A new worm is in the wild, using a list of common, weak administrator passwords to break into systems.
Deloder-A uses Remote Process Launch (psexec.exe) to infect remote machines, a legitimate program used by administrators for remote management. The worm spreads by first scanning random IP addresses, looking for Windows machines with port 445 open. Port 445 (Microsoft SMB over TCP/IP) gives other systems access to Windows file shares.
Deloder then attempts to log on to the machines as administrator, using a list of common passwords it carries. The worm requires Windows NT, Windows 2000 or Windows XP to spread, but the virus can copy itself on to Win9x and ME systems.
When the worm runs, it drops a backdoor Trojan installer (INST.EXE) and a Remote Process Launch application. The worm attempts to copy and execute itself on remote systems, via accessible network shares.
Deloder tries the following passwords when it tries remote systems:
The worm doesn't delete files, but it can bog down networks as it increases traffic on port 445. One sign of infection is the appearance of unusually high levels of outgoing TCP traffic to port 445 of other systems. More important, Deloder also installs a backdoor program that could allow the worm writer to gain complete system control of infected systems.
Strong administrator passwords are the best protection against Deloder, said Craig Schmugar, an antivirus researcher with McAfee AVERT. (See "Proper password policy is imperative" for tips on creating strong passwords.)
Plugging port 445 access would be difficult, since it's so important to Windows, Schmugar said. A personal firewall would help prevent infection because it curtails outside access, he said.
In other worm news, Sophos and F-Secure are warning of Yaha-P (called Yaha-Q by some). The worm is similar to past versions. It mostly travels through e-mail, but it can also spread through network file shares. It uses a host of subject lines and message texts. It can also spoof e-mail addresses so it falsely appears to come from a particular address, when it in fact originated at another machine.
The variant is packed with a UPX file compressor with the UPX strings manually removed from the file's header, F-Secure said in an advisory. Often, worm writers pack their creations with different file-packing programs to make them harder for antivirus programs to detect.
FOR MORE INFORMATION:SearchSecurity.com news exclusive "Klez's staying power still a concern" SearchSecurity.com news exclusive "Proper password policy is imperative"
- FEEDBACK: How dire is the password problem in your enterprise?
Send your thoughts to News Writer Edward Hurley.