Win32.HLLW.Deloder.A ( N/A )

SYMPTOMS:
A value named "messnger" in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run containing the path to the worm executable.

TECHNICAL DESCRIPTION:
The worm runs only on NT-based platforms (Windows NT 4, Windows 2000 or Windows XP), because it uses functions from the "netapi32.dll" library. It attempts connections to random IP addresses on TCP port 445, that is, it tries to reach remote computers over TCP/IP on the local network or on the Internet. If a connection succeeds, it runs "psexec.exe", a legitimate remote-execution tool that is not itself malicious, to copy and execute itself on the remote computer. Its file name may change to "Dvldr32.exe" when copied to the destination. It also drops a file "inst.exe", which is Backdoor.Deloder.A, into the "Start Menu\Programs\Startup" folder on the remote computers, so the backdoor starts at the next logon.

In its connection attempts, the worm uses passwords from the following dictionary:
"" (no password), "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "admin", "Admin", "password", "Password", "1", "12", "123", "1234", "12345", "123456", "1234567", "12345678", "123456789", "654321", "54321", "111", "000000", "00000000", "11111111", "88888888", "pass", "passwd", "database", "abcd", "abc123", "oracle", "sybase", "123qwe", "server", "computer", "Internet", "super", "123asd", "ihavenopass", "godblessyou", "enable", "xp", "2002", "2003", "2600", "0", "110", "111111", "121212", "123123", "1234qwer", "123abc", "007", "alpha", "patrick", "pat", "administrator", "root", "sex", "god", "foobar", "a", "aaa", "abc", "test", "test123", "temp", "temp123", "win", "pc", "asdf", "secret", "qwer", "yxcv", "zxcv", "home", "xxx", "owner", "login", "Login", "pwd", "pass", "love", "mypc", "mypc123", "admin123", "pw123", "mypass", "mypass123", "pw"

Any machine whose administrative account uses one of these passwords, or has no password at all, and exposes port 445 to the worm's scan is a candidate for infection.

REMOVAL INSTRUCTIONS:
Automatic removal: let BitDefender delete the files found infected with this worm, or its dropped backdoor.

ANALYZED BY: Mihai Neagu, BitDefender Virus Researcher
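The propagation behaviour described above (one host opening connections to many random addresses on TCP port 445 within seconds) is what a network defender can alert on, independently of the AV signature. The Python script below is an added example, not code from the BitDefender entry: it assumes a constructed firewall log format ("<ISO timestamp> src=... dst=... dport=... action=...") and an assumed alerting threshold of five distinct targets on port 445 within 60 seconds; both the sample log lines and the thresholds are invented for illustration and should be tuned to the real log source.

```python
"""Flag hosts that sweep many distinct addresses on TCP/445 inside a short window.

Deloder spreads by connecting to random IP addresses on port 445, so a single
source touching many unrelated hosts on that port within seconds is the
network-side signature worth alerting on. Added example, not part of the
original BitDefender entry.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format, not taken from the original page).
# 10.0.0.5 behaves like a Deloder-infected host (random targets on 445),
# 10.0.0.7 is normal SMB traffic to a single file server,
# 10.0.0.9 is web traffic and must be ignored,
# 10.0.0.11 reaches five hosts on 445 but only one per minute.
SAMPLE_LOG = """\
2003-03-08T10:00:00 src=10.0.0.11 dst=192.168.2.10 dport=445 action=allow
2003-03-08T10:00:01 src=10.0.0.5 dst=61.12.88.3 dport=445 action=drop
2003-03-08T10:00:01 src=10.0.0.7 dst=192.168.1.20 dport=445 action=allow
2003-03-08T10:00:02 src=10.0.0.5 dst=200.45.7.190 dport=445 action=drop
2003-03-08T10:00:02 src=10.0.0.9 dst=192.168.1.30 dport=80 action=allow
2003-03-08T10:00:03 src=10.0.0.5 dst=13.220.9.77 dport=445 action=drop
this line is malformed and must be skipped by the parser
2003-03-08T10:00:04 src=10.0.0.7 dst=192.168.1.20 dport=445 action=allow
2003-03-08T10:00:05 src=10.0.0.5 dst=172.16.40.2 dport=445 action=allow
2003-03-08T10:00:06 src=10.0.0.9 dst=192.168.1.31 dport=80 action=allow
2003-03-08T10:00:07 src=10.0.0.5 dst=98.5.120.14 dport=445 action=drop
2003-03-08T10:00:08 src=10.0.0.7 dst=192.168.1.20 dport=445 action=allow
2003-03-08T10:00:09 src=10.0.0.5 dst=146.30.1.200 dport=445 action=drop
2003-03-08T10:00:10 src=10.0.0.7 dst=192.168.1.20 dport=445 action=allow
2003-03-08T10:01:00 src=10.0.0.11 dst=192.168.2.11 dport=445 action=allow
2003-03-08T10:02:00 src=10.0.0.11 dst=192.168.2.12 dport=445 action=allow
2003-03-08T10:03:00 src=10.0.0.11 dst=192.168.2.13 dport=445 action=allow
2003-03-08T10:04:00 src=10.0.0.11 dst=192.168.2.14 dport=445 action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def find_port445_scanners(lines, min_targets=5, window_seconds=60):
    """Return {src: peak distinct port-445 targets} for every source that reached
    at least min_targets distinct destinations on port 445 within window_seconds.

    Dropped and allowed attempts both count: the worm keeps probing random
    addresses whether or not the SYN is answered, so firewall drops are part
    of the signal rather than noise.
    """
    window = timedelta(seconds=window_seconds)
    records = [r for r in map(parse_line, lines) if r and r["dport"] == 445]
    records.sort(key=lambda r: r["ts"])  # the sliding window needs time order

    recent = defaultdict(deque)  # src -> deque of (ts, dst) still inside the window
    flagged = {}
    for rec in records:
        q = recent[rec["src"]]
        q.append((rec["ts"], rec["dst"]))
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()  # expire attempts older than the window
        distinct = len({dst for _, dst in q})
        if distinct >= min_targets:
            flagged[rec["src"]] = max(flagged.get(rec["src"], 0), distinct)
    return flagged


if __name__ == "__main__":
    for src, n in find_port445_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {n} distinct hosts on tcp/445 within 60 s - possible Deloder-style scan")
```

Counting distinct destinations rather than raw connection attempts is what separates the worm from a busy but legitimate client: 10.0.0.7 opens port 445 repeatedly but always to the same file server, so it never trips the threshold, while the slow sweep from 10.0.0.11 only shows up once the window is widened. Once a scanner is flagged, the host-side indicators from the entry (the "messnger" Run value and "inst.exe" in the Startup folder) confirm the infection.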