How to Remove Welchia worm
or MSBLAST.D worm virus

What is the Welchia worm aka MSBlast.D, LoveSan.D or Nachia?
The Welchia (MSBLAST.D or Nachi) worm infects machines via network connections. It can attack entire networks of computers or one single computer connected to the Internet. Similar to the original MSBlast worm it exploits a known windows vulnerability that is easily patched, however few systems seem to have this patch installed. It attacks Windows 2000 and Windows XP machines and exploits the DCOM RPC Vulnerablity.  It uses TFTP (Trivial File Transfer Protocol) to download its files into a system. It also exploits one more vulnerability known as the WebDAV exploit to travel from system to system.

Ironically, this worm attempts to patch the RPC DCOM Buffer Overflow. It first checks for the running Windows version and then downloads a patch from Microsoft. In essence this worm patches your computer against the MSBlast.A worm.   When the current system year is 2004, the worm removes itself from the system.

Download the Windows patches for these vulnerabilities by clicking on the links below:

Windows XP: DCOM/RPC Exploit patch

Windows 2000: DCOM/RPC Exploit patch

Windows XP: WebDAV Exploit patch (IIS Remote Exploit from ntdll.dll)

Windows 2000: WebDAV Exploit patch (IIS Remote Exploit from ntdll.dll)

What are the DCOM Vulnerability and WebDAV Exploits?

The DCOM vulnerability in Windows 2000 and XP can allow an attacker to remotely compromise a computer running Microsoft® Windows® and gain complete control over it. The worm causes a buffer overrun in the Remote Procedure Call (RPC) service. When this service is terminated the virus infects the machine and then tries to infect other machines.

The WebDAV exploit is a security issue identified in Microsoft® Windows XP, 2000, and NT running IIS 5.0 that could allow an attacker to take control of your computer. This issue is most likely to affect computers used as Web servers.

How Does the Welchia Worm Infect My Computer?

  1. Copies itself to the Wins directory in the System or System32 folder in Windows usually

    C:\Windows\System32\Wins\Dllhost.exe for Windows XP or

    C:\WinNT\System32\Wins\Dllhost.exe for Windows NT/2000

    There is a legitimate file called Dllhost.exe (about 5-6K) in the System32 directory.
  2. Makes a copy of the TFTP server (TFTPD.exe) from the Dllcache directory to the following directories.

    C:\Windows\System32\Wins\svchost.exe for Windows XP or
    C:\WinNT\System32\Wins\svchost.exe for Windows NT/2000

    NOTE: Svchost.exe is a legitimate program, which is not malicious, found in the System32 directory

  3. Creates the following services:

    Service Name: RpcTftpd
    Display Name: Network Connections Sharing
    File: %System%\wins\svchost.exe

    This service will be set to start manually.

    Service Name: RpcPatch
    Display Name: WINS Client
    File: %System%\wins\dllhost.exe

    This service will be set to start automatically.

  4. Ends the process, MSBLAST, and delete the file %System%\msblast.exe which is dropped by the worm, MSBlast.A. First, it checks the operating system version, then it downloads the appropriate patch from the designated Microsoft Web site. After executing the patch, it reboots the system.

    Some of the patches it downloads into the system are as follows:


    The downloaded patch has the file name, RpcServicePack.exe. This worm deletes this file after it is run.

    Before downloading or installing the patch on the system, this worm first checks if the system has been previously patched by checking for specific registry keys to make sure the patch hasnt been installed.

    The worm travels through a computer network or local area network looking for unpatched and vulnerable machines. The worm will use a ping to determine if the active machine is on a network.Once the worm identifies a machine as being active on the network, it will either send data to TCP port 135, which exploits the DCOM RPC vulnerability, or it will send data to TCP port 80 to exploit the WebDav vulnerability.

    Creates a remote shell on the vulnerable host that will connect back to the attacking computer on a random TCP port between 666 and 765 to receive instructions.

    Launches the TFTP server on the attacking machine, instructs the victim machine to connect and download Dllhost.exe and Svchost.exe from the attacking machine. If the file, %System%\dllcache\tftpd.exe exists, the worm may not download svchost.exe.

How Can I Remove the Welchia or MSBLAST.D worm?

Follow these steps in removing the Welchia or MSBLAST.D worm.

1) Disconnect your computer from the local area network or Internet

2) Terminate the running program

  • Open a command prompt window. Click Start>Run, type CMD and then press the Enter key.
  • At the command prompt, type the following:
    NET STOP "Network Connections Sharing"
  • Press the Enter key. A message should indicate that the service has been stopped successfully.
  • Do the same to stop the following service:
    NET STOP "WINS Client"
  • Close the command prompt window.

3) Remove the Registry Entries

  • Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
  • In the left panel, double-click the following:
  • In the left panel, delete the subkeys:
  • Close Registry Editor.

3) Install the patches for the DCOM RPC Exploit or WebDAV exploit, you can download the patches from the links below before disconnecting

DCOM RPC Exploit

Windows XP Pro/Home Edition

Windows 2000

WebDAV Exploit

Windows XP

Windows 2000

4) Delete the infected files (for Windows ME and XP remember to turn off System Restore before searching for and deleting these files to remove infected backed up files as well)

  • Click Start, point to Find or Search, and then click Files or Folders.
  • Make sure that "Look in" is set to (C:\WINDOWS).
  • In the "Named" or "Search for..." box, type, or copy and paste, the file names:

  • Click Find Now or Search Now.
  • Delete the svchost.exe file in the c:\windows\system32\wins directory
    Delete the dllhost.exe file in the c:\windows\system32\wins directory
  • Empty the Recycle bin.

5) Reboot the computer, reconnect the network, and update your antivirus software, and run a thorough virus scan using your favorite antivirus program.

This worm is similar to the MSBlaster worm, you can find more information about MSBLAST.A by visiting this page


space.gif (58 bytes)


site search by freefind advanced


Tools for Removing Spyware, Adware, and Malware

Other Pages

Spyware/Adware Removal Help

MSBlast.exe Worm Removal

Welchia (Dllhost.exe and SVCHost.exe) Worm Removal

Uninstall McAfee Instructions

Uninstall Norton Instructions

Uninstall Avast Instructions

Uninstall AVG Instructions

Uninstall Antivir Instructions

Uninstall Panda Instructions

How to Manually Run the Microsoft Malicious Software Removal Tool

Bloodhound.Exploit.6 Virus Removal

MyDoom Virus Removal

MiMail.C Virus Removal

Swen Worm Virus Removal

SoBig.F Worm Removal

Dumaru Virus Removal

BugBear.B Worm Removal

SoBig.E Worm Removal

Pop Up Ad Removal Info

KAK Worm Removal

MiMail.A Worm Removal

W95.MTX Virus Removal

Snow White Virus Removal

BadTrans Trojan Removal

Wininit Virus (Bymer Trojan)

Happy99 Worm Removal

VBS Netlog Worm Removal

Pretty Park Worm Removal

Sasser Worm Virus Removal

Backdoor SDBot.H Trojan Removal

VBS.Loveletter Help

Computer Security Information

Back Orifice Information

PC HELL Main Page


iPadastic - News, Tutorials, Help, Tips, and Hints for the iPad

Download Hoyle Games
including Casino 3D, Card, Board, and Solitaire games.

Written by Mark Hasting

Recommended Software for PC Hell Visitors
Malwarebytes Anti-Malware
Malwarebytes Anti-Malware
iolo System Mechanic® - Fix, Speed Up Your PC
iolo System Mechanic®
Emsisoft Anti Malware
Emsisoft Anti Malware
space.gif (58 bytes)


Return to PC Hell
Return to PC Hell