Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Worm_deloder.a

  • 09-03-2003 3:48pm
    #1
    Closed Accounts Posts: 8,478 ✭✭✭


    From and TREND email bulletin

    As of March 9, 2:49 AM (US Pacific Time), a significant number of infection
    reports have reached TrendLabs about this new Internet worm, which has bee
    n found to be rapidly spreading in China.

    This worm usually arrives bearing the file name, Dvldr32.exe. It uses t
    he valid network utility, psexec.exe, to connect to remote machines via p
    ort 445.

    To gain full access, it tries to log on as administrator by trying password
    s from a fixed list.

    If the logon attempt is successful, it drops a copy of itself on target mac
    hines with a read-only attribute. On remote machines, it drops a backdoor
    program with the file name, inst.exe, on the following startup folders:


    \%s\C$\WINNT\All Users\Start Menu\Programs\Startup\
    \%s\C\WINDOWS\Start Menu\Programs\Startup\
    \%s\C$\Documents
    Settings\All Users\Start Menu\Programs\Startup\

    (Note: %s is the network name of the remote machine.)

    To enable its automatic execution, this worm creates the following autorun
    registry entry so that its copy executes at every Windows startup:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    messnger = Dvldr32.exe

    This worm, which runs on Windows 2000 and XP, also disables remote shares.

    WORM_DELODER.A is detected by pattern file 480.

    For more information on WORM_DELODER.A please visit our Web site at:
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WOR


Advertisement