Deloder worm has resurfaced. Watch your privacy!

From: Kyle Lai (kyle@kylelai.com)
Date: 03/28/03


From: kyle@kylelai.com (Kyle Lai)
Date: 28 Mar 2003 09:07:08 -0800

DeLoder worm has resurfaced during the past several days. Here is
some info missed by many anti-virus analyses...

Deloder worm leaves a VNC (free remote control software) service
running on the infected systems, and it also sets a VNC password, which
eventually allows anyone with malicious intent (hackers) to get in
via VNC. There are tens of thousands of Windows 2000 & XP systems out
there that are infected with Deloder (according to CERT, possibly
140,000 on 3/17/2003).

The password that was set by Deloder was cracked by the KLC Consulting
Security Team, and the information is available in the article below.
With this password in hand, anyone can detect (not too difficult) and
connect to infected systems and watch the computer screen, take over
the keyboard and mouse control, or just spy on every single keystroke
and mouse move by the infected users. Watch out, and protect your
privacy!

The article below also has methods of detection, fixes, and
recommendations for protection against future worm/Trojan attacks.

An updated Deloder worm analysis is available at
http://www.klcconsulting.net/deloder_worm.htm


