Sophos

W32/Deloder-A

Aliases
  • Backdoor.Dvldr

Summary

Detected by All Sophos products
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

Action

Please follow the instructions for removing worms.

Windows NT/2000/XP

In Windows NT/2000/XP you will also need to edit the following registry entries.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
messnger = <pathname of worm>

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Explorer = %Fonts%\explorer.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
TaskMan = %Fonts%\rundll32.exe

and delete them if they exist.

Close the registry editor.
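To check a Regedit 'Export Registry File' dump for the three Run entries listed above before touching the live registry, here is an added Python example (not Sophos' code or tooling); it assumes a standard .reg export with string (REG_SZ) values, and the sample export it parses is constructed for the demo.

```python
# Triage a Regedit 'Export Registry File' dump for the W32/Deloder-A Run-key
# entries. Added example, not Sophos' tooling; the .reg text is constructed.
import re

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"

# Run value name (lower-case) -> expected data; None means any path is a hit,
# since the worm's own filename varies (<pathname of worm> above).
DELODER_RUN_VALUES = {
    "messnger": None,
    "explorer": re.compile(r"\\fonts\\explorer\.exe$", re.I),
    "taskman": re.compile(r"\\fonts\\rundll32\.exe$", re.I),
}

def parse_reg_export(text):
    """Return {key (lower-case): {value_name: data}} for REG_SZ values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"'):  # skip dword:/hex: values
                # .reg exports double every backslash; undo that
                keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_deloder_entries(reg_text):
    """Return [(value_name, data)] Run entries matching the worm's persistence."""
    run = parse_reg_export(reg_text).get(RUN_KEY, {})
    hits = []
    for name, data in run.items():
        if name.lower() not in DELODER_RUN_VALUES:
            continue
        pattern = DELODER_RUN_VALUES[name.lower()]
        if pattern is None or pattern.search(data):
            hits.append((name, data))
    return hits

# Constructed sample export: three worm entries plus one benign value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"messnger"="C:\\WINNT\\system32\\Dvldr32.exe"
"Explorer"="C:\\WINNT\\Fonts\\explorer.exe"
"TaskMan"="C:\\WINNT\\Fonts\\rundll32.exe"
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
'''
```

`find_deloder_entries(SAMPLE_REG)` returns the three worm entries and leaves the benign ctfmon.exe value alone; an `Explorer` value that points somewhere other than the Fonts folder is not reported.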

More Information

W32/Deloder-A is a network worm that spreads to random IP addresses and installs a backdoor Trojan.

When first run, the worm drops the files Psexec.exe and inst.exe to the current folder and creates the following registry entry so that the worm executable is run automatically each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
messnger = <pathname of worm>

The worm attempts to connect to port 445 of target computers. This is the NetBIOS port used by Windows 2000 and XP, so the worm is only likely to spread to computers running Windows 2000 or XP.

W32/Deloder-A copies itself to shares on the remote computer as Dvldr32.exe and tries to install a backdoor Trojan component inst.exe to the startup folders

C$\WINNT\All Users\Start Menu\Programs\Startup\
C$\WINDOWS\Start Menu\Programs\Startup\
C$\Documents and Settings\All Users\Start Menu\Programs\Startup\inst.exe

so that inst.exe is run automatically each time the target computer is restarted.

W32/Deloder-A queries the remote computer for a valid username and then attempts to log on using a brute force method to crack the password. This involves trying a list of common 'weak' passwords.

If the worm is unable to get a valid username, it attempts to log on via the IPC$ share.

The worm uses the legitimate utility Psexec.exe to remotely set the attributes of inst.exe and Dvldr32.exe to read-only, to launch inst.exe and Dvldr32.exe, and to disable the network shares C$, D$, E$, F$, IPC$ and ADMIN$.

When run, the backdoor component inst.exe drops the files explorer.exe, VNCHooks.dll, omnithread_rt.dll and rundll32.exe to the Fonts folder and cygwin1.dll to the System32 folder. It also creates the following registry entries so that both explorer.exe and rundll32.exe are run automatically on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Explorer = %Fonts%\explorer.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
TaskMan = %Fonts%\rundll32.exe

%Fonts%\rundll32.exe is a backdoor Trojan which allows unauthorized access to the computer via IRC channels.

Each time %Fonts%\rundll32.exe is run the Trojan tries to connect to a remote IRC server and join a specific channel.

%Fonts%\rundll32.exe then runs in the background as a server process, listening for commands to execute.

%Fonts%\explorer.exe is the legitimate application 'VNC server for Win32'.

The worm will only run on Windows 2000 and XP operating systems, but the backdoor components will also run on Windows 95/98/Me and Windows NT.
