Aliases: Worm.Win32.Dedler, W32/Dedler.worm.gen
Variants: W32/Dedler-B, W32.Dedler-U

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Slow
Geographical info: Asia, North and South America, Europe and Australia
Removal: Easy
Platform: W32
Discovered: 09 Mar 2004
Damage: Medium

Characteristics: W32.Dedler.Worm is a worm that replicates itself to infect any open network shares. This network-aware worm first appeared on March 9, 2004. Like many viruses, it contains a destructive payload which propagates itself from one system to another.

More details about W32.Dedler.Worm

Worm programs can create copies of themselves. They typically enter the system without the user’s consent. The user may also be tricked into granting it access. An infected file or a link to an infected server may be sent to the user. These may also be posted on the Web. Copies may be placed elsewhere. They may also be put in shared folders to infect other computers. Registry entries are also created to make sure the software runs once the system does. Upon establishing itself in the system, this self-replicating network-aware worm copies the following: %System%\smvss.exe and %System%\csmrs.exe. These are variables. It means that by default the %System% can either be C:\Windows\System32 or C:\Winnt\System32.

Once the worm copies itself to the targeted location, it adds certain values to a certain registry key. When the Windows starts, the worm runs. It deletes some services like Symantec Core LC, SAVScan, Network Client, Network Client Monitor and many others. Next, the worm connects to login.icq.com to receive commands through ICQ. Therefore, the attacker has the ability to execute commands. The worm will automatically run through open shares once it copies the following files: autorun.inf, uninstall.exe and smvss.exe. This will enable the attacker to block any security-related sites on the Internet so the user will not be able to protect his computer against malwares.