Virus Alert: Deloder Worm Connecting Via Port 445
Several antivirus software vendors are issuing alerts today for the Deloder worm (W32/Deloder.A). Deloder originated in China and infects computers running Windows 2000 and XP, according to Panda Software. In order to spread, this malicious code searches across the Internet for computers to which it can connect through port 445. If a successful connection is made, it copies a file called INST.EXE into the Windows Start folder. This file is a Trojan designed to open a backdoor on the computer. Once it has done this, Deloder also copies a file called DVLDR32.EXE onto the infected computer, which contains a copy of the worm.
Similarly, Deloder tries to obtain the names of all the users connected to the same network as the infected computer. After it has done this, it tries to access each computer using a set list of typical passwords. Finally, Deloder disables shared network resources and inserts new entries in the Windows Registry in order to ensure that the worm is run permanently on affected computers.
According to McAfee, Deloder spreads via network shares that are protected by weak passwords. The worm requires Windows NT/2K/XP in order to spread, but the virus can copy itself onto Win9x/ME systems. The worm also drops an installer, which installs BackDoor-ARG and IRC-Pitchfork. The worm copies itself to accessible shares as Dvldr32.exe and uses the Remote Process Launch (PSEXEC.EXE) tool to execute the file remotely. When run, it creates the following registry key value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "messnger" = %worm path%
Sophos says W32/Deloder-A is designed to work primarily on Windows 2000/XP. Read more on this Sophos Web page.
According to F-Secure, Deloder also installs the remote access tool VNC, opening the computer to the world. Most home computers, unlike corporate machines, have port 445 visible and consequently are vulnerable to this worm if the local Administrator account has a weak password.
Once a suitable machine is found, the worm tries to log on to the remote computer using login name Administrator and by trying 50 different passwords. Find out what they are on this F-Secure page.
Deloder.A is difficult to recognize, since it does not display any warnings or messages that indicate that it has infected a computer, according to Panda Software, which has given the worm a very low threat rating. Read statistics here.
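The two host-side indicators the vendors describe above, the "messnger" Run-key value and a burst of failed Administrator logons over port 445, can be checked with a short script. The example below is added here and is not from any of the vendors quoted; the registry export and the authentication log lines are constructed sample data, and the log line format (src=, dport=, user=, result=) is an assumption, not any product's real format.

```python
"""Check a .reg export and authentication log lines for the Deloder indicators described above."""
import re
from collections import Counter

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
VALUE_RE = re.compile(r'"([^"]+)"="(.*)"$')
# Assumed, constructed log line layout; real products log these fields differently.
LOG_RE = re.compile(r"src=(\S+) dport=(\d+) user=(\S+) result=(\S+)")

def find_run_persistence(reg_export: str, value_name: str = "messnger") -> list:
    """Return the data of every Run-key value named value_name (the worm's own misspelling)."""
    hits, in_run_key = [], False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):                     # a new key section begins
            in_run_key = line.strip("[]").lower() == RUN_KEY.lower()
        elif in_run_key:
            m = VALUE_RE.match(line)
            if m and m.group(1).lower() == value_name:
                hits.append(m.group(2).replace("\\\\", "\\"))  # undo .reg backslash doubling
    return hits

def flag_admin_password_guessing(log_lines, threshold: int = 10) -> dict:
    """Count failed Administrator logons on port 445 per source; return sources at or above threshold."""
    failures = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dport, user, result = m.groups()
        if dport == "445" and user.lower() == "administrator" and result == "FAILURE":
            failures[src] += 1
    return {src: n for src, n in failures.items() if n >= threshold}

# Constructed sample registry export: the worm's value sits under Run, a decoy under RunOnce.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"messnger"="C:\\WINNT\\Dvldr32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"messnger"="C:\\unrelated.exe"
"""

# Constructed sample log: one host cycles through passwords for Administrator, another does not.
SAMPLE_LOG = [f"2003-03-10 09:12:{i:02d} src=10.0.0.5 dport=445 user=Administrator result=FAILURE"
              for i in range(12)]
SAMPLE_LOG += ["2003-03-10 09:12:13 src=10.0.0.5 dport=445 user=Administrator result=SUCCESS",
               "2003-03-10 09:14:00 src=10.0.0.9 dport=445 user=Administrator result=FAILURE",
               "2003-03-10 09:15:00 src=10.0.0.9 dport=139 user=jsmith result=FAILURE"]

if __name__ == "__main__":
    print("Run-key persistence:", find_run_persistence(SAMPLE_REG))
    print("Password guessing sources:", flag_admin_password_guessing(SAMPLE_LOG))
```

A matching "messnger" value or a source that fails many Administrator logons over 445 and then succeeds is the pattern worth alerting on; the threshold is deliberately below the 50-password list F-Secure describes so that a partial run is still caught.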
Worm Attempts to Steal MSN Messenger Passwords
W32.Nicehello@mm is a worm that sends itself to all the contacts in the Windows Address Book, according to Symantec. The email has various subjects and attachments. The attachment will have an .exe file extension. W32.Nicehello@mm attempts to steal MSN Messenger passwords.
Read technical details here.
Compiled by Esther Shein.
