W32/Deloder.worm

Type
Virus
SubType
Worm
Discovery Date
03/09/2003
Length
745,984 bytes
Minimum DAT
4252 (03/12/2003)
Updated DAT
4252 (03/12/2003)
Minimum Engine
5.1.00
Description Added
03/09/2003
Description Modified
04/14/2003 8:35 AM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Characteristics

--- Update March 10, 2003 ---
This threat has been updated to a Low-Profiled risk as it has had some media attention.

This worm spreads via network shares that are protected by weak passwords. As such, infected networks will see an increase in traffic on TCP port 445. The worm requires Windows2K/XP in order to spread. The worm also drops an installer, which installs BackDoor-ARG and IRC-Pitchfork.

The worm copies itself to accessible shares as Dvldr32.exe and uses the Remote Process Launch tool (PSEXEC.EXE) to execute the file remotely. When run, it creates the following registry key value:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "messnger" = %worm path%

Symptoms

--- Update April 11, 2003 ---
A new variant has been found. It drops the following files:

File name      File size       Type
Dvldr32.exe    802,824 bytes   the worm
inst.exe       684,562 bytes   trojan dropper RemoteAdmin.dr
hypertrm.exe   241,664 bytes   Remote Administration tool detected as RemoteAdmin.svr
AdmDll.dll      90,112 bytes   file used by RemoteAdmin.svr
raddrv.dll      29,408 bytes   file used by RemoteAdmin.svr
psexec.exe      36,352 bytes   Remote Process Launch application RemoteProcessLaunch (UPX packed and therefore detected as IRC/Flood.i with the 4232 DATs and higher)

The following files are associated with this threat:

File name           File size       Type
cygwin1.dll         944,968 bytes   innocent file, but used by the IRC bot IRC-Pitchfork
dvldr32.exe         745,984 bytes   Worm
explorer.exe        212,992 bytes   Renamed VNC application (see: BackDoor-ARG)
inst.exe            684,562 bytes   BackDoor-ARG dropper
omnithread_rt.dll    57,344 bytes   VNC application
psexec.exe           36,352 bytes   Remote Process Launch application RemoteProcessLaunch (UPX packed and therefore detected as IRC/Flood.i with the 4232 DATs and higher)
rundll32.exe         29,336 bytes   IRC bot IRC-Pitchfork
VNCHooks.dll         32,768 bytes   VNC application

This worm causes unusually high outgoing TCP traffic from an infected system to port 445 on remote machines, as illustrated in the Sniffer Matrix View below:

[Sniffer Matrix View of W32/Deloder.worm TCP traffic]
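The port 445 traffic pattern described above is the worm's most visible network symptom. The following is an added example, not McAfee's code or tooling, that turns it into a simple detection over flow records: it counts how many distinct hosts each source reaches on TCP/445 within a sliding window and flags sources above a threshold. The "epoch src_ip dst_ip dst_port" record format, every address, and the window and threshold values are constructed assumptions to be tuned to the environment.

```python
"""Flag hosts making outbound TCP/445 connections to unusually many peers.

Added example for this description, not McAfee's code or tooling. The flow
record format "epoch src_ip dst_ip dst_port" and every address below are
constructed; the window and threshold values are assumptions to be tuned.
"""
from collections import defaultdict


def parse_flow(line):
    """Split one constructed flow record into (epoch, src, dst, dst_port)."""
    ts, src, dst, port = line.split()
    return int(ts), src, dst, int(port)


def find_smb_scanners(lines, window_seconds=60, min_distinct_targets=20, smb_port=445):
    """Return {src_ip: peak_distinct_targets} for sources that reach at least
    min_distinct_targets different hosts on smb_port within any window_seconds span.

    Counting distinct destinations rather than raw flow counts keeps a busy
    client of a single file server from tripping the rule; a propagating worm
    contacts many different hosts on 445 in a short time.
    """
    by_src = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port = parse_flow(line)
        if port == smb_port:
            by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        # Sliding window anchored at each event; quadratic, but fine for a demo.
        for i, (start_ts, _) in enumerate(events):
            targets = set()
            for ts, dst in events[i:]:
                if ts - start_ts > window_seconds:
                    break
                targets.add(dst)
            peak = max(peak, len(targets))
        if peak >= min_distinct_targets:
            flagged[src] = peak
    return flagged


# Constructed sample: one ordinary client of a file server and one host that
# touches 40 different machines on 445 within 40 seconds.
SAMPLE_FLOWS = [
    "1047200000 10.0.0.5 10.0.0.20 445",
    "1047200001 10.0.0.5 10.0.0.20 445",
    "1047200002 10.0.0.5 10.0.0.21 445",
    "1047200005 10.0.0.77 10.0.2.9 80",      # non-SMB traffic is ignored
] + [f"{1047200010 + i} 10.0.0.77 10.0.1.{i + 1} 445" for i in range(40)]


if __name__ == "__main__":
    for src, peak in find_smb_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {peak} distinct hosts on 445 within 60s, investigate")
```

Distinct-destination counting is the design choice that matters here: a workstation copying files to one server generates many 445 flows to one host, while a propagating worm fans out to many hosts, so the rule separates the two without a per-flow rate limit. Hosts that legitimately fan out on 445 (backup servers, vulnerability scanners, management consoles) need an allow-list.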

Method of Infection

This worm does not function on Win9x/ME/NT systems. When the main worm component is run, it drops a Backdoor trojan installer (INST.EXE) and a Remote Process Launch application. The worm attempts to copy and execute itself on remote systems, via accessible network shares. The worm tries to connect to the IPC$ share and uses the following passwords:

  • 0
  • 000000
  • 00000000
  • 007
  • 1
  • 110
  • 111
  • 111111
  • 11111111
  • 12
  • 121212
  • 123
  • 123123
  • 1234
  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 1234qwer
  • 123abc
  • 123asd
  • 123qwe
  • 2002
  • 2003
  • 2600
  • 54321
  • 654321
  • 88888888
  • a
  • aaa
  • abc
  • abc123
  • abcd
  • Admin
  • admin
  • admin123
  • administrator
  • alpha
  • asdf
  • computer
  • database
  • enable
  • foobar
  • god
  • godblessyou
  • home
  • ihavenopass
  • Internet
  • Login
  • login
  • love
  • mypass
  • mypass123
  • mypc
  • mypc123
  • oracle
  • owner
  • pass
  • passwd
  • Password
  • password
  • pat
  • patrick
  • pc
  • pw
  • pw123
  • pwd
  • qwer
  • root
  • secret
  • server
  • sex
  • super
  • sybase
  • temp
  • temp123
  • test
  • test123
  • win
  • xp
  • xxx
  • yxcv
  • zxcv
The worm also attempts to drop the trojan installer on the remote system in the following share folders:
  • C$\WINNT\All Users\Start Menu\Programs\Startup\inst.exe
  • C\WINDOWS\Start Menu\Programs\Startup\inst.exe
  • C$\Documents and Settings\All Users\Start Menu\Programs\Startup\inst.exe
The worm also deletes the following shares:
  • C$
  • D$
  • E$
  • F$
  • IPC$
  • ADMIN$
When the DVLDR32.EXE file is run, PSEXEC.EXE and INST.EXE are extracted to the local path.
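The file tables, the Startup-folder drop paths and the "messnger" Run value above are all host-side indicators. The following is an added example, not McAfee's removal tooling, that checks an in-memory snapshot of a host (file paths with sizes, plus the Run key's value names) against those indicators and reports what matches; it runs offline on the constructed snapshot below, and a real collector would walk the disk and read the registry. The file names and sizes come from the description; the snapshot paths and sizes for the benign entries are constructed.

```python
"""Triage a host snapshot against the file, Startup-folder and Run-key
indicators listed in this description.

Added example, not McAfee's removal tooling. It works on an in-memory
snapshot (path -> size, plus Run value names and data) so it runs offline.
The sample snapshot below is constructed.
"""

# File names and sizes from the two tables in the description (both
# Dvldr32.exe builds). Matching on name alone would be useless for
# explorer.exe and rundll32.exe, which are also legitimate Windows binaries,
# so the size has to match as well.
KNOWN_FILES = {
    "dvldr32.exe": {745_984, 802_824},
    "inst.exe": {684_562},
    "psexec.exe": {36_352},
    "explorer.exe": {212_992},
    "rundll32.exe": {29_336},
    "omnithread_rt.dll": {57_344},
    "vnchooks.dll": {32_768},
    "cygwin1.dll": {944_968},
    "hypertrm.exe": {241_664},
    "admdll.dll": {90_112},
    "raddrv.dll": {29_408},
}

# The worm plants inst.exe in the all-users Startup folder; all three drop
# paths in the description contain this fragment.
STARTUP_FRAGMENT = "\\start menu\\programs\\startup\\"
RUN_VALUE_NAME = "messnger"


def file_name(path):
    """Last component of a backslash-separated Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def triage_host(files, run_values):
    """Return a list of (category, detail) findings for one host snapshot.

    files:      {full_path: size_in_bytes}
    run_values: {value_name: data} read from the Run key named above
    """
    findings = []
    for path, size in files.items():
        name = file_name(path)
        if size in KNOWN_FILES.get(name, ()):
            findings.append(("file", path))
        if name == "inst.exe" and STARTUP_FRAGMENT in path.lower():
            findings.append(("startup", path))
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME:
            findings.append(("run_key", f"{name} = {data}"))
    return findings


# Constructed snapshot: a legitimate explorer.exe and rundll32.exe whose
# sizes do not match, a worm copy, inst.exe planted in Startup, the dropped
# psexec.exe, and the persistence value next to one benign Run value.
SAMPLE_FILES = {
    r"C:\WINNT\explorer.exe": 1_032_192,
    r"C:\WINNT\dvldr32.exe": 745_984,
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\inst.exe": 684_562,
    r"C:\WINNT\psexec.exe": 36_352,
    r"C:\WINNT\system32\rundll32.exe": 10_000,
}
SAMPLE_RUN_VALUES = {
    "messnger": r"C:\WINNT\dvldr32.exe",
    "ExampleUpdater": r"C:\Program Files\Example\updater.exe",
}

if __name__ == "__main__":
    for category, detail in triage_host(SAMPLE_FILES, SAMPLE_RUN_VALUES):
        print(f"[{category}] {detail}")
```

Two caveats follow from the description itself. Size matching is brittle across builds (the page already lists two sizes for Dvldr32.exe), so treat a name-only hit on dvldr32.exe or inst.exe as worth a look even when the size differs. Conversely, psexec.exe is a legitimate administration tool, so its presence is weak evidence on its own; the Run value and the Startup-folder inst.exe are the stronger signals.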

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Deloder (F-Secure)
  • dlvdr32.exe
  • W32.HLLW.Deloder (Symantec)
  • W32/Deloder-A (Sophos)
  • Worm.Win32.Deloder (AVP)
  • WORM_DELODER.A (Trend)
