March 9th, 2003 05:43 PM
*Heads Up* WORM_DELODER.A
As of March 9, 2:49 AM (US Pacific Time), a significant number of infection reports have reached TrendLabs regarding this new Internet worm, which has been found to be rapidly spreading in China.
This network worm uses the valid utility, PSEXEC.EXE, to connect to remote machines on the same network. It attempts to log on to remote machines as administrator using several passwords listed in its body. It connects via TCP port 445.
It drops a copy of itself as Dvldr32.exe and a backdoor program as INST.EXE on accessible machines.
This worm, which runs on Windows 2000 and XP, disables hidden remote shares.
March 9th, 2003 08:05 PM
And evidentally, it's nasty. Incidents is now Yellow and showing huge scanning for port 445. I hate to think what tomorrow will be like when all the admins come in to unpatched systems.
March 10th, 2003 10:57 AM
" The Harbin Institute of Technology & Antiy United Cert Group has a good technical writeup . It covers files involved, registry keys modified, and how to kill off the worm."
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes