Deborm is a network worm. Once the worm gains access to a LAN (local area network), it will keep spreading as long as it can find machines which have writable file shares without a password or with an easily guessable password. Once such computer is found, the worm will make a copy of itself to a startup folder where it will be automatically started after next reboot.
Disinfection & Removal
F-Secure Anti-Virus 5.40 and later versions can detect and rename infected files. It can successfully protect workstations from infection - when the worm attempts to copy a file to startup folder, FSAV will detect and rename that file before it can be activated. FSAV 5.4x also automatically renames backdoors and trojans dropped by the worm.
If you are using FSAV version 5.30 or earlier, then to prevent reinfection in a LAN environment, you might need to take down the network and reconnect machines only once they've been scanned and cleaned if needed. Please note that selection of 'Rename' or 'Delete' disinfection actions might be needed to get rid of worm and backdoor files. In case the infected files are locked, you might need to delete them from pure DOS (in case of Windows 9x systems) or to rename the infected files with different extensions and restart a computer.
The Deborm.Q variant presents an almost identical behavior as the previous ones.
Different worm variants drop different backdoors (hacker's remote access tools) and different trojans to infected systems. For example Deborm.R variant of the worm drops 'Litmus.203' backdoor, an IRC SDBot-based backdoor and a trojan that kills tasks of certain anti-virus and security software. Deborm.R worm tries to copy itself to the following folders on remote computers:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup C:\WINDOWS\Start Menu\Programs\Startup C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup \WINNT\Profiles\All Users\Start Menu\Programs\Startup \WINDOWS\Start Menu\Programs\Startup \Documents and Settings\All Users\Start Menu\Programs\Startup
When the worm is activated, it creates a startup key for its file in System Registry. For example Deborm.R worm creates the following Registry key:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "NAV Live Update" = <path>
where <path> is the location of the worm's file.
Then the worm starts to look for open shares. If it finds 'C$' or 'C' share on a remote computer, it tries to get access to that share by guessing passwords for 'Owner', 'Guest' and 'Administrator' accounts. If the worm succeeds, it connects to that share and copies itself to startup folders there.
Technical Details: Description: Mikko Hypponen, Alexey Podrezov; F-Secure Corp.; May 30th, 2003