Slashdot Mirror


New Windows Worm Inching Around Internet

helixcode123 writes "The Register is reporting a Windows Worm that takes advantage of weak default passwords. This looks pretty nasty, as it mucks with the registry and disables network sharing." Basically if it finds SMB shares with weak passwords, it drops an executable in the startup folder... for once a security problem that isn't really Microsoft's fault.

17 of 604 comments

  1. Re:What were those commons passwords in Hackers? by mumkin · · Score: 5, Informative

    According to F-secure, these are the passwords it tries :

    [empty], xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx, admin, Admin, password, Password, 1, 12, 123, 1234, 12345, 123456, 1234567, 12345678, 123456789, 654321, 54321, 111, 000000, 00000000, 11111111, 88888888, pass, passwd, database, abcd, abc123, oracle, sybase, 123qwe, server, computer, Internet, super, 123asd, ihavenopass, godblessyou, enable, xp, 2002, 2003, 2600, 0, 110, 111111, 121212, 123123, 1234qwer, 123abc, 007, alpha, patrick, pat, administrator, root, sex, god, foobar, a, aaa, abc, test, test123, temp, temp123, win, pc, asdf, secret, qwer, yxcv, zxcv, home, xxx, owner, login, Login, pwd, pass, love, mypc, mypc123, admin123, pw123, mypass, mypass123, pw

    the pat / patrick is rather weird, eh? only name in the list.

  2. Re:White-hat worm? by tedrlord · · Score: 3, Informative

    Read the article. In addition to turning off file sharing, it installs a backdoor into the system.

    --
    [insert witty quote here]
  3. Re:Microsoft's fault? by lavalyn · · Score: 3, Informative

    Go look at your computer's C$ share. This is the default share on a fresh 2K install.

    Even if it requires local admin accounts to access this share, just that it is available, and HIDDEN, is a grave security fault!

    --
    Doing the Right Thing should not be preempted by making a buck.
  4. not in there? by ackthpt · · Score: 3, Informative
    And how many people really have 42 x's as their password?

    What's the maximum or minimum limit for password? I generally go with 6-8 with a combination of letters and numbers, often deferring to foreign languages, rather than English.

    I was surprised that it didn't include:

    Months (i.e. january, february, ...) since I catch people using those a lot

    system (i.e. another favorite)

    xyzzy

    plugh

    Though I do note 'foobar' is in there, but I generally use that on internet sites where I could care less if someone assumes my identity.

    --

    A feeling of having made the same mistake before: Deja Foobar
  5. Real Info on this Worm by Anonymous Coward · · Score: 4, Informative

    Multidropper/dropper is nasty, I am coming off of an entire weekend chasing this hunk of code.

    1. Once on the system it disables personal security/firewall/virus scanning
    2. Copies itself to the startup group
    3. With virus scanning disabled it drops several nasty bugs.
    4. Network traffic/processor utilization goes thru the roof.
    5. It then tries to replicate on the next machine...

    McAfee has an extra.dat that fights it, the next DAT release on the 12th will include that def.

    Good Luck

  6. Re:ummm.... by targo · · Score: 4, Informative

    You can configure Windows to do the same. At my workplace the policy is rather strict, so it actually takes some effort to come up with a good password.

  7. Re:Microsoft's fault? by shamilton · · Score: 3, Informative

    It's not hidden in nt/2k/xp. Though when you try to delete it, you get told it's there and necessary for administrative purposes.

    --
    "[A] high IQ is like a Jeep; you will still get stuck, just farther from help!" --Just d' FAQs, c.g.a
  8. Re:Choose your weapons...Uh, I pick Blame! by NetJunkie · · Score: 3, Informative

    Complex password checking is an included feature. It's easily enabled.

  9. Re:What were those commons passwords in Hackers? by LBArrettAnderson · · Score: 5, Informative

    if the hackers need any help, here are the most common passwords for my website:

    password, mypassword, asdf, fdsa, [the user's username], [the user's username backwards], guitar, qwerty, starwars, [the user's first name], [the user's last name], [the user's initials], internet, love, 12345 (spaceballs...), mercedes, batman, superman, ilove[insert name of opposite sex], [username]420, computer.

    9.1% of passwords are "password", 2.6% of passwords are the username, 1.7% of passwords are the user's first name.

    hope that helps!
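
Added editorial example, not code from any of the commenters or from the worm: a small audit that checks a password against the exact dictionary quoted in comment 1 and against the account-derived guesses comment 9 reports (username, username reversed, first/last name, initials, username + 420). The sample accounts at the bottom are constructed; the 42-x entry is written as "x" * 42 rather than spelled out.

```python
"""Audit passwords against the worm dictionary (comment 1) and the
account-derived guesses of comment 9. Editorial example, not the worm."""

# Exact strings from the F-Secure list in comment 1. The worm tries them
# as-is, so "admin" and "Admin" are distinct entries. "pass" is listed twice
# there and appears once here.
WORM_DICTIONARY = frozenset([
    "", "x" * 42, "admin", "Admin", "password", "Password", "1", "12",
    "123", "1234", "12345", "123456", "1234567", "12345678", "123456789",
    "654321", "54321", "111", "000000", "00000000", "11111111", "88888888",
    "pass", "passwd", "database", "abcd", "abc123", "oracle", "sybase",
    "123qwe", "server", "computer", "Internet", "super", "123asd",
    "ihavenopass", "godblessyou", "enable", "xp", "2002", "2003", "2600",
    "0", "110", "111111", "121212", "123123", "1234qwer", "123abc", "007",
    "alpha", "patrick", "pat", "administrator", "root", "sex", "god",
    "foobar", "a", "aaa", "abc", "test", "test123", "temp", "temp123",
    "win", "pc", "asdf", "secret", "qwer", "yxcv", "zxcv", "home", "xxx",
    "owner", "login", "Login", "pwd", "love", "mypc", "mypc123",
    "admin123", "pw123", "mypass", "mypass123", "pw",
])


def account_guesses(username, first_name="", last_name=""):
    """Guesses derived from the account itself, as listed in comment 9."""
    guesses = {
        "username": username,
        "username reversed": username[::-1],
        "username + 420": username + "420",
        "first name": first_name,
        "last name": last_name,
        "initials": (first_name[:1] + last_name[:1]) if first_name and last_name else "",
    }
    return {label: g for label, g in guesses.items() if g}


def audit(password, username, first_name="", last_name=""):
    """Return the reasons this password would fall ([] if it survives)."""
    reasons = []
    if password in WORM_DICTIONARY:          # exact match, case matters
        reasons.append("in worm dictionary")
    for label, guess in account_guesses(username, first_name, last_name).items():
        # Account-derived guesses are compared case-insensitively.
        if password.lower() == guess.lower():
            reasons.append("equals " + label)
    return reasons


def hit_ratio(accounts):
    """Fraction of (username, first, last, password) tuples that fall; the
    kind of figure comment 17 estimates at 10-20% for 'password' alone."""
    if not accounts:
        return 0.0
    fallen = sum(1 for u, f, l, p in accounts if audit(p, u, f, l))
    return fallen / len(accounts)


# Constructed sample accounts for the example (not real data).
SAMPLE_ACCOUNTS = [
    ("jsmith", "John", "Smith", "password"),                 # worm dictionary
    ("agarcia", "Ana", "Garcia", "aicraga"),                 # username reversed
    ("bwong", "Bob", "Wong", "bwong420"),                    # username + 420
    ("ckim", "Cathy", "Kim", "Tr0ub4dor&3"),                 # survives
    ("dlee", "Dan", "Lee", "correct horse battery staple"),  # survives
]

if __name__ == "__main__":
    for username, first, last, password in SAMPLE_ACCOUNTS:
        print(f"{username:10} {audit(password, username, first, last) or 'ok'}")
    print(f"hit ratio: {hit_ratio(SAMPLE_ACCOUNTS):.0%}")
```

Run it against an export of your own accounts to see what share of them this worm would have walked straight into; anything flagged here fails long before a real cracker gets involved.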

  10. Re:Microsoft's fault? by roolmarty · · Score: 5, Informative

    From Technet article 318751 (HOWTO: Remove Administrative Shares in Windows 2000):

    To remove automatic creation of the administrative shares by using Registry Editor:

    • Start Registry Editor (Regedt32.exe).
    • Locate and then click the following key in the registry:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer

    • Change the value of the AutoShareServer key to zero (0).
      NOTE: A setting of zero (0) prevents the administrative shares, such as C$, D$, and Admin$ from being created automatically.
    • Quit Registry Editor.

    NOTE: If the AutoShareServer key does not exist, create the AutoShareServer key by using the following steps:

    • Locate and then click the following key in the registry:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
    • On the Edit menu, click Add Value.
    • Type AutoShareServer, click REG_DWORD, and then click OK.
    • Type 0, and then click OK.
    • Quit Registry Editor, and then restart the computer.

    And... From 314984 (HOWTO: Create and Delete Hidden or Administrative Shares on Client Computers) (This is for Windows XP, W2K Pro, WinNT4 Workstation)

    To delete the hidden administrative shares for all root partitions and volumes (such as C$) and the system root folder (ADMIN$) and prevent Windows from re-creating them, add an AutoShareWks DWORD value to the following registry key and set its value data to 0:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

    These get rid of those pesky administrative shares.
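
Added editorial example, not Microsoft's code and not from the comment above: the two KB procedures as a script. The practical catch is that the two articles name different values, and each edition reads only its own, so setting AutoShareServer on a workstation changes nothing. The script assumes that the ProductType value under HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions reads "WinNT" on workstation editions and "ServerNT" or "LanmanNT" on server editions, and uses that to pick the right value. The registry-touching parts only run on Windows and need an elevated prompt; the decision logic runs anywhere.

```python
"""Disable auto-created administrative shares (C$, D$, ADMIN$) per
KB 318751 / KB 314984. Editorial example, not Microsoft's code."""
import sys

LANMAN_PARAMETERS = r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
PRODUCT_OPTIONS = r"SYSTEM\CurrentControlSet\Control\ProductOptions"


def autoshare_value_name(product_type):
    """KB 314984 applies to workstations (AutoShareWks), KB 318751 to
    servers (AutoShareServer). Assumption: ProductType is 'WinNT' on
    workstation editions and 'ServerNT' or 'LanmanNT' on servers."""
    return "AutoShareWks" if product_type == "WinNT" else "AutoShareServer"


def admin_shares_autocreated(parameters, product_type):
    """parameters: the LanmanServer\\Parameters values as {name: data}.
    An absent value means the default, i.e. the shares come back at
    every start. A 0 under the *other* edition's name is ignored."""
    return parameters.get(autoshare_value_name(product_type), 1) != 0


def read_parameters():  # Windows only
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PRODUCT_OPTIONS) as key:
        product_type, _ = winreg.QueryValueEx(key, "ProductType")
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LANMAN_PARAMETERS) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:          # no more values
                break
            values[name] = data
            index += 1
    return product_type, values


def disable_autoshares():  # Windows only, needs an elevated prompt
    import winreg
    product_type, _ = read_parameters()
    name = autoshare_value_name(product_type)
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LANMAN_PARAMETERS, 0,
                        winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, name, 0, winreg.REG_DWORD, 0)
    return name


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("the registry part only runs on Windows")
    product_type, params = read_parameters()
    state = "auto-created" if admin_shares_autocreated(params, product_type) else "disabled"
    print(f"ProductType={product_type}; admin shares currently {state}")
    print(f"set {disable_autoshares()} = 0; restart for the change to take effect, as the KB says")
```

Shares that already exist stay up until the restart the KB calls for, so check with `net share` afterwards rather than trusting the registry value alone.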

  11. Re:SAMBA protocol by sn0wman3030 · · Score: 5, Informative

    Just so we're clear, SAMBA is not a protocol. The protocol you are thinking of is SMB (Server Message Block). Samba allows unix users to use SMB. Here's some info.

    --
    Life is offtopic.
  12. Re:Microsoft's fault? by SomeGuyFromCA · · Score: 3, Informative
    Nice, but I actually find the shares convenient at times. For instance, suppose I've taken my computer to my friend's house. I've got some mp3s he wants to play, but alas I have brought only my headphones. I could get up and go all the way over to my computer, but instead I can just open \\mycomputer\D$ and enter the password when it asks. No need to point out security implications.


    So set up a share for your mp3s, set only to that directory, marked remote read only. Just as easy when it's done and much more secure.
    --
    if the answer isn't violence, neither is your silence / freedom of expression doesn't make it alright
  13. Re:Microsoft's fault? by IDIIAMOTS · · Score: 5, Informative

    Any local account without a password in Windows XP is prohibited from remotely connecting to that machine.

  14. Users pick bad passwords, sigh by bigberk · · Score: 4, Informative

    It is unfortunate that users often pick weak passwords. One of the student Win2K servers we run at our university got hacked because a remote attacker guessed a local password (=$username). However, we did learn one thing from the experience - we (or rather, I) firewalled our LAN from the internet behind a linux box. It could have been a BSD box, or a Linksys router -- who cares. This is kind of OT anyway.

    I firmly believe that the more heterogeneous we keep the mix of systems running on the internet, the more resilient the internet will be to any type of attack. It's like an ecological system in which different beasts catch different bugs -- but hardly ever do they all catch the same bug in the same way, at the same time. Now isn't that smart? I really think the United States and other concerned countries should invest in encouraging diversity of computer systems in order to reduce general vulnerability to a 'cyberterrorism' or whatever attacks.

    In either case, to see how our Internet is currently faring check out the Internet Storm Center. Increased probes from this worm were immediately visible on the site. Also worth a read is McAfee's details on this worm.
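
Added editorial example, not from the commenter, the Internet Storm Center or McAfee: the scanning behaviour comments 5 and 14 describe (one source probing TCP/445 on host after host) is easy to pick out of a firewall log. The log format and every line in SAMPLE_LOG are constructed for the example; the regex on the first line is the only part to adapt to a real firewall.

```python
"""Flag sources that sweep many hosts on TCP/445 within a short window.
Editorial example; log format and lines are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format: ISO timestamp, then key=value fields.
LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

# Constructed sample: 10.0.0.5 sweeps six hosts on 445 within seconds
# (plus one probe ten minutes earlier); 10.0.0.9 is ordinary traffic.
SAMPLE_LOG = """\
2003-03-09T13:50:00 src=10.0.0.5 dst=10.0.1.1 dport=445 action=deny
2003-03-09T14:00:01 src=10.0.0.5 dst=10.0.1.10 dport=445 action=deny
2003-03-09T14:00:02 src=10.0.0.5 dst=10.0.1.11 dport=445 action=deny
2003-03-09T14:00:02 src=10.0.0.9 dst=10.0.1.20 dport=80 action=allow
2003-03-09T14:00:03 src=10.0.0.5 dst=10.0.1.12 dport=445 action=deny
2003-03-09T14:00:04 src=10.0.0.5 dst=10.0.1.13 dport=445 action=deny
2003-03-09T14:00:05 src=10.0.0.9 dst=10.0.1.21 dport=445 action=allow
2003-03-09T14:00:06 src=10.0.0.5 dst=10.0.1.14 dport=445 action=deny
2003-03-09T14:00:07 src=10.0.0.5 dst=10.0.1.14 dport=445 action=deny
2003-03-09T14:00:08 src=10.0.0.5 dst=10.0.1.15 dport=445 action=deny
2003-03-09T14:00:09 src=10.0.0.9 dst=10.0.1.22 dport=445 action=allow
"""


def smb_scanners(log_text, window=timedelta(minutes=1), min_targets=5):
    """Return {src: n} for every source that reached at least min_targets
    distinct hosts on port 445 inside some window of length `window`;
    n is the largest such count. Repeat hits on one host count once."""
    events = defaultdict(list)                      # src -> [(ts, dst)]
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and m["dport"] == "445":
            events[m["src"]].append((datetime.fromisoformat(m["ts"]), m["dst"]))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        in_window = Counter()                       # dst -> hits inside the window
        lo, best = 0, 0
        for ts, dst in evs:
            in_window[dst] += 1
            while evs[lo][0] < ts - window:         # expire events older than the window
                old = evs[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            best = max(best, len(in_window))
        if best >= min_targets:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, n in smb_scanners(SAMPLE_LOG).items():
        print(f"{src} reached {n} distinct hosts on 445 within a minute")
```

Tune `window` and `min_targets` to the network: a backup server that legitimately talks to every host on 445 will trip a low threshold, and a patient scanner spreading its probes over hours will slip under a short window.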

  15. Re:He was right! by JWSmythe · · Score: 4, Informative

    Funny this, but "God" specifically doesn't show up in this set of 260k users.. But there are 143 words containing "god".. Here are the top ones. :)

    22 godzilla
    5 godfathe
    4 goddess
    3 godsmack
    3 gods
    3 godiva
    2 sungod
    2 netgod
    2 iamgod
    2 goodgod

    There were 294 words with "sex" in them, the top ones are:

    84 sexy
    25 sexx
    17 sexsex
    8 sexual
    7 sexo
    6 sexe
    5 sussex
    5 sextoy
    5 sex4me
    5 ilovesex

    And 278 with "love" in it..

    86 love
    33 lover
    21 lovers
    14 loveme
    13 iloveyou
    10 loveit

    Oddly enough, root came in very low.. The highest one is "rootbeer" with 7.. That'd make it ranking around 3540.. I feel unloved.. If one person had "iloveroot", that would have made my day. :)

    --
    Serious? Seriousness is well above my pay grade.
  16. Re:What were those commons passwords in Hackers? by MegaFur · · Score: 4, Informative

    I don't get it. Most times, windoze lets you look through workgroups and choose the one you want to browse them *graphically* (double-click). So there's no need to count the "_"'s. I suspect that your plan worked mostly 'cause you changed the workgroup to something other than "WORKGROUP" and a lot of people didn't think to look for workgroups with anything other than the default name.

    But if I did want to count the "_"'s, I could:
    1) I copy the "_"'s to the clipboard.
    2) I open notepad and paste the "_"'s.
    3) I count them. (= 10)

    (Note: this is also a handy way to distinguish all of 'l10O' which can be hard to tell in some fonts.)

    But that was a general windoze solution. If Unix utilities are available, I could run `wc' (WordCount) with no input, then paste the "_"'s in, then type [ENTER], CTRL+D and word count would tell me how many chars are there.

    Yes, I know I'm being geeky and petty, but this is slashdot and I feel I should be allowed.

    --
    Furry cows moo and decompress.
  17. A bit more detail by Black+Copter+Control · · Score: 3, Informative

    Central Command (also known as the Vexira Anti-Virus people) have a good bit more detail -- including a password list. If historical data is any indication, I'd expect about a 10-20% hit ratio just with the password 'password' (and simple variants thereof).

    --
    OS Software is like love: The best way to make it grow is to give it away.