Re: Something installed WinVNC on my computer!

From: Feher Tamas (etomcat@freemail.hu)
Date: 03/10/03


From: "Feher Tamas" <etomcat@freemail.hu>
Date: Mon, 10 Mar 2003 12:45:58 +0100

A huge-sized new worm virus called DeLoader carries VNC inside. Look here:

http://www.f-secure.com/v-descs/deloader.shtml

      NAME: Deloder
      ORIGIN: China
      SIZE: 745984

THIS VIRUS IS RANKED AS LEVEL 2 ALERT BY F-SECURE.

Deloder is a network worm infecting Windows machines which have a weak
password set on the "Administrator" account. It also installs the remote access
tool VNC, opening the computer to the world.

The worm scans random IP addresses, trying to locate Windows machines which
have port 445 accessible. Port 445 (Microsoft SMB over TCP/IP) allows
outsiders to access Windows file shares.

Most corporate machines are protected with centralized or distributed
firewalls, which would block access to this port. However, many home
computers have this port visible to the world and are vulnerable to this
worm if the local administrator account has a weak password.

Once a suitable machine is found, the worm tries to log on to the remote
computer using login name Administrator and by trying 50 different
passwords:

 "" (empty)
 "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 "admin"
 "Admin"
 "password"
 "Password"
 "1"
 "12"
 "123"
 "1234"
 "12345"
 "123456"
 "1234567"
 "12345678"
 "123456789"
 "654321"
 "54321"
 "111"
 "000000"
 "00000000"
 "11111111"
 "88888888"
 "pass"
 "passwd"
 "database"
 "abcd"
 "abc123"
 "oracle"
 "sybase"
 "123qwe"
 "server"
 "computer"
 "Internet"
 "super"
 "123asd"
 "ihavenopass"
 "godblessyou"
 "enable"
 "xp"
 "2002"
 "2003"
 "2600"
 "0"
 "110"
 "111111"
 "121212"
 "123123"
 "1234qwer"
 "123abc"
 "007"
 "alpha"
 "patrick"
 "pat"
 "administrator"
 "root"
 "sex"
 "god"
 "foobar"
 "a"
 "aaa"
 "abc"
 "test"
 "test123"
 "temp"
 "temp123"
 "win"
 "pc"
 "asdf"
 "secret"
 "qwer"
 "yxcv"
 "zxcv"
 "home"
 "xxx"
 "owner"
 "login"
 "Login"
 "pwd"
 "pass"
 "love"
 "mypc"
 "mypc123"
 "admin123"
 "pw123"
 "mypass"
 "mypass123"
 "pw"

If the login succeeds, the worm copies itself over (usually as "INST.EXE")
to several Startup folders and adds a key to the registry to automatically
execute "DVLDR32.EXE" (which is another copy of the worm).

When the machine is restarted, the worm starts to scan for new hosts to
infect.

The main binary of the worm is packed with ASPack; once executed, it drops
"psexec.exe" and "inst.exe".

The INST.EXE file drops several files into the system:

A VNC server, composed of the following files:

 cygwin1.dll
 explorer.exe
 omnithread_rt.dll
 VNCHooks.dll

The utility:

 psexec.exe (UPX packed, from Sysinternals)

And an IRC backdoor, which will connect to servers from a list of 13, as:

 rundll32.exe (UPX packed)

A side effect of the infection can be that shared folders might not be
shared anymore.

This worm was found around noon GMT on Sunday 9th of March, 2003.

F-Secure Anti-Virus detects this worm with the updates published on March
9th, 2003:

[FSAV_Database_Version]

Version=2003-03-09_01

[F-Secure Corp, 9th of March 2003]
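The description above gives a defender one useful fingerprint: a single source host hammering the Administrator account over SMB with many wrong passwords in a few seconds, then a successful logon once one of the weak passwords on the list matches. The following is an added example, not code from the original post or from F-Secure, showing how to pick that pattern out of logon audit events. It assumes a simplified pipe-separated export "timestamp|event_id|account|source_ip" (a constructed format, not Windows' native event text) and uses the Windows 2000/XP audit event IDs 529 (logon failure, bad user name or password) and 528 (successful logon); Vista and later use 4625/4624. The sample log lines are constructed.

```python
"""Detect a Deloder-style Administrator password-guessing burst in logon audits.

Added example (not from the original post or F-Secure). Assumed input format:
"timestamp|event_id|account|source_ip", with Windows 2000/XP audit IDs
529 = failed logon (bad user name or password), 528 = successful logon.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

FAILED_LOGON = "529"
SUCCESS_LOGON = "528"
Key = Tuple[str, str]  # (source_ip, account)


@dataclass(frozen=True)
class LogonEvent:
    when: datetime
    event_id: str
    account: str
    source_ip: str


def _constructed_sample_log() -> str:
    """Constructed audit export: one worm-style attack plus ordinary noise."""
    lines = []
    # Worm-style burst: 12 wrong Administrator passwords in 12 seconds from one
    # host, then a success once a weak password from its list matches.
    for sec in range(1, 13):
        lines.append(f"2003-03-09 11:58:{sec:02d}|529|Administrator|10.0.0.7")
    lines.append("2003-03-09 11:58:13|528|Administrator|10.0.0.7")
    # A person mistyping the Administrator password three times in three minutes.
    lines += ["2003-03-09 11:40:00|529|Administrator|10.0.0.9",
              "2003-03-09 11:41:30|529|Administrator|10.0.0.9",
              "2003-03-09 11:43:00|529|Administrator|10.0.0.9"]
    # A normal user: one typo, then a successful logon.
    lines += ["2003-03-09 12:00:00|529|alice|192.168.1.20",
              "2003-03-09 12:00:05|528|alice|192.168.1.20"]
    return "\n".join(lines)


SAMPLE_LOG = _constructed_sample_log()


def parse_log(text: str) -> List[LogonEvent]:
    """Parse the export into events sorted by time; skip blank and comment lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, account, source_ip = line.split("|")
        events.append(LogonEvent(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                                 event_id, account, source_ip))
    events.sort(key=lambda e: e.when)
    return events


def find_guessing_bursts(events: List[LogonEvent], threshold: int = 10,
                         window: timedelta = timedelta(seconds=60),
                         account: Optional[str] = "Administrator") -> Dict[Key, int]:
    """Sliding-window count of failed logons per (source, account).

    Returns the peak failures-in-one-window for every pair that reached
    `threshold`. account=None watches every account; the default watches only
    the account Deloder guesses against.
    """
    recent: Dict[Key, Deque[datetime]] = defaultdict(deque)
    peaks: Dict[Key, int] = {}
    for ev in events:
        if ev.event_id != FAILED_LOGON:
            continue
        if account is not None and ev.account.lower() != account.lower():
            continue
        key = (ev.source_ip, ev.account)
        q = recent[key]
        q.append(ev.when)
        while q and ev.when - q[0] > window:  # forget failures older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks


def find_likely_compromises(events: List[LogonEvent], min_failures: int = 5,
                            account: Optional[str] = "Administrator"
                            ) -> List[Tuple[str, str, int, datetime]]:
    """Flag a success preceded by >= min_failures failures from the same source
    against the same account: the guessing worked."""
    failures: Dict[Key, int] = defaultdict(int)
    hits = []
    for ev in events:
        if account is not None and ev.account.lower() != account.lower():
            continue
        key = (ev.source_ip, ev.account)
        if ev.event_id == FAILED_LOGON:
            failures[key] += 1
        elif ev.event_id == SUCCESS_LOGON:
            n = failures.pop(key, 0)  # a success resets the counter
            if n >= min_failures:
                hits.append((ev.source_ip, ev.account, n, ev.when))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (ip, acct), peak in find_guessing_bursts(evs).items():
        print(f"guessing burst: {ip} -> {acct}, {peak} failures in one window")
    for ip, acct, n, when in find_likely_compromises(evs):
        print(f"likely compromise: {ip} logged on as {acct} at {when} after {n} failures")
```

The window matters: the three spaced-out failures from 10.0.0.9 never exceed one failure per 60-second window, so lowering the threshold to 3 still does not flag them, while the worm's burst of 12 in 12 seconds does. The second rule is the one worth paging on, since a success after a run of failures from the same source means a password on the worm's list matched and the host should be treated as compromised (VNC and IRC backdoor installed), not merely scanned.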


