Net-Worm:W32/Deloder

Classification

Category :

Malware

Type :

Net-Worm

Aliases :

Deloader

Summary

A worm that replicates by sending complete, independent copies of itself over a network.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Deloder is a network worm infecting Windows machines which have set a weak password to the Administrator account. It also installs remote access tool VNC, opening the computer to the world.

The worm scans random IP addresses, trying to locate Windows machines which have port 445 accessible. Port 445 (Microsoft SMB over TCP/IP) allows outsiders to access Windows file shares. This worm was found around noon GMT on Sunday 9th of March, 2003.

Most corporate machines are protected with centralized or distributed firewalls, which would block access to this port. However, many home computers have this port visible to the world and are vulnerable for this worm if the local administrator account has a weak password.

Propagation

Once a suitable machine is found, the worm tries to log on to the remote computer using login name Administrator and by trying 50 different passwords:

  • (empty)
  • xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  • admin
  • Admin
  • password
  • Password
  • 1
  • 12
  • 123
  • 1234
  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 654321
  • 54321
  • 111
  • 000000
  • 00000000
  • 11111111
  • 88888888
  • pass
  • passwd
  • database
  • abcd
  • abc123
  • oracle
  • sybase
  • 123qwe
  • server
  • computer
  • Internet
  • super
  • 123asd
  • ihavenopass
  • godblessyou
  • enable
  • xp
  • 2002
  • 2003
  • 2600
  • 0
  • 110
  • 111111
  • 121212
  • 123123
  • 1234qwer
  • 123abc
  • 007
  • alpha
  • patrick
  • pat
  • administrator
  • root
  • sex
  • god
  • foobar
  • a
  • aaa
  • abc
  • test
  • test123
  • temp
  • temp123
  • win
  • pc
  • asdf
  • secret
  • qwer
  • yxcv
  • zxcv
  • home
  • xxx
  • owner
  • login
  • Login
  • pwd
  • pass
  • love
  • mypc
  • mypc123
  • admin123
  • pw123
  • mypass
  • mypass123
  • pw

If the login succeeds, the worm copies itself over (usually as INST.EXE) to several Startup folders and adds a key to registry to automatically execute DVLDR32.EXE (which is another copy of the worm).

When the machine is restarted, the worm starts to scan for new hosts to infect.

The main binary of the worm is packed with ASPack, once executed it drops psexec.exe and inst.exe.

The INST.EXE file drops several files into the system. A VNC server composed of the following files:

  • %sysdir%\cygwin1.dll
  • %windir%\Fonts\explorer.exe
  • %windir%\Fonts\omnithread_rt.dll
  • %windir%\Fonts\VNCHooks.dll

The utility:

  • psexec.exe (UPX packed, from sysinternals)

And an IRC backdoor, which will connect to servers from a list of 13, as:

  • %windir%\Fonts\rundll32.exe (UPX packed)

Where %windir% is Windows root directory and %sysdir% is the WindowsSystem directory. The worm creates two keys in the Windows Registry, so that its components will be run next time Windows starts.

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] Explorer = %windir%\Fonts\explorer.exe TaskMan = %windir%\Fonts\rundll32.exe

A side effect of the infection can be that shared folders might not be shared anymore.