Welchia.L is a worm. Worms spread from computer to computer by copying themselves over the network. They can spread over email, IM, or peer-to-peer networks, or directly over the wire by exploiting vulnerabilities. Welchia.L is compressed using an executable packer and its file size is 14,813 bytes. Welchia.L drops the following files on the hard drive:
  • C:\WINDOWS\system32\drivers\svchost.exe (14813 bytes)
  • C:\WINDOWS\system32\drivers\etc\hosts (35 bytes)
It also changes the Windows registry:
  • Sets value "DisplayName"="Network Logging Messaging" in key "HKLM\System\CurrentControlSet\Services\NsDlRK250".
  • Sets value "\xcc"="" in key "HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32".
Welchia.L configures the following services on NT-based machines:
  • Creates service "WksPatch (Network Logging Messaging)" as "C:\WINDOWS\system32\drivers\svchost.exe".
It creates the following mutex to ensure only one instance is running: WksPatch_Mutex. It also monitors the list of running processes.

