Summary of W32/HLLW.Deloder
Alias: Worm.Win32.Deloder (KAV), W32.HLLW.Deloder (Symantec), WORM_DELODER.A (Trend)
9 Mar 2003
9 Mar 2003
Drops a Backdoor
W32/HLLW.Deloder is a worm written in Visual C++ and compressed with ASPack. It propagates across networks by scanning ranges of IP addresses on TCP port 445 and attempting to access shared drives, both through the default administrative shares commonly present on Windows computers and by simple brute-forcing of password-protected shares. When it succeeds, it uploads two components, one of which is a dropper for an IRC-controlled backdoor together with a VNC remote-desktop utility and a remote-execution program. The worm launches this dropper with a legitimate remote-program execution tool. It also creates registry keys so that it is run once the system has been infected.
This worm propagates via networks, scanning hosts for TCP port 445 (SMB directly over TCP, the port Windows file sharing listens on; Samba serves the same port, but it is not Samba-specific).
It also creates a run key in the registry so that it is executed automatically at Windows startup.
It then drops two files, psexec.exe and inst.exe.
psexec.exe is the standard Sysinternals PsExec utility for executing programs on remote machines; the worm uses it, among other things, to run the dropper on the target and to try to delete the default shares.
The worm contains a small built-in list of common passwords (listed below),
which it uses to brute-force access to password-protected network resources.
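The network behaviour described above (one source walking an address range on TCP port 445) is what a flow-log rule can catch, because a normal SMB client talks to a handful of servers while a scanning host contacts a new one every second or so. The following is an added example, not code from the original analysis: it counts distinct port-445 destinations per source inside a sliding window. The flow format, the sample records, and the window and threshold values are all constructed assumptions to be tuned per site.

```python
"""Spot a Deloder-style TCP/445 sweep in flow records.

Added example for this write-up, not code from the original analysis.
The flow format ("ISO-timestamp src dst dport") and the sample records
are constructed here; the window and threshold are assumptions to tune
per site.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORT = 445                      # the port the worm sweeps
WINDOW = timedelta(seconds=60)      # assumption: look-back per source
THRESHOLD = 20                      # assumption: distinct 445 targets per window


def parse_flow(line):
    """Parse one constructed flow record into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def find_smb_sweepers(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {src: peak_distinct_targets} for every source that contacted
    at least `threshold` distinct hosts on TCP/445 inside one `window`.

    The discriminating feature is the number of distinct destinations per
    source, not the packet volume: a busy file-server client stays at one
    or two targets, a range scanner keeps adding new ones.
    """
    flows = sorted((parse_flow(line) for line in lines), key=lambda f: f[0])
    recent = defaultdict(deque)     # src -> deque of (ts, dst) inside the window
    hits = {}
    for ts, src, dst, dport in flows:
        if dport != SMB_PORT:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:    # evict records older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold:
            hits[src] = max(hits.get(src, 0), distinct)
    return hits


def build_sample_flows():
    """Constructed flow log: one sweeping host, one benign SMB client, one
    host fanning out on port 80 (which must not trigger the rule)."""
    base = datetime(2003, 3, 9, 12, 0, 0)
    lines = []
    for i in range(1, 31):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.5 10.0.1.{i} 445")     # sweep: new target each second
        lines.append(f"{ts} 10.0.0.7 10.0.2.10 445")      # benign: same file server
        lines.append(f"{ts} 10.0.0.9 10.0.3.{i} 80")      # many targets, wrong port
    return lines


SAMPLE_FLOWS = build_sample_flows()

if __name__ == "__main__":
    for src, peak in find_smb_sweepers(SAMPLE_FLOWS).items():
        print(f"{src}: {peak} distinct hosts on 445 within {WINDOW.seconds}s")
```

On the constructed sample only 10.0.0.5 is reported; the benign client never exceeds one destination and the port-80 host is ignored entirely. The threshold has to be set above the largest number of SMB servers a legitimate host (a backup server, a software-distribution point) touches in a minute, or those will be reported too.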
After gaining access to a host, the worm copies itself to the Windows system directory under the name Dvldr32.exe
and tries to copy the backdoor dropper, under the name inst.exe, to the following directories, where %s is the name of the remote computer:
\\%s\C$\WINNT\All Users\Start Menu\Programs\Startup\
\\%s\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\
Inst.exe creates the following two values under the registry Run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Explorer = [c:\winnt\fonts\explorer.exe]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TaskMan = [c:\winnt\fonts\rundll32.exe]
The files explorer.exe, omnithread_rt.dll and vnchooks.dll, all dropped by Inst.exe, are components of the VNC remote-desktop utility; because of the Run values Inst.exe creates, VNC is started every time Windows starts.
Inst.exe also drops cygwin1.dll and rundll32.exe, where this rundll32.exe is not the Windows system binary but an IRC backdoor. Both dropped executables live in c:\winnt\fonts and only borrow the names of system programs; the genuine explorer.exe resides in the Windows directory and the genuine rundll32.exe in System32.
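The persistence artefacts listed above (Run values named Explorer and TaskMan that start executables from the Fonts directory, the VNC and cygwin DLLs beside them, Dvldr32.exe in the system directory, inst.exe in the All Users Startup folder) can be checked mechanically on a suspect host. The following is an added example, not code from the original analysis: it evaluates a constructed snapshot of Run values and file paths and reports each indicator it finds. The snapshot format, the sample data and the assumption that the Windows directory is C:\WINNT are the author's choices, not anything the write-up states.

```python
"""Check a host snapshot for the persistence artefacts Deloder's inst.exe leaves.

Added example for this write-up, not code from the original analysis.
The registry values, paths and file names come from the description
above; the snapshot format (a dict of Run values and a list of file
paths) and the sample data are constructed here. The Windows directory
is assumed to be C:\\WINNT, as on the NT/2000 systems the worm targeted.
"""
from collections import Counter
from pathlib import PureWindowsPath

WINDIR = PureWindowsPath(r"C:\WINNT")      # assumption: adjust for the host
FONTS = WINDIR / "Fonts"
SYSTEM32 = WINDIR / "System32"

# Where the genuine binaries live. A Run value that starts a file with one
# of these names from anywhere else is the masquerade the worm relies on.
EXPECTED_HOME = {"explorer.exe": WINDIR, "rundll32.exe": SYSTEM32}

# Files inst.exe drops into the Fonts directory (VNC parts, cygwin1.dll, backdoor).
FONTS_DROPS = {"explorer.exe", "rundll32.exe", "omnithread_rt.dll",
               "vnchooks.dll", "cygwin1.dll"}
STARTUP_TAIL = PureWindowsPath(r"Start Menu\Programs\Startup")


def _norm(path):
    """Case-fold a path so comparisons are insensitive, as Windows lookups are."""
    return PureWindowsPath(str(path).lower())


def _exe_of(command):
    """Extract the executable from a Run value (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split()[0]


def deloder_indicators(run_values, files):
    """Return sorted (tag, detail) findings for a constructed host snapshot.

    run_values: {value_name: command} from HKLM\\...\\CurrentVersion\\Run
    files:      full paths present on disk
    """
    findings = []
    for name, command in run_values.items():
        exe = _norm(_exe_of(command))
        home = EXPECTED_HOME.get(exe.name)
        if home is not None and exe.parent != _norm(home):
            findings.append(("run_key_masquerade", f"{name} = {command}"))
    for raw in files:
        p = _norm(raw)
        if p.parent == _norm(FONTS) and p.name in FONTS_DROPS:
            findings.append(("fonts_drop", str(p)))
        elif p.name == "dvldr32.exe" and p.parent in (_norm(SYSTEM32), _norm(WINDIR)):
            findings.append(("worm_body", str(p)))
        elif p.name == "inst.exe" and p.parent.parts[-3:] == _norm(STARTUP_TAIL).parts:
            findings.append(("startup_dropper", str(p)))
    return sorted(findings)


def summarize(findings):
    """Count findings per tag, e.g. {'fonts_drop': 5, ...}."""
    return dict(Counter(tag for tag, _ in findings))


# Constructed snapshot of an infected host (not data from a real system).
SAMPLE_RUN = {
    "Explorer": r"c:\winnt\fonts\explorer.exe",       # value the dropper creates
    "TaskMan": r"c:\winnt\fonts\rundll32.exe",        # value the dropper creates
    "Agent": r'"C:\Program Files\Vendor\agent.exe"',  # benign, quoted path
}
SAMPLE_FILES = [
    r"C:\WINNT\explorer.exe",                         # genuine
    r"C:\WINNT\System32\rundll32.exe",                # genuine
    r"C:\WINNT\Fonts\arial.ttf",                      # a font, ignored
    r"C:\WINNT\Fonts\explorer.exe",
    r"C:\WINNT\Fonts\rundll32.exe",
    r"C:\WINNT\Fonts\omnithread_rt.dll",
    r"C:\WINNT\Fonts\vnchooks.dll",
    r"C:\WINNT\Fonts\cygwin1.dll",
    r"C:\WINNT\System32\Dvldr32.exe",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\inst.exe",
]

if __name__ == "__main__":
    for tag, detail in deloder_indicators(SAMPLE_RUN, SAMPLE_FILES):
        print(f"{tag:20s} {detail}")
```

The run-key check is the part worth keeping beyond this one worm: it does not match on the names Explorer or TaskMan, which are trivial to change, but on a system-binary name being launched from a directory where that binary does not belong.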
When rundll32.exe is executed it tries to connect to one of the following servers:
Analysis / Description: Sigurdur A. Stefnisson & Sindri Bjarnason - FRISK Software International