[ISN] Deloder worm targets weak passwords

From: InfoSec News (isnat_private)
Date: Tue Mar 11 2003 - 02:46:22 PST

  • Next message: InfoSec News: "[ISN] NSA notches up security credentials"

    By Paul Roberts
    IDG News Service
    A new worm on the Internet targets computers running the Microsoft
    Windows operating system, using easy-to-guess passwords for the
    Administrator account, according to alerts posted by a number of
    antivirus companies.
    The new worm, W32/Deloder-A (Deloder), appeared on Sunday and is
    considered a low risk for infection, according to an alert posted by
    F-Secure of Helsinki, Finland.
    Deloader is believed to have originated in China, F-Secure said.
    The worm attempts to connect to other computers on a network through
    TCP port 445, randomly generating IP addresses to locate vulnerable
    Port 445 is used to access shared files on Windows machines with the
    Server Message Block protocol.
    When a vulnerable Windows machine is located, the worm attempts to log
    on to the machine's Administrator account by trying 50 likely
    passwords such as "admin," "password," "12345," and "administrator,"  
    F-Secure said.
    If the worm succeeds in breaking the Administrator account password,
    it places copies of a backdoor, (trojan) program known as "inst.exe"  
    in several locations on the infected machine.
    The worm also modifies the machine's registry to run another copy of
    itself, "DVLDR32.EXE," according to advisories from F-Secure, Sophos
    and Symantec.
    Machines running Windows 95, 98, NT, 2000, ME and XP are vulnerable to
    attack by Deloder, Symantec said.
    No infections from Deloder have been reported and most firewalls block
    access to port 443. Still, many home computers without firewalls may
    be vulnerable to the new worm.
    As of Monday morning, most antivirus companies posted updated virus
    definitions to detect the new Deloder worm, as well as utilities to
    remove the worm from infected machines.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Mar 11 2003 - 04:58:04 PST