Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » Deloder worm attacking Window systems with weak Admin passwords

Deloder worm attacking Window systems with weak Admin passwords

by Nikola Strahija on March 10th, 2003 Deloder is a network worm infecting Windows machines which have set a weak password to the "Administrator" account. It also installs remote access tool VNC, opening the computer to the world. The worm scans random IP addresses, trying to locate Windows machines which have port 445 accessible. Port 445 (Microsoft SMB over TCP/IP) allows outsiders to access Windows file shares.


Most corporate machines are protected with centralized or distributed firewalls, which would block access to this port. However, many home computers have this port visible to the world and are vulnerable for this worm if the local administrator account has a weak password. Once a suitable machine is found, the worm tries to log on to the remote computer using login name Administrator and by trying 50 different passwords:

If the login succeeds, the worm copies itself over (usually as "INST.EXE") to several Startup folders and adds a key to registry to automatically execute "DVLDR32.EXE" (which is another copy of the worm). When the machine is restarted, the worm starts to scan for new hosts to infect. The main binary of the worm is packed with ASPack, once executed it drops "psexec.exe" and "inst.exe". The INST.EXE file drops several files into the system. A VNC server composed of the following files: cygwin1.dll explorer.exe omnithread_rt.dll VNCHooks.dll The utility: psexec.exe (UPX packed, from sysinternals) And an IRC backdoor, which will connect to servers from a list of 13, as: rundll32.exe (UPX packed) A side effect of the infection can be that shared folders might not be shared anymore. This worm was found around noon GMT on Sunday 9th of March, 2003.


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »