News

Deloader worm targets weak passwords

Anti-virus companies have warned that a worm on the internet targets computers running the Microsoft Windows operating system, using easy-to-guess passwords for the Administrator account.

The worm, W32/Deloader-A (Deloader), appeared on Sunday (9 March) and is considered a low risk for infection, according to an alert posted by F-Secure.

Deloader, believed to have originated in China, attempts to connect to other computers on a network through TCP (Transmission Control Protocol) port 445, randomly generating IP (Internet Protocol) addresses to locate vulnerable machines.

Port 445 is used to access shared files on Windows machines with the SMB (Server Message Block) protocol.

When a vulnerable Windows machine is located, the worm attempts to log on to the machine's Administrator account by trying 50 likely passwords such as "admin", "password", "12345" and "administrator", F-Secure said.

If the worm succeeds in breaking the Administrator account password, it places copies of a backdoor, (trojan) program known as "inst.exe" in several locations on the infected machine.

The worm also modifies the machine's registry to run another copy of itself, "DVLDR32.EXE", according to advisories from F-Secure, Sophos and Symantec.

Machines running Windows 95, 98, NT, 2000, ME and XP are vulnerable to attack by Deloader, Symantec said.

No infections from Deloader have been reported and most firewalls block access to port 445. Many home computers without firewalls may be vulnerable to the worm.

Most antivirus companies posted updated virus definitions to detect the Deloader worm, as well as utilities to remove the worm from infected machines.


 

COMMENTS powered by Disqus  //  Commenting policy