Slashdot Mirror


New Windows Worm Inching Around Internet

helixcode123 writes "The Register is reporting a Windows Worm that takes advantage of weak default passwords. This looks pretty nasty, as it mucks with the registry and disables network sharing." Basically if it finds SMB shares with weak passwords, it drops an executable in the startup folder... for once a security problem that isn't really Microsoft's fault.

10 of 604 comments

  1. Re:What were those commons passwords in Hackers? by mumkin · · Score: 5, Informative

    According to F-secure, these are the passwords it tries :

    [empty], xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx, admin, Admin, password, Password, 1, 12, 123, 1234, 12345, 123456, 1234567, 12345678, 123456789, 654321, 54321, 111, 000000, 00000000, 11111111, 88888888, pass, passwd, database, abcd, abc123, oracle, sybase, 123qwe, server, computer, Internet, super, 123asd, ihavenopass, godblessyou, enable, xp, 2002, 2003, 2600, 0, 110, 111111, 121212, 123123, 1234qwer, 123abc, 007, alpha, patrick, pat, administrator, root, sex, god, foobar, a, aaa, abc, test, test123, temp, temp123, win, pc, asdf, secret, qwer, yxcv, zxcv, home, xxx, owner, login, Login, pwd, pass, love, mypc, mypc123, admin123, pw123, mypass, mypass123, pw

    the pat / patrick is rather weird, eh? only name in the list.

  2. Real Info on this Worm by Anonymous Coward · · Score: 4, Informative

    Multidropper/dropper is nasty, I am coming off of an entire weekend chasing this hunk of code.

    1. Once on the system it disables personal security/firewall/virus scanning
    2. Copies itself to the start up group
    3. With virus scanning disabled it drops several nasty bugs.
    4. Network traffic/processor utilization goes thru the roof.
    5. It then tries to replicate on the next machine...

    McAfee has an extra.dat that fights it, the next DAT release on the 12th will include that def.

    Good Luck

  3. Re:ummm.... by targo · · Score: 4, Informative

    You can configure Windows to do the same. At my workplace the policy is rather strict, so it actually takes some effort to come up with a good password.

  4. Re:What were those commons passwords in Hackers? by LBArrettAnderson · · Score: 5, Informative

    if the hackers need any help, here are the most common passwords for my website:

    password, mypassword, asdf, fdsa, [the user's username], [the user's username backwards], guitar, qwerty, starwars, [the user's first name], [the user's last name], [the user's initials], internet, love, 12345 (spaceballs...), mercedes, batman, superman, ilove[insert name of opposite sex], [username]420, computer.

    9.1% of passwords are "password", 2.6% of passwords are the username, 1.7% of passwords are the user's first name.

    hope that helps!
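
A password-screening check, added here as an example and not part of either comment: it rejects candidates that appear in the dictionary comment 1 quotes from F-Secure, or that match the account-derived guesses comment 4 lists (username, username backwards, first or last name, initials, username plus digits). The dictionary in the script is a constructed subset of the list above, the 8-character minimum is an assumed local policy rather than anything the page states, and the sample user and attempts are constructed.

```powershell
# Added example (not from the page): screen a candidate password against the
# worm's dictionary and the account-derived guesses listed in the comments.
# $WormDictionary is a constructed subset of the F-Secure list quoted above.
$WormDictionary = @(
    '', 'admin', 'Admin', 'password', 'Password', '1', '12', '123', '1234',
    '12345', '123456', '1234567', '12345678', '123456789', '654321', '54321',
    '111', '000000', '00000000', '11111111', '88888888', 'pass', 'passwd',
    'database', 'abcd', 'abc123', 'oracle', 'sybase', '123qwe', 'server',
    'computer', 'Internet', 'super', 'ihavenopass', 'godblessyou', 'enable',
    'xp', '2002', '2003', '2600', 'administrator', 'root', 'sex', 'god',
    'foobar', 'test', 'test123', 'temp', 'temp123', 'asdf', 'secret', 'qwer',
    'zxcv', 'home', 'owner', 'login', 'Login', 'pwd', 'love', 'mypc', 'mypass'
)
# Case-insensitive set: the worm tries both 'admin' and 'Admin', so case alone is no defence.
$Blocklist = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]$WormDictionary, [System.StringComparer]::OrdinalIgnoreCase)

function Test-WeakPassword {
    # Returns a short reason when the password is weak, $null when no check fires.
    param(
        [AllowEmptyString()][string]$Password,
        [string]$UserName  = '',
        [string]$FirstName = '',
        [string]$LastName  = ''
    )
    if ($Blocklist.Contains($Password)) { return 'in worm dictionary' }

    # Guesses an attacker can derive from the account itself (comment 4's list).
    $derived = @()
    if ($UserName) {
        $derived += $UserName
        $chars = $UserName.ToCharArray(); [array]::Reverse($chars)
        $derived += (-join $chars)                       # username backwards
    }
    if ($FirstName) { $derived += $FirstName }
    if ($LastName)  { $derived += $LastName }
    if ($FirstName -and $LastName) { $derived += "$($FirstName[0])$($LastName[0])" }  # initials

    $lower = $Password.ToLowerInvariant()
    foreach ($d in $derived) {
        $dl = $d.ToLowerInvariant()
        if ($lower -eq $dl) { return "derived from account data ($d)" }
        # '[username]420' style: the name followed by a few digits
        if ($lower -match ('^' + [regex]::Escape($dl) + '\d{1,4}$')) { return "account data plus digits ($d)" }
    }

    # Assumed local policy, not from the page: require at least 8 characters.
    if ($Password.Length -lt 8) { return 'shorter than 8 characters' }
    return $null
}

# Constructed sample attempts for user jsmith / John Smith.
foreach ($candidate in 'Password', 'jsmith420', 'htimsj', 'JS', 'Tr0ub4dor&3') {
    $reason  = Test-WeakPassword -Password $candidate -UserName 'jsmith' -FirstName 'John' -LastName 'Smith'
    $verdict = if ($reason) { "weak: $reason" } else { 'accepted' }
    '{0,-12} {1}' -f $candidate, $verdict
}
```

Runs in any PowerShell 5.1 or later session. In practice only Test-WeakPassword would be wired into an account-provisioning or password-change script, and a real deployment would load the full published list (plus other known-bad password corpora) from a file rather than the subset embedded here.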

  5. Re:Microsoft's fault? by roolmarty · · Score: 5, Informative

    From Technet article 318751 (HOWTO: Remove Administrative Shares in Windows 2000):

    To remove automatic creation of the administrative shares by using Registry Editor:

    • Start Registry Editor (Regedt32.exe).
    • Locate and then click the following key in the registry:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer
    • Change the value of the AutoShareServer key to zero (0).
      NOTE: A setting of zero (0) prevents the administrative shares, such as C$, D$, and Admin$ from being created automatically.
    • Quit Registry Editor.

    NOTE: If the AutoShareServer key does not exist, create the AutoShareServer key by using the following steps:

    • Locate and then click the following key in the registry:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
    • On the Edit menu, click Add Value.
    • Type AutoShareServer, click REG_DWORD, and then click OK.
    • Type 0, and then click OK.
    • Quit Registry Editor, and then restart the computer.

    And... From 314984 (HOWTO: Create and Delete Hidden or Administrative Shares on Client Computers) (This is for Windows XP, W2K Pro, WinNT4 Workstation)

    To delete the hidden administrative shares for all root partitions and volumes (such as C$) and the system root folder (ADMIN$) and prevent Windows from re-creating them, add an AutoShareWks DWORD value to the following registry key and set its value data to 0:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

    These get rid of those pesky administrative shares.
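
A PowerShell equivalent of the Regedt32 steps quoted above, added here as an example; it is not part of the comment or of the Microsoft articles it cites. It assumes an elevated PowerShell 5.1 or later session on a Windows version that has the SmbShare module (for Get-SmbShare). The key path and the AutoShareServer / AutoShareWks value names come from the quoted articles; the use of Win32_OperatingSystem.ProductType to choose between them (1 means workstation) is an assumption of this script.

```powershell
# Added example (not from the page or from Microsoft's KB articles): audit and,
# on request, set the AutoShareServer / AutoShareWks value described above.
# Assumes an elevated PowerShell 5.1+ session on Windows with the SmbShare module.
$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-AdminShareSetting {
    # Returns the DWORD value, or $null when the value does not exist
    # (absent means Windows uses its default and creates the shares).
    param([Parameter(Mandatory)][ValidateSet('AutoShareServer', 'AutoShareWks')][string]$Name)
    $item = Get-ItemProperty -Path $paramsKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Disable-AdminShares {
    # Equivalent of "Add Value ... REG_DWORD ... 0": -Force creates the value if it
    # is missing and overwrites it if it exists. Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateSet('AutoShareServer', 'AutoShareWks')][string]$Name)
    if ($PSCmdlet.ShouldProcess("$paramsKey\$Name", 'Set REG_DWORD to 0')) {
        New-ItemProperty -Path $paramsKey -Name $Name -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

# The articles split the setting by edition: servers read AutoShareServer,
# workstations read AutoShareWks. ProductType 1 is a workstation (assumed mapping).
$os   = Get-CimInstance -ClassName Win32_OperatingSystem
$name = if ($os.ProductType -eq 1) { 'AutoShareWks' } else { 'AutoShareServer' }

$current = Get-AdminShareSetting -Name $name
if ($null -eq $current) {
    "$name is not set: administrative shares are created automatically"
} elseif ($current -eq 0) {
    "$name = 0: administrative shares are suppressed"
} else {
    "$name = $current: administrative shares are created automatically"
}

# Cross-check against what the Server service is actually sharing right now.
Get-SmbShare | Where-Object { $_.Name -like '*$' } | Select-Object Name, Path

# Preview the change; drop -WhatIf to apply it, then restart as the article says.
Disable-AdminShares -Name $name -WhatIf
```

Run it with -WhatIf first and restart afterwards, as the article requires. Note the scope of the fix: it only stops the automatic C$/ADMIN$ shares, which already demand administrative credentials. It does nothing for user-created shares protected by the weak passwords the worm guesses, so it complements a password policy rather than replacing one.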

  6. Re:SAMBA protocol by sn0wman3030 · · Score: 5, Informative

    Just so we're clear, SAMBA is not a protocol. The protocol you are thinking of is SMB (Server Message Block). Samba allows unix users to use SMB. Here's some info.

    --
    Life is offtopic.

  7. Re:Microsoft's fault? by IDIIAMOTS · · Score: 5, Informative

    Any local account without a password in Windows XP is prohibited from remotely connecting to that machine.

  8. Users pick bad passwords, sigh by bigberk · · Score: 4, Informative

    It is unfortunate that users often pick weak passwords. One of the student Win2K servers we run at our university got hacked because a remote attacker guessed a local password (=$username). However, we did learn one thing from the experience - we (or rather, I) firewalled our LAN from the internet behind a linux box. It could have been a BSD box, or a Linksys router -- who cares. This is kind of OT anyway.

    I firmly believe that the more heterogeneous we keep the mix of systems running on the internet, the more resilient the internet will be to any type of attack. It's like an ecological system in which different beasts catch different bugs -- but hardly ever do they all catch the same bug in the same way, at the same time. Now isn't that smart? I really think the United States and other concerned countries should invest in encouraging diversity of computer systems in order to reduce general vulnerability to a 'cyberterrorism' or whatever attacks.

    In either case, to see how our Internet is currently faring check out the Internet Storm Center. Increased probes from this worm were immediately visible on the site. Also worth a read is McAfee's details on this worm.

  9. Re:He was right! by JWSmythe · · Score: 4, Informative

    Funny this, but "God" specifically doesn't show up in this set of 260k users.. But there are 143 words containing "god".. Here are the top ones. :)

    22 godzilla
    5 godfathe
    4 goddess
    3 godsmack
    3 gods
    3 godiva
    2 sungod
    2 netgod
    2 iamgod
    2 goodgod

    There were 294 words with "sex" in them, the top ones are:

    84 sexy
    25 sexx
    17 sexsex
    8 sexual
    7 sexo
    6 sexe
    5 sussex
    5 sextoy
    5 sex4me
    5 ilovesex

    And 278 with "love" in it..

    86 love
    33 lover
    21 lovers
    14 loveme
    13 iloveyou
    10 loveit

    Oddly enough, root came in very low.. The highest one is "rootbeer" with 7.. That'd make it ranking around 3540.. I feel unloved.. If one person had "iloveroot", that would have made my day. :)

    --
    Serious? Seriousness is well above my pay grade.
  10. Re:What were those commons passwords in Hackers? by MegaFur · · Score: 4, Informative

    I don't get it. Most times, windoze lets you look through workgroups and choose the one you want to browse them *graphically* (double-click). So there's no need to count the "_"'s. I suspect that your plan worked mostly 'cause you changed the workgroup to something other than "WORKGROUP" and a lot of people didn't think to look for workgroups with anything other than the default name.

    But if I did want to count the "_"'s, I could:
    1) I copy the "_"'s to the clipboard.
    2) I open notepad and paste the "_"'s.
    3) I count them. (= 10)

    (Note: this is also a handy way to distinguish all of 'l10O' which can be hard to tell in some fonts.)

    But that was a general windoze solution. If Unix utilities are available, I could run `wc' (WordCount) with no input, then paste the "_"'s in, then type [ENTER], CTRL+D and word count would tell me how many chars are there.

    Yes, I know I'm being geeky and petty, but this is slashdot and I feel I should be allowed.

    --
    Furry cows moo and decompress.