Welchia

[1] This worm infected systems by exploiting vulnerabilities in Microsoft Windows system code (TFTPD.EXE and TCP on ports 666–765, and a buffer overflow in the RPC service on port 135).

Its method of infection is to create a remote shell and instruct the system to download the worm using TFTP.EXE.

Specifically, the Welchia worm targeted machines running Windows XP.

[2] Once on the system, the worm patches the vulnerability it used to gain access (thereby actually securing the system against other attempts to exploit the same method of intrusion) and runs its payload, a series of Microsoft patches.

If still in the system, the worm is programmed to self-remove on January 1, 2004, or after 120 days of processing, whichever comes first.
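
The infection sequence described above (RPC on port 135, a TCP port in the 666–765 range, then a TFTP transfer) can be turned into a simple network detection heuristic. The following is an added example, not code from any Welchia analysis or tool: it correlates constructed flow records per host pair, and the record layout, the 60-second window and the use of UDP port 69 for TFTP are assumptions not stated on this page.

```python
from collections import defaultdict

# Constructed flow records, not real captures:
# (epoch_seconds, src_ip, dst_ip, protocol, dst_port)
SAMPLE_FLOWS = [
    (1000, "10.0.0.5", "10.0.0.9", "tcp", 135),  # RPC contact
    (1002, "10.0.0.9", "10.0.0.5", "tcp", 707),  # port inside 666-765
    (1003, "10.0.0.9", "10.0.0.5", "udp", 69),   # TFTP
    (1010, "10.0.0.7", "10.0.0.9", "tcp", 135),  # RPC alone: no alert
    (2000, "10.0.0.8", "10.0.0.4", "tcp", 135),  # RPC ...
    (9000, "10.0.0.4", "10.0.0.8", "udp", 69),   # ... rest is about two hours later
    (9001, "10.0.0.4", "10.0.0.8", "tcp", 700),
]

STAGES = {"rpc", "shell", "tftp"}
WINDOW = 60  # seconds; assumed correlation window, tune per network


def classify(proto, port):
    """Map a flow to one of the stages named in the article, or None."""
    if proto == "tcp" and port == 135:
        return "rpc"
    if proto == "tcp" and 666 <= port <= 765:
        return "shell"
    if proto == "udp" and port == 69:  # standard TFTP port (not stated on the page)
        return "tftp"
    return None


def find_suspect_pairs(flows, window=WINDOW):
    """Return sorted host pairs that show all three stages within `window` seconds."""
    events = defaultdict(list)
    for ts, src, dst, proto, port in flows:
        stage = classify(proto, port)
        if stage and src != dst:
            # Direction is ignored on purpose: the article does not say which side connects.
            events[tuple(sorted((src, dst)))].append((ts, stage))
    hits = []
    for pair, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            if {s for t, s in evs[i:] if t - start <= window} == STAGES:
                hits.append(pair)
                break
    return sorted(hits)


if __name__ == "__main__":
    print(find_suspect_pairs(SAMPLE_FLOWS))
```

Any single stage is common on a Windows network, so only the combination inside a short window is reported; hits are leads for triage, not confirmed infections.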