TROJ_HACLINE.A

This Trojan may be dropped by other malware.

It uses a list of passwords to gain access to password-protected shares.

It hacks a computer by running a command line.

Arrival Details

This Trojan may be dropped by the following malware:

• WORM_MUMU.B

Propagation

This Trojan uses the following list of passwords to gain access to password-protected shares:

• %null%
• %username%
• %username%12
• %username%123
• %username%1234
• 123
• 1234
• 12345
• 123456
• 1234567
• 12345678
• 654321
• 54321
• 1
• 111
• 11111
• 111111
• 11111111
• 000000
• 00000000
• 888888
• 88888888
• 5201314
• pass
• passwd
• password
• sql
• database
• admin
• root
• secret
• oracle
• sybase
• test
• server
• computer
• Internet
• super
• user
• manager
• security
• public
• private
• default
• 1234qwer
• 123qwe
• abcd
• abc123
• 123abc
• abc
• 123asd
• asdf
• asdfgh
• !@#$
• !@#$%
• !@#$%^
• !@#$%^&
• !@#$%^&*
• !@#$%^&*(
• !@#$%^&*()
• KKKKKKK

Hacktool Routine

This Trojan hacks a computer by running a command line.

NOTES:

This malware uses a list of predefined weak passwords to attack SMB shares and looks for the default Admin share, Admin$.

The passwords mentioned above are retrieved in the file IPCPass.txt.

While scanning the network, it saves machines that are vulnerable to brute force attack in a separate log file named IPCFind.txt. The format of the log file is as follows:

• {IP Address} {Username}/{Password}

It connects to each vulnerable system using the following command:

• Net use \\%target_pc% "%password%" /u:"%user%"

Where:

• %target_pc% - IP address of the remote PC
• %password% - password from ipcfind.txt
• %user% - username from ipcfind.txt