Welchia.G is a worm. Worms spread from computer to computer, making copies of themselves over the network. They can spread over email, IM, peer-to-peer networks, or directly over the wire by leveraging vulnerabilities.
Welchia.G has a file size of 13,824 bytes. It drops the following files on the hard drive:
  • c:\sample.exe (13824 bytes)
  • C:\WINDOWS\SYSTEM32\drivers\svchost.exe (13824 bytes)
It also changes the Windows registry:
  • Creates key "HKLM\System\CurrentControlSet\Services\WksPatch".
  • Sets value "ImagePath"="C:\WINDOWS\SYSTEM32\drivers\svchost.exe" in key "HKLM\System\CurrentControlSet\Services\WksPatch".
  • Sets value "DisplayName"="Routing Procedure Messaging" in key "HKLM\System\CurrentControlSet\Services\WksPatch".
Welchia.G configures the following services on NT-based machines:
  • Creates service "WksPatch (Routing Procedure Messaging)" as "C:\WINDOWS\SYSTEM32\drivers\svchost.exe".
  • Creates service "WksPatch (Routing Accounts Client)" as "C:\WINDOWS\SYSTEM32\drivers\svchost.exe".
It creates the following mutex to ensure only one instance is running: WksPatch_Mutex. It also monitors the list of running processes.

