Deloder is a network worm that infects Windows machines whose
"Administrator" account has a weak password. It also installs the
VNC remote access tool, opening the computer to the world.
The worm scans random IP addresses, trying to locate Windows
machines which have port 445 accessible. Port 445 (Microsoft SMB
over TCP/IP) allows outsiders to access Windows file shares.
Most corporate machines are protected by centralized or
distributed firewalls, which block access to this port.
However, many home computers have this port visible to the world
and are vulnerable to this worm if the local Administrator
account has a weak password.
Once a suitable machine is found, the worm tries to log on to the
remote computer using the login name Administrator, trying each
password from the following hardcoded list in turn:
"" (empty)
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
"admin"
"Admin"
"password"
"Password"
"1"
"12"
"123"
"1234"
"12345"
"123456"
"1234567"
"12345678"
"123456789"
"654321"
"54321"
"111"
"000000"
"00000000"
"11111111"
"88888888"
"pass"
"passwd"
"database"
"abcd"
"abc123"
"oracle"
"sybase"
"123qwe"
"server"
"computer"
"Internet"
"super"
"123asd"
"ihavenopass"
"godblessyou"
"enable"
"xp"
"2002"
"2003"
"2600"
"0"
"110"
"111111"
"121212"
"123123"
"1234qwer"
"123abc"
"007"
"alpha"
"patrick"
"pat"
"administrator"
"root"
"sex"
"god"
"foobar"
"a"
"aaa"
"abc"
"test"
"test123"
"temp"
"temp123"
"win"
"pc"
"asdf"
"secret"
"qwer"
"yxcv"
"zxcv"
"home"
"xxx"
"owner"
"login"
"Login"
"pwd"
"pass"
"love"
"mypc"
"mypc123"
"admin123"
"pw123"
"mypass"
"mypass123"
"pw"
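The propagation described above (network logons as Administrator from one source, cycling through a fixed password list) leaves a recognizable trace in the target's Security log: a burst of failed network logons for Administrator from a single address, followed by a success if one of the listed passwords matched. The following is an added example, not code from F-Secure's description or from the worm: a small detector run over constructed, simplified log records (timestamp, event ID, logon type, account, source address). Event IDs 4624/4625 and logon type 3 are the values used by Windows Vista and later; the record format, sample addresses and thresholds are this example's own assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Security-log values used by Windows Vista and later; on the Windows 2000/XP
# systems of 2003 the equivalents were events 529 (failure) and 540 (success).
FAILED_LOGON = "4625"
SUCCESSFUL_LOGON = "4624"
NETWORK_LOGON_TYPE = "3"   # SMB logons are logon type 3 (network)

# Constructed sample in a simplified one-record-per-line format:
#   <date> <time> <event id> <logon type> <target account> <source address>
# 192.0.2.10 behaves like Deloder: rapid failures, then a success once a
# password from its list matches. 192.0.2.55 is an operator mistyping once.
SAMPLE_LOG = """\
2003-03-09 12:00:01 4625 3 Administrator 192.0.2.10
2003-03-09 12:00:01 4625 3 Administrator 192.0.2.10
2003-03-09 12:00:02 4625 3 Administrator 192.0.2.10
2003-03-09 12:00:02 4625 3 Administrator 192.0.2.10
2003-03-09 12:00:03 4625 3 Administrator 192.0.2.10
2003-03-09 12:00:03 4625 3 Administrator 192.0.2.10
2003-03-09 12:00:04 4624 3 Administrator 192.0.2.10
2003-03-09 12:05:00 4625 3 Administrator 192.0.2.55
2003-03-09 12:05:30 4624 3 Administrator 192.0.2.55
2003-03-09 12:06:00 4625 3 jsmith 192.0.2.10
"""


def parse_record(line):
    """Split one constructed record into (timestamp, event id, logon type, account, source)."""
    date, time, event_id, logon_type, account, source = line.split()
    return datetime.fromisoformat(f"{date} {time}"), event_id, logon_type, account, source


def find_guessing_bursts(log_text, account="Administrator", threshold=5,
                         window=timedelta(seconds=60)):
    """Return {source: {"failures": n, "compromised": bool}} for every source
    that produced at least `threshold` failed network logons for `account`
    within any `window`-long span. "compromised" is set when the same source
    then logged on successfully as that account after the burst."""
    events_by_source = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, acct, source = parse_record(line)
        if logon_type != NETWORK_LOGON_TYPE or acct != account:
            continue
        events_by_source[source].append((ts, event_id))

    bursts = {}
    for source, events in events_by_source.items():
        events.sort()
        failures = [ts for ts, event_id in events if event_id == FAILED_LOGON]
        burst_end = None
        # Sliding window over failure timestamps: find the first span of
        # `threshold` failures that fits inside `window`.
        for start in range(len(failures)):
            end = start
            while end < len(failures) and failures[end] - failures[start] <= window:
                end += 1
            if end - start >= threshold:
                burst_end = failures[end - 1]
                break
        if burst_end is None:
            continue
        compromised = any(event_id == SUCCESSFUL_LOGON and ts >= burst_end
                          for ts, event_id in events)
        bursts[source] = {"failures": len(failures), "compromised": compromised}
    return bursts


if __name__ == "__main__":
    for source, info in find_guessing_bursts(SAMPLE_LOG).items():
        print(f"{source}: {info['failures']} failed Administrator logons, "
              f"compromised={info['compromised']}")
```

The threshold of five failures in a minute is deliberately low: the worm's whole list fits in a few seconds, so a real attempt produces dozens of failures, while a human typing the wrong password rarely reaches five. A source flagged with compromised=True should be treated as an infected host that now has Administrator access, not just a scanner.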
If the login succeeds, the worm copies itself to the remote machine
(usually as "INST.EXE") into several Startup folders and adds a
Registry key that automatically executes "DVLDR32.EXE" (another copy
of the worm).
When the machine is restarted, the worm starts to scan for new
hosts to infect.
The main binary of the worm is packed with ASPack. Once executed, it drops
"psexec.exe" and "inst.exe".
The INST.EXE file drops several files onto the system. A VNC server,
composed of the following files:
%sysdir%\cygwin1.dll
%windir%\Fonts\explorer.exe
%windir%\Fonts\omnithread_rt.dll
%windir%\Fonts\VNCHooks.dll
The PsExec utility:
psexec.exe (UPX packed, from Sysinternals)
And an IRC backdoor, which connects to one of 13 hardcoded servers, stored as:
%windir%\Fonts\rundll32.exe (UPX packed)
Where "%windir%" is Windows root directory and "%sysdir%" is the Windows
System directory.
The worm adds two values under the following Registry key, so that its
components are run the next time Windows starts:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Explorer" = "%windir%\Fonts\explorer.exe"
"TaskMan" = "%windir%\Fonts\rundll32.exe"
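A host can be checked for the indicators above (the files dropped into %windir%\Fonts and %sysdir%, and the two Run values) with the following added example in Python; it is not F-Secure's tool and not part of the worm. classify() works on data exported from a host or a mounted disk image and runs anywhere; collect_from_host() reads the live Registry and file system and therefore needs Windows. It assumes %sysdir% is %windir%\System32, and it generalises beyond the description by treating any Run value that launches something from the Fonts directory as suspicious, not only the two names the worm uses.

```python
import ntpath
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"   # under HKEY_LOCAL_MACHINE

# Files dropped by INST.EXE, from the description: four in %windir%\Fonts, one in %sysdir%.
FONTS_DROPS = ("explorer.exe", "omnithread_rt.dll", "VNCHooks.dll", "rundll32.exe")
SYSDIR_DROPS = ("cygwin1.dll",)
# The two Run values the worm adds and the path each points at (relative to %windir%).
RUN_DROPS = {"Explorer": r"Fonts\explorer.exe", "TaskMan": r"Fonts\rundll32.exe"}


def indicator_paths(windir, sysdir):
    """Absolute paths of every file indicator for the given %windir% and %sysdir%."""
    paths = [ntpath.join(windir, "Fonts", name) for name in FONTS_DROPS]
    paths += [ntpath.join(sysdir, name) for name in SYSDIR_DROPS]
    return paths


def classify(windir, sysdir, run_values, existing_paths):
    r"""Match collected data against the indicators.

    run_values: {value name: data} read from HKLM\...\Run.
    existing_paths: paths that exist on the host (or in a mounted image).
    Returns (file_hits, run_hits). A Run value is reported if it is one of the
    worm's two values pointing where the worm puts them, or (generalising
    beyond the description) if it launches anything from %windir%\Fonts:
    legitimate software does not run executables from the font folder.
    Comparison is case-insensitive, as on NTFS/FAT."""
    existing = {ntpath.normcase(p) for p in existing_paths}
    fonts_dir = ntpath.normcase(ntpath.join(windir, "Fonts")) + "\\"
    file_hits = [p for p in indicator_paths(windir, sysdir) if ntpath.normcase(p) in existing]

    run_hits = {}
    for name, data in run_values.items():
        target = ntpath.normcase(data.strip().strip('"'))
        known = (name in RUN_DROPS and
                 target == ntpath.normcase(ntpath.join(windir, RUN_DROPS[name])))
        if known or target.startswith(fonts_dir):
            run_hits[name] = data
    return file_hits, run_hits


def collect_from_host():
    r"""Windows only: read the live Run key and test the indicator paths.
    Assumes %sysdir% is %windir%\System32 (true for the 32-bit systems the
    worm targeted)."""
    if sys.platform != "win32":
        raise RuntimeError("collect_from_host() needs Windows; use classify() on exported data")
    import os
    import winreg
    windir = os.environ["SystemRoot"]
    sysdir = ntpath.join(windir, "System32")
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:          # no more values
                break
            run_values[name] = str(data)
            index += 1
    present = [p for p in indicator_paths(windir, sysdir) if os.path.exists(p)]
    return classify(windir, sysdir, run_values, present)


if __name__ == "__main__":
    file_hits, run_hits = collect_from_host()
    for path in file_hits:
        print("file indicator present:", path)
    for name, data in run_hits.items():
        print(f"suspicious Run value {name!r} -> {data}")
    if not file_hits and not run_hits:
        print("no Deloder indicators found")
```

Note that explorer.exe and rundll32.exe are legitimate names in %windir% and %sysdir%; the check keys on their presence in the Fonts directory, which is what distinguishes the worm's copies from the real binaries.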
A side effect of the infection is that shared folders may no longer
be shared.
This worm was found around noon GMT on Sunday 9th of March, 2003.
F-Secure Anti-Virus detects this worm with the updates
published on March 9th, 2003:
[FSAV_Database_Version]
Version=2003-03-09_01
[F-Secure Corp, 9th of March 2003]