WORM_DELODER.A
Overview

Malware type: Worm

Aliases: Worm.Win32.Deloder.a (Kaspersky), W32/Deloder.worm (McAfee), W32.HLLW.Deloder (Symantec), Worm/Deloder.A.1 (Avira), W32/Deloder-A (Sophos), Worm:Win32/Deloder.A (Microsoft)

In the wild: Yes

Destructive: Yes

Language: English

Platform: Windows 2000/XP

Encrypted: No

Overall risk rating:


Reported infections:

Damage potential:

High

Distribution potential:

High

Description: 

This worm uses the legitimate utility PSEXEC.EXE to connect to remote machines. It attempts to log on to those machines as administrator using several passwords listed in its body. It connects via TCP port 445 and, on accessible machines, drops a copy of itself as Dvldr32.exe and a backdoor program as INST.EXE.

The backdoor component, which is detected by Trend Micro antivirus as BKDR_DELODER.A, installs several legitimate network and remote access tools to allow remote users to access and manipulate affected machines.

This worm, which runs on Windows 2000 and XP, attempts to remove the following network shares:

  • ADMIN$
  • IPC$
  • C$
  • D$
  • E$
  • F$
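
A host-triage check built from the indicators above, as an added example that is not part of the original description: it parses collected `net share` output and a file listing and reports the dropped file names and any of the listed shares that are missing. The function names, the `fixed_drives` parameter and the sample data are assumptions made for illustration.

```python
import ntpath

# Indicators as named in the description above.
DROPPED_FILES = {"dvldr32.exe", "inst.exe"}
ALWAYS_EXPECTED = {"ADMIN$", "IPC$"}
DRIVE_SHARES = {"C$", "D$", "E$", "F$"}

def parse_net_share(output):
    """Return the upper-cased share names listed in `net share` output."""
    shares, in_table = set(), False
    for line in output.splitlines():
        if line.startswith("---"):          # dashed rule opens the table
            in_table = True
        elif in_table and line.strip():
            if line.lower().startswith("the command completed"):
                break
            if not line[0].isspace():       # indented lines are wrapped columns
                shares.add(line.split()[0].upper())
    return shares

def triage(net_share_output, file_paths, fixed_drives="C"):
    """Compare one host's collected data against the indicators."""
    present = parse_net_share(net_share_output)
    expected = ALWAYS_EXPECTED | {d.upper() + "$" for d in fixed_drives
                                  if d.upper() + "$" in DRIVE_SHARES}
    missing = sorted(expected - present)
    # Match on file name only: the description gives no drop directory.
    hits = sorted(p for p in file_paths
                  if ntpath.basename(p).lower() in DROPPED_FILES)
    # Either signal alone is weak (INST.EXE is a common name, and admins
    # sometimes disable default shares); both together warrant escalation.
    verdict = "likely" if hits and missing else "review" if hits or missing else "clean"
    return {"dropped_files": hits, "missing_shares": missing, "verdict": verdict}

# Constructed sample: `net share` output from a host whose default shares are gone.
SAMPLE_NET_SHARE = r"""
Share name   Resource                        Remark

-------------------------------------------------------------------------------
print$       C:\WINNT\system32\spool\drivers
                                             Printer Drivers
Docs         D:\Docs
The command completed successfully.
"""
# Constructed sample file listing (paths are illustrative).
SAMPLE_FILES = [r"C:\WINNT\system32\Dvldr32.exe", r"C:\inst.exe", r"C:\boot.ini"]

if __name__ == "__main__":
    print(triage(SAMPLE_NET_SHARE, SAMPLE_FILES, fixed_drives="CD"))
```
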


Description created: Mar. 9, 2003 3:02:00 AM GMT -0800
Description updated: Mar. 9, 2003 12:15:55 PM GMT -0800
