Worm could be clearing path for DDoS attack

The Deloder worm is beginning to spread slowly on the Internet - leaving two Trojan horse programs in its wake
Written by Patrick Gray, Contributor

A new worm that leaves behind two Trojan horse programs has begun spreading over the Internet, and may be paving the way for a crippling distributed denial of service (DDoS) attack.

The virus -- dubbed WORM_DELODER.A -- has made its way into a large number of machines in China, Japan, Taiwan, Singapore, Hong Kong and the US, Trend Micro said in a statement.

It exploits a loophole in TCP port 445, otherwise known as the Microsoft-DS port, to log on to remote machines as an administrator using a fixed list of passwords.

This worm runs on Windows 2000, XP, and the Server 2003 family. It usually arrives as the file Dvldr32.exe. When executed on the said platforms, it extracts the valid network utility, PSEXEC.EXE by SysInternals, into the directory where it is executed.

If the logon attempt is successful, the worm then drops and executes a read-only copy of itself on the target machine in the Windows system folder as Dvldr32.exe.

Although the experts are not yet rating the Deloder worm as a high risk to users, the technical make-up of the Trojans it leaves behind is of concern. They consist of a commonly used piece of network administration software called Virtual Network Computing (VNC), and an Internet Relay Chat (IRC) "bot".

The VNC component allows an attacker to connect to an infected system and control it as if they were in front of it. They have full access through a graphical user interface.

The IRC bot, when activated, connects to a remote server and waits for commands, which could mean that infected systems are going to be used for a massive DDoS attack.

This worm, unlike others such as Klez, requires no user interaction to spread -- it exploits common passwords, such as "password" and "computer", in share directories in Windows NT/2000/XP machines and hence spreads automatically.

However because the virus attacks through weak share directory passwords, the effect on corporations has been minimal because share directories are typically firewalled.

Daniel Zatz, a security spokesman from Computer Associates, says that they haven't received any reports of their customers being infected yet.

"Very little has been reported to the [antivirus] vendors themselves... I haven't spoken to any customers that have been impacted yet," he said.

Aside from potential DDoS implications, Zatz says that end users may be stung through identity theft -- even a novice malicious hacker can access an infected system with ease.

"This is one of the ways that identity theft occurs," he said.

Despite this, Melbourne-based security consultant Adam Pointon says that the worm is hitting home users hard.

"It's been increasing threefold over the last few days," he said.

The SANS Institute's Internet Storm Centre, a research group that monitors the Internet for attacks, have lifted its alert status from green to yellow. More information is available on SANS' Web site.

CNET Asia staff contributed to this report.

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section.

Let the editors know what you think in the Mailroom.

Editorial standards