The Welchia worm was first noticed on August 18, 2003. By February 26, 2004, Symantec Security Response had downgraded the threat from Category 3 to Category 2. The worm exploited a number of vulnerabilities, including the DCOM RPC vulnerability over TCP port 135 and the WebDAV vulnerability over TCP port 80. It tried to retrieve the DCOM RPC patch from Microsoft’s patch and update server, install it, and then restart the computer. It also looked for active machines to infect by sending ICMP echo requests (pings), which increased ICMP traffic. After doing all this, the worm tried to remove itself, earning it the affectionate handle of “do-gooder.”
Perriot, F. and Knowles, D. W32.Welchia.Worm. [Online, July 28, 2004.] Symantec Security Response Website. http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html.
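
From a defender's side, the behaviour described in this entry (an ICMP echo sweep followed by connections to TCP port 135 or 80 on the machines that were pinged) can be looked for in flow records. The following is an added example, not part of the original entry or of the Symantec write-up; the record layout, the 20-target threshold and the 60-second window are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

def sample_flows():
    """Constructed flow records: (time_s, src, dst, proto, icmp_type_or_tcp_dport)."""
    flows = [(i, "10.0.0.5", f"10.0.1.{i + 1}", "icmp", 8) for i in range(30)]
    flows += [(31, "10.0.0.5", "10.0.1.3", "tcp", 135),
              (32, "10.0.0.5", "10.0.1.7", "tcp", 80)]
    # A host that pings two machines and browses to one of them: not a sweep.
    flows += [(5, "10.0.0.9", "10.0.1.1", "icmp", 8),
              (6, "10.0.0.9", "10.0.1.2", "icmp", 8),
              (7, "10.0.0.9", "10.0.1.1", "tcp", 80)]
    return flows

def find_sweepers(flows, min_targets=20, window=60):
    """Map each sweeping source to the (dst, port) pairs it contacted afterwards.

    A source is a sweeper when it sends ICMP echo requests (type 8) to at least
    min_targets distinct hosts within window seconds (assumed thresholds).
    """
    pings = defaultdict(list)  # src -> [(time, dst)]
    for t, src, dst, proto, info in flows:
        if proto == "icmp" and info == 8:
            pings[src].append((t, dst))

    findings = {}
    for src, echo in pings.items():
        echo.sort()
        sweep_start, lo = None, 0
        for hi in range(len(echo)):
            # Shrink the window from the left until it spans <= window seconds.
            while echo[hi][0] - echo[lo][0] > window:
                lo += 1
            if len({d for _, d in echo[lo:hi + 1]}) >= min_targets:
                sweep_start = echo[lo][0]
                break
        if sweep_start is None:
            continue
        pinged = {d for _, d in echo}
        # Follow-up connections to the two ports named in the entry.
        findings[src] = sorted({(dst, info) for t, s, dst, proto, info in flows
                                if s == src and proto == "tcp" and info in (135, 80)
                                and dst in pinged and t >= sweep_start})
    return findings

if __name__ == "__main__":
    for src, hits in find_sweepers(sample_flows()).items():
        print(src, "swept, then connected to", hits)
```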