WORM_DELODER.A

Discussion in 'malware problems & news' started by FanJ, Mar 9, 2003.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    As of March 9, 2:49 AM (US Pacific Time), a significant number of infection reports have reached TrendLabs about this new Internet worm, which has been found to be rapidly spreading in China.

    This worm usually arrives bearing the file name, Dvldr32.exe. It uses the valid network utility, psexec.exe, to connect to remote machines via port 445.

    To gain full access, it tries to log on as administrator by trying passwords from a fixed list.

    If the logon attempt is successful, it drops a copy of itself on target machines with a read-only attribute. On remote machines, it drops a backdoor program with the file name, inst.exe, on the following startup folders:

    \%s\C$\WINNT\All Users\Start Menu\Programs\Startup\
    \%s\C\WINDOWS\Start Menu\Programs\Startup\
    \%s\C$\Documents
    Settings\All Users\Start Menu\Programs\Startup\

    (Note: %s is the network name of the remote machine.)

    To enable its automatic execution, this worm creates the following autorun registry entry so that its copy executes at every Windows startup:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    messnger = Dvldr32.exe

    This worm, which runs on Windows 2000 and XP, also disables remote shares.

    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DELODER.A
     
  2. FanJ

    FanJ Guest

  3. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    This bad boy jumped right in and took the place of Bugbear.
    I am getting hammered!
     
  4. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
Thread Status:
Not open for further replies.