Win32.HLLW.Deloder.A

LOW
LOW
729 KB
(N/A)

Symptoms

A value named "messnger", containing the path to the worm executable, under the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Removal instructions:

Automatic removal: let BitDefender delete the files found infected with this worm, or its dropped backdoor.

Analyzed By

Mihai Neagu BitDefender Virus Researcher

Technical Description:

The worm runs only on NT platforms (Windows NT 4, Windows 2000 or
Windows XP) because it uses functions of the "netapi32.dll" library.
The worm tries to access random IP addresses on port 445, that is, it
tries to connect to remote computers by TCP/IP on the network or on the
Internet, and if it succeeds, it runs "psexec.exe", a non-virus tool, to
copy and execute itself on the remote computer.
Its file name may change to "Dvldr32.exe" when copied to the destination.
It also drops a file "inst.exe", which is Backdoor.Deloder.A, and puts it
in the "Start Menu\Programs\Startup" folder on the remote computers.
In its connection attempts, the worm uses passwords from the following
dictionary:
"" (no password)
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
"admin"
"Admin"
"password"
"Password"
"1"
"12"
"123"
"1234"
"12345"
"123456"
"1234567"
"12345678"
"123456789"
"654321"
"54321"
"111"
"000000"
"00000000"
"11111111"
"88888888"
"pass"
"passwd"
"database"
"abcd"
"abc123"
"oracle"
"sybase"
"123qwe"
"server"
"computer"
"Internet"
"super"
"123asd"
"ihavenopass"
"godblessyou"
"enable"
"xp"
"2002"
"2003"
"2600"
"0"
"110"
"111111"
"121212"
"123123"
"1234qwer"
"123abc"
"007"
"alpha"
"patrick"
"pat"
"administrator"
"root"
"sex"
"god"
"foobar"
"a"
"aaa"
"abc"
"test"
"test123"
"temp"
"temp123"
"win"
"pc"
"asdf"
"secret"
"qwer"
"yxcv"
"zxcv"
"home"
"xxx"
"owner"
"login"
"Login"
"pwd"
"pass"
"love"
"mypc"
"mypc123"
"admin123"
"pw123"
"mypass"
"mypass123"
"pw"
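
For triage, the host artifacts named in this description (the "messnger" Run value, the "Dvldr32.exe" file name, and "inst.exe" in a Startup folder) can be checked against exported `reg query` output and a file listing. The script below is an added example, not BitDefender's tooling; the function names, the sample registry text and the sample paths are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the write-up above.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUE = "messnger"       # Run value name listed under Symptoms
WORM_FILE = "dvldr32.exe"    # name the worm may take on the destination
BACKDOOR_FILE = "inst.exe"   # dropped Backdoor.Deloder.A
STARTUP_TAIL = ["start menu", "programs", "startup"]

# `reg query` prints each value as: <indent>name<spaces>REG_TYPE<spaces>data
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")

def parse_reg_query(text):
    """Yield (key, value_name, data) tuples from `reg query` text output."""
    key = None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_RE.match(line)):
            yield key, m["name"], m["data"].strip()

def find_indicators(reg_text, file_paths):
    """Return (kind, detail) findings; names are matched case-insensitively."""
    findings = []
    for key, name, data in parse_reg_query(reg_text):
        if key.lower() != RUN_KEY:
            continue
        if name.lower() == RUN_VALUE:
            findings.append(("run-value", f"{name} -> {data}"))
        elif WORM_FILE in data.lower():
            findings.append(("run-target", f"{name} -> {data}"))
    for path in file_paths:
        p = PureWindowsPath(path)
        folder = [part.lower() for part in p.parts[-4:-1]]
        if p.name.lower() == BACKDOOR_FILE and folder == STARTUP_TAIL:
            findings.append(("startup-backdoor", path))
    return findings

# Constructed sample input (not captured from a real host).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Synchronization Manager    REG_SZ    mobsync.exe /logon
    messnger    REG_SZ    C:\WINNT\system32\Dvldr32.exe
"""
SAMPLE_FILES = [
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\inst.exe",
    r"C:\Tools\inst.exe",  # same name outside Startup: not flagged
]

if __name__ == "__main__":
    for kind, detail in find_indicators(SAMPLE_REG, SAMPLE_FILES):
        print(kind, detail)
```

A file named "inst.exe" is common for legitimate installers, so the check only flags it inside a "Start Menu\Programs\Startup" folder, as the description states.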