Search Solo Products, Services and others Overview of the Site Design and Build a Career Contact us for customer service and other feedback info SRN Micro Privacy Statement

 


DLLHOST.EXE PROCESS INFORMATION

Process Name  : dllhost.exe

Process Path : %SYSTEM%\WINS\dllhost.exe [ C:\Windows\System32\WINS\dllhost.exe ]

Process type    : Internet Worm

Malware Name : W32.Welchia.Worm

Alias             : W32/Nachi.Worm, W32/Nachi-A, Lovsan.D,  WORM_MSBLAST.D,  I-Worm/Generic

Threat level : Low

Process Details :

                     Dllhost.exe is the main component dropped by Welchia worm. It is a RPC Worm,  exploits a vulnerability DCOM RPC [ Buffer Overrun In RPC Interface ] to infect target systems. It scans for IP addresses and infects unpatched systems. It kills Blaster Worm and installs security patches in the infected system.

                     Welchia worm copies to Windows System32\WINS folder as DLLHOST.EXE. It also copies tftpd.exe as SVCHOST.exe in the Windows System32\WINS folder. Then it tries to download and install RPC security patches and restarts the system.

                      Welchia worm can be avoided by installing security patches from Microsoft. If you have not installed, you can get a copy at http://www.microsoft.com/technet/security/bulletin/MS03-026.asp The worm infected users will receive the error messages like 

System Shutdown

This system is shutting down. Please save all
work in progress and log off. Any unsaved
changes will be lost. This shutdown was
initiated by NT AUTHORITY\SYSTEM

Time before shutdown : 00:00:59

Message
Windows must now restart because the
Remote Procedure Call (RPC) service
terminated unexpectedly

                      Welchia worm infected systems may reboot every few minutes. This will stop the infected users from downloading security patches and antivirus software. You can disable DCOM temporarily to download patches and antivirus software. After installing security patches and antivirus software, you can enable the distributed COM. 

                      After January 1, 2004, this worm will remove automatically. The worm contains the string

=========== I love my wife & baby :-)~~~ Welcome Chian~~~ Notice: 2004 will remove myself:-)~~ sorry zhongli~~~=========== wins 

How can I protect my system?

                   Solo has incorporated dllhost.exe in its signature file to protect users from this worm attack. Make sure that you have installed registered version of Solo Antivirus to protect your system from all virus threats. 

How to remove this worm?

                   If you are already infected with this worm, download and install security patches from the link http://www.microsoft.com/technet/security/bulletin/MS03-026.asp Then run Solo anti-virus scanner to remove the worm components.

                   Solo antivirus can detect and remove W32.Welchia. Worm and its variants safely. Use the following link to Download 30 day trial version of Solo antivirus to remove viruses from your computer.

                   Solo anti-virus not only scans for all viruses, it contains a unique System Integrity Checker to protect you from New Internet Worms, Backdoors and malicious VB, Java Scripts. It also effectively removes all existing Internet Worms, File viruses, malicious VB, Java scripts, Trojans, Backdoors, boot sector, partition table and macro viruses.

You can purchase Solo antivirus using the link