Antivirus Software
  1. Home
  2. Computing & Technology
  3. Antivirus Software
Deloder Worm
Worm uses easily guessed passwords to crack system
 Related Resources
• Virus Encyclopedia
• Glossary of terms
 
 Elsewhere on the Web
• F-Secure Description
 

Discovered March 9, 2003, the Deloder worm spreads over the Internet to Windows 2000 and XP systems via TCP port 445. If Microsoft SMB over TCP\IP is disabled, or a good firewall employed, or strong password protection used, the worm will be unable to access/infect the system. The Deloder worm attempts to break into systems using easily guessed passwords, including empty passwords and those comprised entirely of lower case x. According to antivirus vendor F-Secure, other passwords guessed by the worm include: 

 "admin"
 "Admin"
 "password"
 "Password"
 "1"
 "12"
 "123"
 "1234"
 "12345"
 "123456"
 "1234567"
 "12345678"
 "123456789"
 "654321"
 "54321"
 "111"
 "000000"
 "00000000"
 "11111111"
 "88888888"
 "pass"
 "passwd"
 "database"
 "abcd"
 "abc123"
 "oracle"
 "sybase"
 "123qwe"
 "server"

 "computer"
 "Internet"
 "super"
 "123asd"
 "ihavenopass"
 "godblessyou"
 "enable"
 "xp"
 "2002"
 "2003"
 "2600"
 "0"
 "110"
 "111111"
 "121212"
 "123123"
 "1234qwer"
 "123abc"
 "007"
 "alpha"
 "patrick"
 "pat"
 "administrator"
 "root"
 "sex"
 "god"
 "foobar"
  "a"

 "aaa"
 "abc"
 "test"
 "test123"
 "temp"
 "temp123"
 "win"
 "pc"
 "asdf"
 "secret"
 "qwer"
 "yxcv"
 "zxcv"
 "home"
 "xxx"
 "owner"
 "login"
 "Login"
 "pwd"
 "pass"
 "love"
 "mypc"
 "mypc123"
 "admin123"
 "pw123"
 "mypass"
 "mypass123"
 "pw"

Once an infectable system has been accessed, Deloder creates copies of itself in various folders and adds a registry key that will cause the worm to be executed when the system is rebooted. Deloder also drops an IRC trojan into the Windows directory \fonts folder.

Deloder also deletes certain common Windows shares. Ordinarily, these shares are automatically reinstated by the operating system when the machine is rebooted. However, if the system is actively infected by the Deloder worm, rebooting the system will reload the worm and re-delete the shares. Once the worm has been removed properly, a system reboot should restore the previously deleted shares. Though Deloder cannot infect from machines other than Windows NT, 2000, and XP, it can drop copies of itself to other Windows operating system, i.e. Windows 95/98 and ME.

Antivirus software updated March 9, 2003 or later should have no difficulty detecting and removing this worm.

Subscribe to the Newsletter
Name
 Email

Explore Antivirus Software
About.com Special Features

Holiday Central

What to eat, where to go, fun things to do and how to save money on the perfect gifts. More >

Family Tech Center

Stay connected and entertained with reviews on tips on the latest HDTVs, cellphones and more. More >

Antivirus Software
  1. Home
  2. Computing & Technology
  3. Antivirus Software

©2009 About.com, a part of The New York Times Company.

All rights reserved.