
Deborm

Classification

Category:

Malware

Type:

Worm

Aliases:

  • Deborm
  • Worm.Win32.Deborm
  • W32.Deborm.Worm
  • W32/Deborm.worm

Summary

Deborm is a network worm. Once the worm gains access to a LAN (local area network), it keeps spreading as long as it can find machines that have writable file shares without a password or with an easily guessable password. Once such a computer is found, the worm copies itself to a startup folder, where it will be started automatically after the next reboot.


Technical Details

The Deborm.Q variant behaves almost identically to the previous ones.

Different worm variants drop different backdoors (hacker's remote access tools) and different trojans on infected systems. For example, the Deborm.R variant drops the 'Litmus.203' backdoor, an IRC SDBot-based backdoor, and a trojan that kills tasks of certain anti-virus and security software. The Deborm.R worm tries to copy itself to the following folders on remote computers:

  • C:\Documents and Settings\All Users\Start Menu\Programs\Startup
  • C:\WINDOWS\Start Menu\Programs\Startup
  • C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup
  • \WINNT\Profiles\All Users\Start Menu\Programs\Startup
  • \WINDOWS\Start Menu\Programs\Startup
  • \Documents and Settings\All Users\Start Menu\Programs\Startup

When the worm is activated, it creates a startup key for its file in the System Registry. For example, the Deborm.R worm creates the following Registry key:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NAV Live Update" = <path>

where <path> is the location of the worm's file.

Then the worm starts to look for open shares. If it finds a 'C$' or 'C' share on a remote computer, it tries to get access to that share by guessing passwords for the 'Owner', 'Guest' and 'Administrator' accounts. If the worm succeeds, it connects to that share and copies itself to the startup folders there.
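A triage sketch for the Deborm.R traces described above, added here as an example and not part of the original description: it flags file writes that land directly in the listed startup folders, whether recorded as a local path or through a 'C$'/'C' share, and Run entries named "NAV Live Update". The function names and all sample host names, file names and paths are constructed for illustration.

```python
import ntpath

# Folders named on this page for Deborm.R, with the drive prefix removed.
STARTUP_DIRS = {
    r"\documents and settings\all users\start menu\programs\startup",
    r"\windows\start menu\programs\startup",
    r"\winnt\profiles\all users\start menu\programs\startup",
}
RUN_VALUE = "nav live update"  # Run value name listed for Deborm.R


def share_relative(path):
    """Strip the drive letter or UNC host and share, then lowercase."""
    _, tail = ntpath.splitdrive(ntpath.normpath(path))
    return ntpath.normcase(tail)


def in_startup_dir(path):
    """True if the file sits directly in one of the listed startup folders."""
    return ntpath.dirname(share_relative(path)) in STARTUP_DIRS


def triage(file_events, run_values):
    """Return (startup-folder writes, Run entries named 'NAV Live Update')."""
    writes = [p for p in file_events if in_startup_dir(p)]
    runs = {n: v for n, v in run_values.items() if n.strip().lower() == RUN_VALUE}
    return writes, runs


# Constructed sample data: host names, file names and paths are made up.
SAMPLE_EVENTS = [
    r"\\PC-07\C$\WINDOWS\Start Menu\Programs\Startup\update.exe",
    r"\\PC-12\C\Documents and Settings\All Users\Start Menu\Programs\Startup\a.exe",
    r"c:\winnt\profiles\all users\start menu\programs\startup\b.exe",
    r"C:\WINDOWS\Temp\setup.log",
    r"C:\Documents and Settings\alice\Start Menu\Programs\Startup\notes.lnk",
]
SAMPLE_RUN = {
    "NAV Live Update": r"C:\WINDOWS\system32\example.exe",
    "SoundDriver": r"C:\Program Files\Audio\snd.exe",
}

if __name__ == "__main__":
    hits, runs = triage(SAMPLE_EVENTS, SAMPLE_RUN)
    for p in hits:
        print("startup-folder write:", p)
    for name, value in runs.items():
        print("Run entry:", name, "->", value)
```

Legitimate installers also write to these startup folders, so a hit is a lead to check against the file's origin, not a verdict.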
