New Sluter virus free with its favours
By Matt Whipp
Posted on 1 Jul 2003 at 17:01
Sophos has alerted users to a network-aware worm that attacks with a range of just 16 passwords.
Weak passwords are often the favourite exploit of viruses targeting home users, and Sluter-A uses an array of 16 variations based on just eight passwords.
However, Sluter-A uses admin, root, server and various lengths of a few sequences (1234, 4321, asdf and !"£$) as tools to prise open access to network shares named C$ and Admin$. Poorly shored-up businesses look to be the target.
However, it's not picky. Sluter-A scans port 445 of a large number of randomly generated IP addresses for such network shares and attempts to break in with its 16 passwords. If successful, it will create a copy of itself with the filename msslut32.exe and schedule it to run on the infected system. It will also add a Registry key (HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Superslut = msslut32.exe) to ensure the virus is run on startup.
Sophos has already received one report of the worm, and although it is perhaps unlikely to prove particularly virulent, it does highlight how confident virus writers are of finding poorly secured systems.
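A triage check for the two host indicators named above (the Run value Superslut and the file name msslut32.exe), added here as an example and not taken from the article or from Sophos. It parses saved output of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run`; the function name and the sample output are constructed for illustration.

```python
import re

# Host indicators named in the article: Run value name and dropped file name.
IOC_VALUE_NAME = "superslut"
# The file name must stand alone as a path component (not e.g. notmsslut32.exe).
IOC_FILE = re.compile(r'(?:^|[\\/"\s])msslut32\.exe(?:$|["\s])', re.IGNORECASE)

# `reg query` prints each value as: indent, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")


def scan_run_key(reg_query_output):
    """Return [(value_name, data, reasons)] for Run entries matching an indicator."""
    findings = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        reasons = []
        # Registry value names are case-insensitive, so compare lower-cased.
        if m["name"].strip().lower() == IOC_VALUE_NAME:
            reasons.append("value name")
        if IOC_FILE.search(m["data"]):
            reasons.append("file name")
        if reasons:
            findings.append((m["name"], m["data"], reasons))
    return findings


# Constructed sample output for illustration, not captured from a real host.
SAMPLE = (
    "\n"
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    '    Backup Agent    REG_SZ    "C:\\Program Files\\Backup\\agent.exe" /quiet\n'
    "    Superslut    REG_SZ    msslut32.exe\n"
    "    Updater    REG_SZ    C:\\WINNT\\system32\\MSSLUT32.EXE -s\n"
)

if __name__ == "__main__":
    for name, data, reasons in scan_run_key(SAMPLE):
        print(f"{name}: {data} (matched {', '.join(reasons)})")
```

An entry that matches only on file name, such as the constructed "Updater" row, still deserves a look, since the value name is the easier of the two indicators to change.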
For more information see the Sophos website.
