W32/Deborm.worm.gen

Type
Virus
SubType
Internet Worm
Discovery Date
03/09/2003
Length
varies
Minimum DAT
4253 (03/19/2003)
Updated DAT
4314 (01/14/2004)
Minimum Engine
5.1.00
Description Added
03/12/2003
Description Modified
01/16/2004 10:58 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

-- Update May 16, 2003 --
This family of worms is expanding extremely rapidly (39 variants currently) and new variants are constantly being covered by our generic detection. For up-to-date protection from the latest variants you have to use the latest DATs.
--

W32/Deborm.worm is a file-share propagating worm targeting Microsoft Windows NT, W2K and XP machines. There are many versions of this share-propagating worm, so this description is meant only as a guide.

Some variants will not run on Windows 9x/ME due to the worm importing a function from NETAPI32.DLL. (Other variants do not import this function.)

Early Variants

Initial variants of this worm consisted of a dropper which dropped and executed various other components. These included a batch script (for connecting to remote machines), an application to launch processes on remote machines (the RemoteProcessLaunch application) and an IRC bot (which is launched remotely on the remote machine). The batch script drives propagation, attempting to connect to remote shares using various usernames and passwords. Example accounts used include:

  • Administrator
  • wwwadmin
  • database
  • user

With passwords such as:

  • "" (blank)
  • user
  • admin
  • admin123
  • password
  • administrator
  • changeme
  • 123
  • 1234
  • 12345
  • 123456
  • 654321
  • test

Later Variants

Later variants do not rely upon a batch script for connecting to remote machines.

When the worm is run on the victim machine, it sets the following startup hook:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"NAV Live Update" = (path to worm)

The worm will drop (and execute) other malware on the victim machine, for example IRC-Sdbot, BackDoor-JZ ("BackDoor.Litmus"), or ProcKill-AF. For example, the following files are dropped by one variant:

  • IRC-Sdbot : %SysDir%\EXPLORER .EXE (12,832 bytes)
  • BackDoor-JZ : C:\WINNT\LITMUS\SVCHOST32.EXE (17,440 bytes)
  • ProcKill-AF : C:\WINDOWS\Winlogon.exe (17,410 bytes)

Such files dropped in testing were already detected by McAfee products using the specified engine/DATs (or greater).

Additional system modifications associated with the dropped malware will also occur on the victim machine - see the separate descriptions for such startup hooks etc.

Network Propagation

The worm scans the local network (by sweeping contiguous IP addresses) for machines present on the network. Once a system is found, the worm tries to connect to the 'IPC$' and/or 'C$' and/or 'C' shares on that machine (variant dependent). The following accounts are used for the connection (with no passwords):

  • Administrator
  • Owner
  • Guest

NOTE: The virus assumes the privileges of the currently authenticated user. If a domain administrator logs on to an infected system, virtually all accessible systems on the LAN may be vulnerable to share propagation.

If successful, the worm will copy itself onto that share in one of the following locations (i.e. a Windows startup folder):

  • C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup
  • C:\WINDOWS\Start Menu\Programs\Startup
  • C:\Documents and Settings\All Users\Start Menu\Programs\Startup
  • \WINNT\Profiles\All Users\Start Menu\Programs\Startup
  • \WINDOWS\Start Menu\Programs\Startup
  • \Documents and Settings\All Users\Start Menu\Programs\Startup

Finally, the worm attempts to execute the copied file by calling the NetScheduleJobAdd function.
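Both persistence points named above (the "NAV Live Update" value under the Run key, and a PE file dropped into one of the listed startup folders) can be checked for without any vendor tooling. The script below is an added illustration, not McAfee's code or anything from the worm itself: it parses a `.reg` export of the Run key for the hook value and walks the startup folders from the list, flagging files that carry a real MZ/PE header rather than a shortcut or `desktop.ini`. The `.reg` text, the file tree and the path `C:\WINNT\system32\deborm-sample.exe` are constructed for the demo; on a live host the root would be `C:\` or a mapped share and the export would come from `reg export`.

```python
"""Defender-side checks for the two W32/Deborm persistence mechanisms:
the "NAV Live Update" Run-key value and unexpected PE files in startup folders.
Added example; the .reg export and file tree below are constructed."""
import re
import struct
import tempfile
from pathlib import Path

# Startup folders from the description, in drive-relative form so they can be
# resolved under any root (C:\, a mapped share, or the temp dir used here).
STARTUP_FOLDERS = [
    r"WINNT\Profiles\All Users\Start Menu\Programs\Startup",
    r"WINDOWS\Start Menu\Programs\Startup",
    r"Documents and Settings\All Users\Start Menu\Programs\Startup",
]

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
HOOK_VALUE_NAME = "NAV Live Update"  # value name the worm sets (from the description)

# Constructed .reg export of the Run key; the worm path is a placeholder.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"NAV Live Update"="C:\\WINNT\\system32\\deborm-sample.exe"
"""


def is_pe_file(path: Path) -> bool:
    """True if the file has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as f:
            header = f.read(0x40)
            if len(header) < 0x40 or header[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", header, 0x3C)
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False


def scan_startup_folders(root: Path) -> list:
    """Return every PE file sitting directly in a known startup folder under root."""
    hits = []
    for rel in STARTUP_FOLDERS:
        folder = root.joinpath(*rel.split("\\"))
        if not folder.is_dir():
            continue
        for entry in sorted(folder.iterdir()):
            if entry.is_file() and is_pe_file(entry):
                hits.append(entry)
    return hits


def find_run_hook(reg_export: str):
    """Return the data of the 'NAV Live Update' value under the Run key in a
    .reg export, or None if the value is absent."""
    current_key = None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key and current_key.lower() == RUN_KEY.lower():
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m and m.group(1) == HOOK_VALUE_NAME:
                return m.group(2).replace("\\\\", "\\")  # .reg escapes backslashes
    return None


def build_demo_tree(root: Path) -> None:
    """Constructed tree: a minimal PE stub plus a non-PE file in one startup folder."""
    startup = root.joinpath(*STARTUP_FOLDERS[2].split("\\"))
    startup.mkdir(parents=True)
    stub = bytearray(b"MZ" + b"\0" * 0x3A)   # 0x3C bytes of DOS header
    stub += struct.pack("<I", 0x40)          # e_lfanew at offset 0x3C
    stub += b"PE\0\0"                        # PE signature at offset 0x40
    (startup / "worm-sample.exe").write_bytes(bytes(stub))
    (startup / "desktop.ini").write_text("[.ShellClassInfo]\n")


def run_demo() -> dict:
    """Run both checks against the constructed inputs and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        pe_hits = [p.name for p in scan_startup_folders(root)]
    return {"pe_in_startup": pe_hits, "run_hook": find_run_hook(SAMPLE_REG_EXPORT)}


if __name__ == "__main__":
    print(run_demo())
```

The PE check reads the header rather than trusting the extension, since the description stresses unexpected PE files rather than any particular filename; a hit in a startup folder on another host's share is exactly the symptom listed below, and the Run-key value is the local indicator to confirm it.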

Symptoms

  • Unexpected PE files copied to Windows startup folder, across the local network
  • Dropping of other malware (e.g. IRC-Sdbot and BackDoor-JZ) on machines across the local network

Method of Infection

This is a NetBIOS worm that propagates via copying itself to accessible file shares on machines on the local subnet. It drops other (backdoor) malware on compromised machines.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Multidropper-DC
  • nb_worm
  • TROJ_DROPPERFL.A (Trend)
  • W32.HLLW.Nebiwo (NAV)
  • w32/Slackor
  • Worm.Win32.Deborm (AVP)
  • YapBinder
