Countering Microsoft W32.Deloder Worm
There have been numerous reports of the W32.Deloder worm spreading across the Internet and affecting Microsoft Windows 2000 systems. The worm spreads over destination port TCP 445, scanning for unprotected shares on Windows 2000 systems. When it finds a system it can compromise, it tries to install a backdoor known as Backdoor.Dvldr, which gives the attacker remote administration of the system. Antivirus applications may also report an infected system as infected with backdoor-jz.
Solution
Not much information about this worm is available yet. The solution is to block all inbound and outbound packets with destination port TCP 445 at either the firewall or the border router. In addition to blocking TCP 445, you should also block the other common Microsoft ports (135-139) if they are not used for conducting business.
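Once the border filter is in place, its deny log shows which internal hosts are still trying to reach many different addresses on TCP 445, the scanning pattern described above. The following is an added example, not part of the original advisory; the log format, the addresses and the `min_targets` threshold are constructed assumptions.

```python
from collections import defaultdict

WORM_PORT = 445  # destination port the advisory says the worm uses to spread

# Constructed sample deny-log lines in a hypothetical format (not from a real device):
# timestamp action protocol source_ip destination_ip destination_port
SAMPLE_LOG = """\
2003-03-10T09:00:01 DENY TCP 10.0.5.23 198.51.100.7 445
2003-03-10T09:00:01 DENY TCP 10.0.5.23 198.51.100.8 445
2003-03-10T09:00:02 DENY TCP 10.0.5.23 198.51.100.9 445
2003-03-10T09:00:02 DENY TCP 10.0.5.23 203.0.113.14 445
2003-03-10T09:00:03 DENY TCP 10.0.5.23 203.0.113.15 445
2003-03-10T09:01:10 DENY TCP 10.0.5.40 203.0.113.50 445
2003-03-10T09:01:40 DENY TCP 10.0.5.40 203.0.113.50 445
2003-03-10T09:02:00 DENY TCP 10.0.5.41 198.51.100.7 139
2003-03-10T09:02:05 DENY UDP 10.0.5.41 198.51.100.7 445
truncated line
"""


def parse_line(line):
    """Return (protocol, src, dst, dport) for a DENY record, else None."""
    parts = line.split()
    if len(parts) != 6 or not parts[5].isdigit():
        return None  # malformed or truncated record
    _, action, proto, src, dst, dport = parts
    if action != "DENY":
        return None
    return proto.upper(), src, dst, int(dport)


def suspected_scanners(log_text, min_targets=4):
    """Map each source IP to the number of distinct destinations it tried
    on TCP 445, keeping only sources at or above min_targets."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        proto, src, dst, dport = rec
        if proto == "TCP" and dport == WORM_PORT:
            targets[src].add(dst)  # a set, so retries to one host count once
    return {s: len(d) for s, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    for src, count in sorted(suspected_scanners(SAMPLE_LOG).items()):
        print(f"{src} tried {count} distinct hosts on TCP {WORM_PORT}")
```

Counting distinct destinations rather than raw packets keeps a client that retries a single file server from being flagged alongside a host that is sweeping address space.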
References:
CERT Advisory #36888: W32.Deloder Worm
http://www.cert.org/advisories/CA-2003-08.html
SANS Information:
http://wiki.sans.org/tiki-index.php?page=DeloderWorm
http://isc.sans.org/port_details.html?port=445
SANS Tracking:
http://isc.sans.org/
