
Win32.HLLW.Deloder.A


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.HLLW.Deloder.A is also known as N/A.

Explanation :

The worm runs only on NT platforms (Windows NT 4, Windows 2000 or
Windows XP), because it uses functions of the "netapi32.dll" library.
The worm tries to access random IP addresses on port 445; that is, it
tries to connect over TCP/IP to remote computers on the network or on
the Internet. If it succeeds, it runs "psexec.exe", a non-virus tool, to
copy and execute itself on the remote computer.
Its file name may change to "Dvldr32.exe" when copied to the destination.
It also drops a file "inst.exe", which is Backdoor.Deloder.A, and puts it
in the "Start Menu\Programs\Startup" folder on the remote computers.
In its connection attempts, the worm uses passwords from the following
dictionary:
"" (no password)
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
"admin"
"Admin"
"password"
"Password"
"1"
"12"
"123"
"1234"
"12345"
"123456"
"1234567"
"12345678"
"123456789"
"654321"
"54321"
"111"
"000000"
"00000000"
"11111111"
"88888888"
"pass"
"passwd"
"database"
"abcd"
"abc123"
"oracle"
"sybase"
"123qwe"
"server"
"computer"
"Internet"
"super"
"123asd"
"ihavenopass"
"godblessyou"
"enable"
"xp"
"2002"
"2003"
"2600"
"0"
"110"
"111111"
"121212"
"123123"
"1234qwer"
"123abc"
"007"
"alpha"
"patrick"
"pat"
"administrator"
"root"
"sex"
"god"
"foobar"
"a"
"aaa"
"abc"
"test"
"test123"
"temp"
"temp123"
"win"
"pc"
"asdf"
"secret"
"qwer"
"yxcv"
"zxcv"
"home"
"xxx"
"owner"
"login"
"Login"
"pwd"
"pass"
"love"
"mypc"
"mypc123"
"admin123"
"pw123"
"mypass"
"mypass123"
"pw"
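
One way to detect the propagation behaviour described above (connection attempts to random addresses on port 445), added here as an example and not part of the BitDefender write-up: flag any source that contacts more than a threshold number of distinct hosts on TCP 445 inside a sliding time window. The log format, the threshold values and the sample lines are constructed assumptions, and the log is assumed to be in time order.

```python
"""Flag hosts that contact many distinct addresses on TCP 445 in a short window."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORT = 445                   # port named in the write-up above
WINDOW = timedelta(seconds=60)   # assumed thresholds; tune per network
MAX_DISTINCT = 5

# Constructed sample log (format assumed): "timestamp src dst dport"
SAMPLE_LOG = """\
2011-11-21T10:00:00 10.0.0.5 10.0.0.9 445
2011-11-21T10:00:01 10.0.0.23 198.51.100.7 445
2011-11-21T10:00:02 10.0.0.23 203.0.113.40 445
2011-11-21T10:00:03 10.0.0.5 10.0.0.9 445
2011-11-21T10:00:04 10.0.0.23 192.0.2.15 445
2011-11-21T10:00:05 10.0.0.23 198.51.100.200 445
2011-11-21T10:00:06 10.0.0.23 203.0.113.9 445
2011-11-21T10:00:07 10.0.0.23 192.0.2.77 445
2011-11-21T10:00:08 10.0.0.23 192.0.2.80 80
2011-11-21T10:05:00 10.0.0.31 10.0.0.9 445
2011-11-21T10:15:00 10.0.0.31 10.0.0.10 445
malformed line
"""

def find_smb_fanout(log_text, window=WINDOW, max_distinct=MAX_DISTINCT):
    """Return {src: peak number of distinct port-445 destinations seen in any
    window} for every source whose peak exceeds max_distinct."""
    recent = defaultdict(deque)              # src -> deque of (time, dst)
    peaks = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != str(SMB_PORT):
            continue                         # skip malformed lines, other ports
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue                         # skip unparseable timestamps
        src, dst = parts[1], parts[2]
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct > max_distinct:
            peaks[src] = max(peaks.get(src, 0), distinct)
    return peaks

if __name__ == "__main__":
    for src, n in find_smb_fanout(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct hosts on TCP {SMB_PORT} within {WINDOW}")
```

In the sample, the file-server client that repeatedly reaches one host and the host whose two connections are ten minutes apart are not flagged; only the source fanning out to many addresses is.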

Last update 21 November 2011

 
