W32/Deloder.worm (raddrv.dll)
Deloder (w32.deloder.a) does not spread using e-mail; rather, it scans the Internet looking for open 445 TCP/IP ports. Deloder carries an infected version of a commonly available network remote administration tool, and an Internet Relay Chat (IRC) bot. Remote administration tools can be used for legitimate remote access purposes, but used within the context of this worm, the tool is considered to be a Trojan horse, because Deloder spreads via shared network connections and could cause future damage to files and systems alike.
Also known as Deloder (F-Secure), dlvdr32.exe, W32.HLLW.Deloder (Symantec), W32/Deloder-A (Sophos), Worm.Win32.Deloder (AVP), WORM_DELODER.A (Trend).
This worm uses TCP port 445, also known as the Microsoft-DS port, to connect to remote machines. It first generates a random IP address and then attempts to connect to the remote machine at that address using a list of passwords.
On infection, it drops the following files into the system folder:
- dialer.exe (this file name varies)
- raddrv.dll
- AdmDll.dll
It does not create autostart registry entries. Dialer.exe, better known as RAdmin.21 (Remote Administrator server v2.1), is actually the server component of a legitimate Remote Administrator tool. This tool works on the Windows 2000 and XP platforms and runs using "Remote Administrator service" or sometimes "Net Logon Management" as its service name.
Once this service is active, a remote user running the client component is able to see what is displayed on the infected machine. In addition, all mouse movements and keystrokes are transferred directly to the remote system. The other files, raddrv.dll and AdmDll.dll, are normal components of the tool and function solely for its processes and installation.
Manual Removal
Look for the above rogue service and stop/disable it.
Search the registry for the r_admin key and delete it.
Also delete the HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\raddrv key.
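The removal steps above, as an added PowerShell audit script that is not part of the original advisory. It assumes the dropped files sit in %SystemRoot%\System32, that the service short name matches the raddrv key name, and that the r_admin key lives somewhere under HKLM\SOFTWARE, since the page gives none of those locations.

```powershell
# Added example, not part of the original advisory: audits a host for the Deloder
# indicators listed above and, with -Remediate, stops/disables the rogue service
# and removes the registry keys. Run from an elevated PowerShell session.
param([switch]$Remediate)

$findings = @()

# 1. Dropped files in the system folder (System32 assumed). dialer.exe is included
#    because the page names it, but the advisory says that file name varies.
$sysDir = Join-Path $env:SystemRoot 'System32'
foreach ($name in 'raddrv.dll', 'AdmDll.dll', 'dialer.exe') {
    $p = Join-Path $sysDir $name
    if (Test-Path -LiteralPath $p) { $findings += "file: $p" }
}

# 2. The rogue service, under either display name the advisory gives, or with the
#    short name 'raddrv' (inferred from the Services\raddrv key; assumption).
$svcNames = 'Remote Administrator service', 'Net Logon Management'
$rogue = Get-Service -ErrorAction SilentlyContinue |
         Where-Object { $svcNames -contains $_.DisplayName -or $_.Name -eq 'raddrv' }
foreach ($s in $rogue) { $findings += "service: $($s.Name) ($($s.DisplayName)) status=$($s.Status)" }

# 3. Registry keys from the removal steps. The r_admin key's location is not given
#    on the page, so it is searched for by name under HKLM\SOFTWARE (assumption).
$raddrvKey = 'HKLM:\SYSTEM\ControlSet001\Services\raddrv'
if (Test-Path -LiteralPath $raddrvKey) { $findings += "registry: $raddrvKey" }
$rAdminKeys = Get-ChildItem -Path 'HKLM:\SOFTWARE' -Recurse -ErrorAction SilentlyContinue |
              Where-Object { $_.PSChildName -eq 'r_admin' }
foreach ($k in $rAdminKeys) { $findings += "registry: $($k.Name)" }

if (-not $findings) { Write-Output 'No Deloder indicators found.'; return }
$findings | ForEach-Object { Write-Output "FOUND $_" }

if ($Remediate) {
    foreach ($s in $rogue) {
        Stop-Service -Name $s.Name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $s.Name -StartupType Disabled
        Write-Output "Stopped and disabled service $($s.Name)"
    }
    $keys = @($raddrvKey) + ($rAdminKeys | ForEach-Object { $_.PSPath })
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) {
            Remove-Item -LiteralPath $k -Recurse -Force
            Write-Output "Removed $k"
        }
    }
}
```

Run without -Remediate first to review what is found; the files themselves are left in place so they can be collected for analysis before deletion.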
Deloder in the news:
The latest Internet worm infects Windows NT/2000/XP Professional machines with two Trojan horses and leaves infected systems open for use in future distributed denial-of-service (DDoS) attacks. March 2003, ZDNet, USA.
Updated On: 04.07.01