EVRT™ Virus Advisory issued for Worm/Deloader
Name: Worm/Deloader
Alias: WORM_DELODER.A
Type: Internet Worm
Discovered: March 9, 2003
Size: 745.984 Bytes
Platform: Microsoft Windows 2000/XP and Server 2003
Worm/Deloader is a network-aware Internet worm that spreads via open network
shares. It infects only Windows XP and 2000 systems. It does not run on
Windows 9x machines.
It scans random IP addresses looking for machines that have TCP port 445 open,
which gives users outside the network access to the Windows file shares. On
such a machine it tries to log on as administrator using a list of 85 passwords:
- 0
- 000000
- 00000000
- 007
- 1
- 110
- 111
- 111111
- 11111111
- 12
- 121212
- 123
- 123123
- 1234
- 12345
- 123456
- 1234567
- 12345678
- 123456789
- 1234qwer
- 123abc
- 123asd
- 123qwe
- 2002
- 2003
- 2600
- 54321
- 654321
- 88888888
- a
- aaa
- abc
- abc123
- abcd
- Admin
- admin
- admin123
- administrator
- alpha
- asdf
- computer
- database
- enable
- foobar
- god
- godblessyou
- home
- ihavenopass
- Internet
- Login
- login
- love
- mypass
- mypass123
- mypc
- mypc123
- oracle
- owner
- pass
- passwd
- Password
- password
- pat
- patrick
- pc
- pw
- pw123
- pwd
- qwer
- root
- secret
- server
- sex
- super
- sybase
- temp
- temp123
- test
- test123
- win
- xp
- xxx
- yxcv
- zxcv
If the worm logs on successfully to the remote system, it copies itself
automatically to the following locations, so that it is executed automatically
at the next system start:
- C:/WINDOWS/Start Menu/Programs/Startup/INST.EXE
- C:/WINNT/All user/start Menu/Programs/Startup/INST.EXE
- C:/Documents and Settings/All user/start Menu/Programs/Startup/INST.EXE
By copying over these files, it would allow anyone remote access.
It also copies itself over as the file DVLDR32.EXE.
So that it runs each time a user restarts the computer, the following
registry entry is added:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
messnger = %WurmPfad%/Devldr32.exe
Worm/Deloder then drops the file PSEXEC.EXE into the common directory. This file
is a tool provided by the company Sysinternals and does not have any damaging
functions. Worm/Deloder tries to download a backdoor program from the Internet
and stores it as RUNDLL32.EXE in the Windows system directory.
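
Added example (not part of the original advisory): a host triage check for the persistence artifacts listed above, run over a file listing and the text output of `reg query` for the Run key. The function names, severity labels and sample inputs are assumptions made for this illustration; RUNDLL32.EXE is deliberately not matched by name because Windows ships a legitimate file with that name.

```python
import re
from pathlib import PureWindowsPath

# Indicators from the advisory; Windows names are case-insensitive.
STARTUP_DROP = "inst.exe"                      # copy placed in Startup folders
WORM_COPIES = {"dvldr32.exe", "devldr32.exe"}  # the advisory uses both spellings
RUN_VALUE = "messnger"                         # Run-key value name
CONTEXT_ONLY = {"psexec.exe"}                  # legitimate tool: review, don't convict
RUN_LINE = re.compile(r"^\s+(?P<name>.+?)\s{4}REG_\w+\s{4}(?P<data>.*)$")

def parse_run_key(reg_query_output):
    """Return {value name: data} parsed from `reg query` text output."""
    values = {}
    for line in reg_query_output.splitlines():
        m = RUN_LINE.match(line)
        if m:
            values[m.group("name")] = m.group("data").strip()
    return values

def triage(file_paths, reg_query_output):
    """Return sorted (severity, indicator, evidence) tuples."""
    findings = []
    for raw in file_paths:
        p = PureWindowsPath(raw)
        name = p.name.lower()
        parents = [part.lower() for part in p.parts[:-1]]
        if name == STARTUP_DROP and "startup" in parents:
            findings.append(("high", "startup-drop", raw))
        elif name in WORM_COPIES:
            findings.append(("high", "worm-copy", raw))
        elif name in CONTEXT_ONLY:
            findings.append(("review", "psexec-present", raw))
    for name, data in parse_run_key(reg_query_output).items():
        target = PureWindowsPath(data.strip('"')).name.lower()
        if name.lower() == RUN_VALUE or target in WORM_COPIES:
            findings.append(("high", "run-key", f"{name} = {data}"))
    return sorted(findings)

# Constructed sample inputs (not from a real host).
SAMPLE_FILES = [
    r"C:\Documents and Settings\All user\start Menu\Programs\Startup\INST.EXE",
    r"C:\WINNT\system32\Dvldr32.exe",
    r"C:\Tools\psexec.exe",
    r"C:\WINNT\system32\rundll32.exe",  # legitimate file name, never matched
    r"C:\Temp\inst.exe",                # INST.EXE outside a Startup folder
]
SAMPLE_REG = r"""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Sample Tool    REG_SZ    C:\Program Files\Sample\tool.exe
    messnger    REG_SZ    C:\WINNT\system32\Devldr32.exe"""
```

Calling triage(SAMPLE_FILES, SAMPLE_REG) yields three "high" findings and one "review" finding for PSEXEC.EXE, which on its own only indicates that an administration tool is present.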