into the Command Prompt: NET STOP "Network Connections Sharing." Press the Enter key. This will display a message saying that the service has been stopped.
-
3
Type in the following command: NET STOP "WINS Client." Hit the Enter key. Once you have done this, close the Command Prompt.
-
4
Edit your system registry. Click on the Start button. In the Start menu, click "Run." Type "regedit" in the text field and click "OK." This will open the Registry Editor. Use the plus signs to navigate to the following registry entry: HKEY_LOCAL_MACHINE\SYSTEM \CurrentControlSet\Services. Look in the left panel and delete the following subkeys:*RpcPatch *RpcTftpdClose your Registry Editor.
Delete All Potentially Infected Files
-
1
Turn off System Restore before doing this. (See Resources below for how to turn System Restore on and off.) This will ensure that the deleted files won’t be restored.
-
2
Click on the Start button and click "Search." Locate the following files and delete them: *svchost.exe*dllhost.exe
-
3
Empty the Recycle Bin after you do this. The Recycle Bin is typically on your desktop.
-
4
Restart your computer and reconnect the Local Area Connection and other Internet connections.
-
1
Tips & Warnings
Taking advantage of the DCOM RPC Vulnerability, the Welchia worm then uses Trivial File Transfer Protocol to download its files into the computer. The worm then uses the WebDAV exploit to transport itself from system to system.
If you haven’t been infected with the Welchia worm, you may want to download and install the following patches: Welchia patch and WebDAV Exploit patch (See Resources Below).
