CurzTech News Network
'Deloder' uses a list of 50 common passwords to attack machines running Windows

A new worm is targeting Windows machines with weak administrator account passwords, an antivirus company has warned. The Deloder network worm, which originated in China, can install the VNC remote access tool onto compromised computers so that hackers can administer them remotely.
The worm scans random IP addresses, trying to locate Windows machines which have port 445 accessible.
Port 445 (Microsoft SMB over TCP/IP) is legitimately used to allow trusted outsiders to access Windows file shares.
Antivirus firm F-Secure said that corporates with firewall provision are unlikely to be at risk from the infection, which it rates as a 'medium' risk.
"Most corporate machines are protected with centralised or distributed firewalls, which would block access to this port," the company said.
"However, many home computers have this port visible to the world and are vulnerable to this worm if the local administrator account has a weak password."
Once a suitably vulnerable machine is found, the worm tries a brute force password attack to log on to the remote computer using the log-in name Administrator and trying 50 different passwords.
If any of the passwords are successful, the worm copies itself over to Startup folders and adds a key to the registry to automatically execute 'DVLDR32.EXE', which is another copy of the worm.
The 'INST.EXE' file drops several files onto the compromised system, including a VNC remote control server.
The utility 'psexec.exe' and an IRC backdoor are also added by the worm. When the machine is restarted, the infection starts to scan for new hosts to attack.
The worm tries the following passwords:
'' (empty)
'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
'admin'
'Admin'
'password'
'Password'
'1'
'12'
'123'
'1234'
'12345'
'123456'
'1234567'
'12345678'
'123456789'
'654321'
'54321'
'111'
'000000'
'00000000'
'11111111'
'88888888'
'pass'
'passwd'
'database'
'abcd'
'abc123'
'oracle'
'sybase'
'123qwe'
'server'
'computer'
'Internet'
'super'
'123asd'
'ihavenopass'
'godblessyou'
'enable'
'xp'
'2002'
'2003'
'2600'
'0'
'110'
'111111'
'121212'
'123123'
'1234qwer'
'123abc'
'007'
'alpha'
'patrick'
'pat'
'administrator'
'root'
'sex'
'god'
'foobar'
'a'
'aaa'
'abc'
'test'
'test123'
'temp'
'temp123'
'win'
'pc'
'asdf'
'secret'
'qwer'
'yxcv'
'zxcv'
'home'
'xxx'
'owner'
'login'
'Login'
'pwd'
'pass'
'love'
'mypc'
'mypc123'
'admin123'
'pw123'
'mypass'
'mypass123'
'pw'
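One way to spot the guessing pattern described above in logon records, added here as an example and not part of the original article. The record format, the function names, the threshold and the time window are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def constructed_sample():
    """Constructed records, not real logs: 'time source account logon_type outcome'."""
    t0 = datetime(2003, 3, 10, 2, 14, 0)
    at = lambda **kw: (t0 + timedelta(**kw)).isoformat()
    # One source guessing quickly, then succeeding.
    rows = [f"{at(seconds=2 * i)} 203.0.113.7 Administrator 3 FAIL" for i in range(12)]
    rows.append(f"{at(seconds=30)} 203.0.113.7 Administrator 3 OK")
    # One source with occasional mistyped passwords, and an unrelated account.
    rows += [f"{at(minutes=20 * i)} 198.51.100.4 Administrator 3 FAIL" for i in range(4)]
    rows.append(f"{at()} 192.0.2.9 alice 3 FAIL")
    return "\n".join(rows)

def parse(text):
    for line in text.strip().splitlines():
        ts, src, account, logon_type, outcome = line.split()
        yield datetime.fromisoformat(ts), src, account.lower(), int(logon_type), outcome

def detect_guessing(text, threshold=10, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failed network logons as Administrator
    inside `window`, and note whether a success followed the burst."""
    recent = defaultdict(list)  # source -> timestamps of failures still in window
    alerts = {}
    for ts, src, account, logon_type, outcome in sorted(parse(text)):
        # Logon type 3 is a Windows network logon, which is what SMB access produces.
        if account != "administrator" or logon_type != 3:
            continue
        if outcome == "FAIL":
            recent[src] = [t for t in recent[src] if ts - t <= window] + [ts]
            if len(recent[src]) >= threshold:
                entry = alerts.setdefault(src, {"failures": 0, "compromised": False})
                entry["failures"] = max(entry["failures"], len(recent[src]))
        elif outcome == "OK" and src in alerts and ts - recent[src][-1] <= window:
            alerts[src]["compromised"] = True  # a guess worked: treat host as infected
    return alerts

if __name__ == "__main__":
    for src, info in detect_guessing(constructed_sample()).items():
        print(src, info)
```

A host whose password sits early in the list shows only a few failures before the success, so the threshold is a tuning choice rather than a fixed value.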
© 1995-2003 VNU Business Publications Ltd. All rights reserved