F-Secure Virus Descriptions

NAME:       Deloder
ORIGIN:     China
SIZE:       745984

THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER F-SECURE RADAR.
For more information, see: http://www.F-Secure.com/products/radar/


Deloder is a network worm infecting Windows machines which have set a
weak password to the "Administrator" account.

The worm scans random IP addresses, trying to locate Windows machines
which have port 445 accessible. Port 445 (Microsoft SMB over TCP/IP)
allows outsiders to access Windows file shares.

Most corporate machines are protected with centralized or distributed
firewalls, which would block access to this port. However, many home
computers have this port visible to the world and are vulnerable for
this worm if the local administrator account has a weak password.

Once a suitable machine is found, the worm tries to log on to the
remote computer using login name Administrator and by trying 50
different passwords:

 "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 ""
 "admin"
 "Admin"
 "password"
 "Password"
 "1"
 "12"
 "123"
 "1234"
 "12345"
 "123456"
 "1234567"
 "12345678"
 "123456789"
 "654321"
 "54321"
 "111"
 "000000"
 "00000000"
 "11111111"
 "88888888"
 "pass"
 "passwd"
 "database"
 "abcd"
 "abc123"
 "oracle"
 "sybase"
 "123qwe"
 "server"
 "computer"
 "Internet"
 "super"
 "123asd"
 "ihavenopass"
 "godblessyou"
 "enable"
 "xp"
 "2002"
 "2003"
 "2600"
 "0"
 "110"
 "111111"
 "121212"
 "123123"
 "1234qwer"
 "123abc"
 "007"
 "alpha"
 "patrick"
 "pat"
 "administrator"
 "root"
 "sex"
 "god"
 "foobar"
 "a"
 "aaa"
 "abc"
 "test"
 "test123"
 "temp"
 "temp123"
 "win"
 "pc"
 "asdf"
 "secret"
 "qwer"
 "yxcv"
 "zxcv"
 "home"
 "xxx"
 "owner"
 "login"
 "Login"
 "pwd"
 "pass"
 "love"
 "mypc"
 "mypc123"
 "admin123"
 "pw123"
 "mypass"
 "mypass123"
 "pw"

If the login succeeds, the worm copies itself over (usually as
"INST.EXE") to several Startup folders and adds a key to registry to
automatically execute "DVLDR32.EXE" (which is another copy of the
worm).

When the machine is restarted, the worm starts to scan for new hosts
to infect.

The main binary of the worm is packed with ASPack, once executed it
drops "psexec.exe" and "inst.exe".

The INST.EXE file drops several files into the system. A VNC server
composed of the following files:

 cygwin1.dll
 explorer.exe
 omnithread_rt.dll
 VNCHooks.dll

The utility:

 psexec.exe (UPX packed)

And an IRC backdoor, which will connect to servers from a list of 13, as:

 rundll32.exe (UPX packed)

A side effect of the infection can be that shared folders might not be
shared anymore.

This worm was found around noon GMT on Sunday 9th of March, 2003.

F-Secure Anti-Virus detects this worm with the updates published on
March 9th, 2003:

[FSAV_Database_Version]

Version=2003-03-09_01

[F-Secure Corp, 9th of March 2003]