Alert: New Worm - W32/Deloder on TCP445

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 03/10/03

    Date:         Mon, 10 Mar 2003 01:54:12 -0500
    From: Russ <Russ.Cooper@RC.ON.CA>
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Our Director of Malcode Research, Roger Thompson, has been monitoring
    the rapid increase in activity of the W32/Deloder worm:

    http://www.wormwatch.org
    (Note: We're looking for someone in each country to run WormCatcher,
    drop me a note if you're interested and outside of North America)

    This worm, similar to previous worms on TCP445, spreads via network
    shares. Most corporate environments should be protected because they are
    not allowing untrusted connections into their network; however, he's
    identified a couple of scenarios where this may happen.

    1. Machines connected to raw Internet connections when out of the
    corporate environment, either at home or while traveling, which are then
    brought back into the corporate network.

    2. Machines which use VPN connections into the corporate network but are
    not properly protected from the raw Internet.

    Update your AV definitions and ensure such machines receive appropriate
    protection, as in Personal Firewalls and active AV.

    http://vil.nai.com/vil/content/v_100127.htm
    http://www.Europe.F-Secure.com/v-descs/deloader.shtml
    http://www.sarc.com/avcenter/venc/data/w32.hllw.deloder.html
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DELODER.A
    http://www.sophos.com/virusinfo/analyses/w32delodera.html

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    Have you discovered a security vulnerability related to Windows or a
    commercial product which runs on Windows?

    Need assistance crafting the format or translating your advisory to English?

    Need to verify it, or having problems contacting the Vendor?

    Contact mailto:Advisories@NTBugtraq.com

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
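The post's point is that a share-spreading worm on TCP 445 gets past the perimeter on a laptop or an unfiltered VPN client and then sweeps the internal network. The script below, an added example that is not part of Russ's post or of any vendor write-up, shows the one signal that scenario leaves in ordinary connection logs: a single source contacting many distinct hosts on TCP 445 within a short window. The log line format, the addresses and the thresholds are all constructed for the example; real NetFlow or firewall logs need their own parser, and the threshold has to be tuned against the site's baseline (domain controllers and backup servers legitimately fan out on 445).

```python
"""Flag worm-like TCP/445 fan-out in connection logs.

Added example, not code from the original NTBugtraq post. A worm spreading via
network shares must touch many fresh hosts on TCP 445 quickly; normal clients
talk to a handful of file servers. Every address and log line here is constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def parse_line(line):
    """Parse a constructed 'ISO-time SRC -> DST:PORT' record into (ts, src, dst, port)."""
    ts_s, src, _arrow, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts_s), src, dst, int(port)


def find_fanout(lines, port=445, window=timedelta(seconds=60), threshold=20):
    """Return {src: (distinct_hosts, window_start)} for every source that reaches
    at least `threshold` distinct destinations on `port` inside any `window`.

    Distinct destinations, not connection count, is the metric: a worm retrying
    one server does not trigger, a sweep across a subnet does.
    """
    by_src = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, src, dst, p = parse_line(line)
        if p == port:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        counts = Counter()          # destination -> hits inside the sliding window
        left = 0
        best = (0, None)            # (max distinct destinations, start of that window)
        for ts, dst in events:
            counts[dst] += 1
            # Slide the window forward: drop events older than `window`.
            while ts - events[left][0] > window:
                old = events[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            if len(counts) > best[0]:
                best = (len(counts), events[left][0])
        if best[0] >= threshold:
            alerts[src] = best
    return alerts


def build_sample_log():
    """Constructed sample: 10.0.0.66 sweeps 10.0.0.1-40 on 445 in 40 seconds
    (worm-like), 10.0.0.5 alternates between two file servers on 445 (normal),
    10.0.0.7 browses many web servers on port 80 (irrelevant to this check)."""
    t0 = datetime(2003, 3, 10, 1, 54, 12)
    lines = []
    for i in range(1, 41):
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 10.0.0.66 -> 10.0.0.{i}:445")
    for i in range(10):
        srv = "10.0.1.10" if i % 2 else "10.0.1.11"
        lines.append(f"{(t0 + timedelta(seconds=5 * i)).isoformat()} 10.0.0.5 -> {srv}:445")
    for i in range(30):
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 10.0.0.7 -> 192.0.2.{i}:80")
    return lines


if __name__ == "__main__":
    for src, (n, start) in find_fanout(build_sample_log()).items():
        print(f"ALERT {src}: {n} distinct hosts on TCP/445 from {start.isoformat()}")
```

Running it on the constructed log flags only 10.0.0.66 (40 distinct hosts on 445 in one minute); the two-server client and the port-80 browser stay quiet. In practice the same check is worth pointing at VPN concentrator logs, since the second scenario in the post (an unprotected VPN client) shows up as exactly this fan-out from the VPN address pool.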


