News Stay informed about the latest enterprise technology news and product updates.

Deloder worm preys on poor passwords

Virus experts are warning enterprises of a new worm called Deloder, which uses a legitimate remote administration tool to spread.

A new worm is in the wild, using a list of common, weak administrator passwords to break into systems.

Deloder-A uses Remote Process Launch (psexec.exe) to infect remote machines, a legitimate program used by administrators for remote management. The worm spreads by first scanning random IP addresses, looking for Windows machines with port 445 open. Port 445 (Microsoft SMB over TCP/IP) gives other systems access to Windows file shares.

Deloder then attempts to log on to the machines as administrator, using a list of common passwords it carries. The worm requires Windows NT, Windows 2000 or Windows XP to spread, but the virus can copy itself on to Win9x and ME systems.

When the worm runs, it drops a backdoor Trojan installer (INST.EXE) and a Remote Process Launch application. The worm attempts to copy and execute itself on remote systems, via accessible network shares.

Deloder tries the following passwords when it tries remote systems:

  • 0
  • 000000
  • 00000000
  • 007
  • 1
  • 110
  • 111
  • 111111
  • 11111111
  • 12
  • 121212
  • 123
  • 123123
  • 1234
  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 1234qwer
  • 123abc
  • 123asd
  • 123qwe
  • 2002
  • 2003
  • 2600
  • 54321
  • 654321
  • 88888888
  • a
  • aaa
  • abc
  • abc123
  • abcd
  • Admin
  • admin
  • admin123
  • administrator
  • alpha
  • asdf
  • computer
  • database
  • enable
  • foobar
  • god
  • godblessyou
  • home
  • ihavenopass
  • Internet
  • Login
  • login
  • love
  • mypass
  • mypass123
  • mypc
  • mypc123
  • oracle
  • owner
  • pass
  • passwd
  • Password
  • password
  • pat
  • patrick
  • pc
  • pw
  • pw123
  • pwd
  • qwer
  • root
  • secret
  • server
  • sex
  • super
  • sybase
  • temp
  • temp123
  • test
  • test123
  • win
  • xp
  • xxx
  • yxcv
  • zxcv

The worm doesn't delete files, but it can bog down networks as it increases traffic on port 445. One sign of infection is the appearance of unusually high levels of outgoing TCP traffic to port 445 of other systems. More important, Deloder also installs a backdoor program that could allow the worm writer to gain complete system control of infected systems.

Strong administrator passwords are the best protection against Deloder, said Craig Schmugar, an antivirus researcher with McAfee AVERT. (See "Proper password policy is imperative" for tips on creating strong passwords.)

Plugging port 445 access would be difficult, since it's so important to Windows, Schmugar said. A personal firewall would help prevent infection because it curtails outside access, he said.

Yaha-P surfaces

In other worm news, Sophos and F-Secure are warning of Yaha-P (called Yaha-Q by some). The worm is similar to past versions. It mostly travels through e-mail, but it can also spread through network file shares. It uses a host of subject lines and message texts. It can also spoof e-mail addresses so it falsely appears to come from a particular address, when it in fact originated at another machine.

The variant is packed with a UPX file compressor with the UPX strings manually removed from the file's header, F-Secure said in an advisory. Often, worm writers pack their creations with different file-packing programs to make them harder for antivirus programs to detect.

FOR MORE INFORMATION: news exclusive "Is a Sendmail worm likely?" news exclusive "Klez's staying power still a concern" news exclusive "Proper password policy is imperative"

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.