FRISK Software International


Summary of W32/HLLW.Deloder
Alias: Worm.Win32.Deloder (KAV), W32.HLLW.Deloder (Symantec), WORM_DELODER.A (Trend)
Length: 745984
Discovered: 9 Mar 2003
Definition files: 9 Mar 2003
Risk Level: Low
Distribution: Low
Payload: Drops a Backdoor
Brief Description
W32/HLLW.Deloder is a worm written in Visual C++ and compressed with ASPack. It propagates over networks by scanning ranges of IP addresses on TCP port 445 and trying to access shared drives, both through the default administrative shares commonly found on Windows computers and by a simple brute-force attack on password-protected shares using a built-in list of common passwords. If it gains access, it uploads two components: psexec.exe, a legitimate remote-execution utility, and inst.exe, a dropper for an IRC-controlled backdoor that also installs the VNC remote-desktop utility. The worm then runs the dropper on the remote host with psexec.exe. Registry Run entries are created so that the backdoor components start every time the infected system boots.


Technical Description
This worm propagates over networks by scanning for hosts listening on TCP port 445 (SMB over TCP, the Microsoft-DS port; the same port Samba serves). It also creates a Run key entry in the registry so that it is executed automatically on Windows startup. It then drops two files, psexec.exe and inst.exe.
The file psexec.exe is the standard PsExec utility, which can execute programs on remote hosts; the worm uses it, among other things, to launch inst.exe on the victim and to try to delete the default shares.
The worm carries a small built-in list of common passwords, reproduced below, which it uses to brute-force access to password-protected network shares.

mypass123
mypass
pw123
admin123
mypc123
mypc
love
Login
login
owner
home
zxcv
yxcv
qwer
secret
asdf
temp123
temp
test123
test
foobar
root
administrator
patrick
alpha
123abc
1234qwer
123123
121212
111111
2600
2003
2002
enable
godblessyou
ihavenopass
123asd
super
Internet
computer
server
123qwe
sybase
oracle
abc123
abcd
database
passwd
pass
88888888
11111111
00000000
000000
54321
654321
123456789
12345678
1234567
123456
12345
1234
Password
password
Admin
admin
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
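The scanning and guessing described above leave a characteristic trail on the victim: a burst of failed network logons to the administrative shares from a single source, often followed by a success once a dictionary word matches. The following Python is an added example, not part of the FRISK write-up, showing a sliding-window detection over such records. The log lines and their CSV layout are constructed for the example (an assumed SIEM export of logon events; 4625/4624 are the Vista-and-later failed/successful logon IDs, older systems log 529/528 for the same events, and logon type 3 is what an SMB connection to C$ or ADMIN$ produces).

```python
"""Flag Deloder-style SMB password guessing in Windows Security log records.

Added example, not part of the FRISK write-up. The log below is constructed
for the example, one line per logon event in an assumed CSV export format:
timestamp, event id, logon type, target user, source IP, share.
Event 4625 = failed logon, 4624 = successful logon, logon type 3 = network.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple


class LogonEvent(NamedTuple):
    ts: datetime
    event_id: int
    logon_type: int
    user: str
    source: str
    share: str


# Constructed sample: a scanner at 10.0.0.5 cycles through the worm's
# dictionary against the Administrator account and eventually gets in;
# 10.0.0.9 is one user mistyping a password once.
SAMPLE_LOG = """\
2003-03-09T10:00:01,4625,3,Administrator,10.0.0.5,C$
2003-03-09T10:00:01,4625,3,Administrator,10.0.0.5,C$
2003-03-09T10:00:02,4625,3,Administrator,10.0.0.5,C$
2003-03-09T10:00:02,4625,3,Administrator,10.0.0.5,ADMIN$
2003-03-09T10:00:03,4625,3,Administrator,10.0.0.5,C$
2003-03-09T10:00:03,4625,3,Administrator,10.0.0.5,C$
2003-03-09T10:00:04,4624,3,Administrator,10.0.0.5,C$
2003-03-09T10:00:10,4625,3,jsmith,10.0.0.9,C$
"""


def parse(log: str) -> List[LogonEvent]:
    """Parse the CSV export into LogonEvent records (blank and # lines skipped)."""
    events = []
    for line in log.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, eid, ltype, user, src, share = (f.strip() for f in line.split(","))
        events.append(LogonEvent(datetime.fromisoformat(ts), int(eid), int(ltype),
                                 user, src, share))
    return events


def detect(events: List[LogonEvent], threshold: int = 5,
           window: timedelta = timedelta(seconds=60)) -> Dict[str, dict]:
    """Return, keyed by source IP, the sources with at least `threshold` failed
    network logons inside a sliding `window`. `success_after` is set when a
    successful network logon from the same source arrives while failures are
    still in the window: the signature of a guess that landed, which is the
    case worth paging on rather than merely rate-limiting."""
    recent: Dict[str, Deque[LogonEvent]] = defaultdict(deque)
    alerts: Dict[str, dict] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.logon_type != 3:
            continue  # interactive/service logons are not SMB share access
        q = recent[ev.source]
        while q and ev.ts - q[0].ts > window:
            q.popleft()  # drop failures that fell out of the window
        if ev.event_id == 4625:
            q.append(ev)
            if len(q) >= threshold:
                alerts[ev.source] = {
                    "failures": len(q),
                    "users": {e.user for e in q},
                    "shares": {e.share for e in q},
                    "success_after": alerts.get(ev.source, {}).get("success_after", False),
                }
        elif ev.event_id == 4624 and ev.source in alerts and q:
            alerts[ev.source]["success_after"] = True
    return alerts


def analyze_sample() -> Dict[str, dict]:
    """Run the detection over the constructed sample log."""
    return detect(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for src, a in analyze_sample().items():
        print(f"{src}: {a['failures']} failed logons as {sorted(a['users'])} "
              f"to {sorted(a['shares'])}; success after guessing: {a['success_after']}")
```

The threshold and window are tuning knobs: a worm working through a list of the size shown above produces dozens of failures per host in seconds, so a low threshold over a short window is enough, while the single failure from 10.0.0.9 never trips it.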


After gaining access to a host, the worm copies itself to the Windows system directory under the name Dvldr32.exe and tries to copy the backdoor dropper, inst.exe, to the following Startup directories, where %s is the name of the remote computer:


\\%s\C$\WINNT\All Users\Start Menu\Programs\Startup\
\\%s\C\WINDOWS\Start Menu\Programs\Startup\
\\%s\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\



Inst.exe creates the following two entries under the registry Run key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Explorer = [c:\winnt\fonts\explorer.exe]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TaskMan = [c:\winnt\fonts\rundll32.exe]


The files explorer.exe, omnithread_rt.dll and vnchooks.dll, all dropped by Inst.exe, are components of the VNC remote-desktop utility, which the Run entries above start every time Windows starts. Inst.exe also drops cygwin1.dll and rundll32.exe, where this rundll32.exe is an IRC backdoor, not the Windows utility of the same name (note the c:\winnt\fonts path in the Run entry).
When rundll32.exe is executed it tries to connect to one of the following servers (all dynamic-DNS host names under the label "cocket"):

cocket.nailed.org
cocket.mooo.com
cocket.bounceme.net
cocket.phathookups.com
cocket.gotdns.com
cocket.ma.cx
cocket.orgdns.org
cocket.minidns.net
cocket.dyn.nicolas.cx
cocket.dynup.net
cocket.pokemonfan.org
cocket.staticcling.org
cocket.getmyip.com
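Because the dropper reuses the names of legitimate Windows binaries (explorer.exe, rundll32.exe), a file-name search alone will produce false hits on every host; what identifies an infection is where the files sit and what the Run entries point at. The following Python is an added example, not part of the FRISK write-up, that triages an offline host snapshot for the persistence artefacts described above. The snapshot (Run values and a file listing) is constructed for the example, and the `%s` path templates are the ones listed above with trailing backslashes dropped.

```python
"""Triage an offline host snapshot for the Deloder persistence artefacts.

Added example, not part of the FRISK write-up. It takes a snapshot (the
Run key's values and a file listing, as exported from a suspect host)
rather than reading the live registry, so it runs anywhere; the snapshot
below is constructed for the example. Because the dropper reuses the names
of legitimate Windows binaries, every check keys on the location (Fonts
directory, Startup folder, system directory), never on the name alone.
"""
import ntpath
from typing import Dict, List

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
# Components Inst.exe drops into the Fonts directory (from the write-up)
DROPPED_IN_FONTS = {"explorer.exe", "rundll32.exe", "omnithread_rt.dll",
                    "vnchooks.dll", "cygwin1.dll"}
STARTUP_DROPPER = "inst.exe"   # copied to a remote Startup folder
WORM_BINARY = "dvldr32.exe"    # the worm's own copy in the system directory
# UNC templates the worm fills in with the victim's name (%s) when copying inst.exe
STARTUP_TEMPLATES = [
    r"\\%s\C$\WINNT\All Users\Start Menu\Programs\Startup",
    r"\\%s\C\WINDOWS\Start Menu\Programs\Startup",
    r"\\%s\C$\Documents and Settings\All Users\Start Menu\Programs\Startup",
]

# Constructed snapshot: the two Deloder Run values plus one benign one, and a
# file listing that mixes the real rundll32.exe with the dropped copies.
SAMPLE_RUN_VALUES = {
    "Explorer": r"c:\winnt\fonts\explorer.exe",
    "TaskMan": r"c:\winnt\fonts\rundll32.exe",
    "ctfmon.exe": r"C:\WINNT\System32\ctfmon.exe",
}
SAMPLE_FILES = [
    r"C:\WINNT\system32\rundll32.exe",
    r"C:\WINNT\Fonts\rundll32.exe",
    r"C:\WINNT\Fonts\explorer.exe",
    r"C:\WINNT\Fonts\omnithread_rt.dll",
    r"C:\WINNT\Fonts\arial.ttf",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\inst.exe",
    r"C:\WINNT\system32\Dvldr32.exe",
]


def drop_targets(victim: str) -> List[str]:
    """Expand the worm's %s path templates for one victim host name."""
    return [t % victim for t in STARTUP_TEMPLATES]


def _parts(path: str) -> List[str]:
    """Lower-cased path components, backslash-normalised (ntpath works on any OS)."""
    return ntpath.normpath(path.strip('"')).lower().split("\\")


def triage(run_values: Dict[str, str], files: List[str]) -> List[str]:
    """Return one finding per Deloder artefact present in the snapshot."""
    findings = []
    for name, data in run_values.items():
        parts = _parts(data)
        # Nothing legitimate autostarts an .exe out of the Fonts directory
        if "fonts" in parts and parts[-1].endswith(".exe"):
            findings.append(f"Run value {RUN_KEY}\\{name} starts {data} from the Fonts directory")
    for path in files:
        parts = _parts(path)
        base = parts[-1]
        if "fonts" in parts and base in DROPPED_IN_FONTS:
            findings.append(f"backdoor/VNC component in Fonts directory: {path}")
        elif base == STARTUP_DROPPER and "startup" in parts:
            findings.append(f"dropper in a Startup folder: {path}")
        elif base == WORM_BINARY:
            findings.append(f"worm binary: {path}")
    return findings


def triage_sample() -> List[str]:
    """Run the triage over the constructed snapshot."""
    return triage(SAMPLE_RUN_VALUES, SAMPLE_FILES)


if __name__ == "__main__":
    for finding in triage_sample():
        print(finding)
    print("inst.exe would be written to:", *drop_targets("FILESRV01"), sep="\n  ")
```

The legitimate C:\WINNT\system32\rundll32.exe and the benign ctfmon.exe Run value produce no findings, while the copies under Fonts, the dropper in the Startup folder and Dvldr32.exe in the system directory each do; on a real host the same check should be run against the local Run key under HKCU as well, since the dropper's choice of HKLM is only what was observed for this sample.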




Analysis / Description: Sigurdur A. Stefnisson & Sindri Bjarnason - FRISK Software International
 

