Classification

Category :

Malware

Type :

Worm

Aliases :

Deborm, Worm.Win32.Deborm, W32.Deborm.Worm, W32/Deborm.worm

Summary

Deborm is a network worm. Once the worm gains access to a LAN (local area network), it will keep spreading as long as it can find machines which have writable file shares without a password or with an easily guessable password. Once such computer is found, the worm will make a copy of itself to a startup folder where it will be automatically started after next reboot.

Removal

F-Secure Anti-Virus 5.40 and later versions can detect and rename infected files. It can successfully protect workstations from infection - when the worm attempts to copy a file to startup folder, FSAV will detect and rename that file before it can be activated. FSAV 5.4x also automatically renames backdoors and trojans dropped by the worm.

If you are using FSAV version 5.30 or earlier, then to prevent reinfection in a LAN environment, you might need to take down the network and reconnect machines only once they've been scanned and cleaned if needed. Please note that selection of 'Rename' or 'Delete' disinfection actions might be needed to get rid of worm and backdoor files. In case the infected files are locked, you might need to delete them from pure DOS (in case of Windows 9x systems) or to rename the infected files with different extensions and restart a computer.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The Deborm.Q variant presents an almost identical behavior as the previous ones.

Different worm variants drop different backdoors (hacker's remote access tools) and different trojans to infected systems. For example Deborm.R variant of the worm drops 'Litmus.203' backdoor, an IRC SDBot-based backdoor and a trojan that kills tasks of certain anti-virus and security software. Deborm.R worm tries to copy itself to the following folders on remote computers:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
 C:\WINDOWS\Start Menu\Programs\Startup
 C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup
 \WINNT\Profiles\All Users\Start Menu\Programs\Startup
 \WINDOWS\Start Menu\Programs\Startup
 \Documents and Settings\All Users\Start Menu\Programs\Startup

When the worm is activated, it creates a startup key for its file in System Registry. For example Deborm.R worm creates the following Registry key:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
 "NAV Live Update" = <path>

where <path> is the location of the worm's file.

Then the worm starts to look for open shares. If it finds 'C$' or 'C' share on a remote computer, it tries to get access to that share by guessing passwords for 'Owner', 'Guest' and 'Administrator' accounts. If the worm succeeds, it connects to that share and copies itself to startup folders there.