Win32.Worm.Vesser.A( W32.HLLW.Deadhat | Win32/Deathat.A | W32/Deadhat-A )
SYMPTOMS:
- Presence of the following file in the %SYSTEM% folder: sms.exe
- Presence of the following registry entry: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\KernelFaultChk]

where %WINDOWS% points to the Windows folder (or WinNT on Windows NT based systems) and %SYSTEM% points to the "System" folder on Windows 9x systems and the "System32" folder on WinNT systems.

TECHNICAL DESCRIPTION:
Once run, the virus does the following:
1. Creates the mutex Y&T.
2. Creates the registry entry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\KernelFaultChk pointing to the virus (sms.exe in the System/32 folder).
3. On certain events the virus will delete:
   C:\boot.ini
   C:\autoexec.bat
   C:\config.sys
   C:\Windows\win.ini
   C:\Windows\system.ini
   C:\Windows\wininit.ini
   C:\Winnt\win.ini
   C:\Winnt\system.ini
   C:\Winnt\wininit.ini
4. Creates a copy of the virus as sms.exe in the System/32 folder.
5. Places copies of itself in the share of the SoulSeeker file-sharing program under the following names:
   WinXPKeyGen.exe
   Windows2003Keygen.exe
   mIRC.v6.12.Keygen.exe
   Norton.All.Products.KeyMkr.exe
   F-Secure.Antivirus.Keymkr.exe
   FlashFXP.v2.1.FINAL.Crack.exe
   SecureCRTPatch.exe
   TweakXPProKeyGenerator.exe
   FRUITYLOOPS.SPYWIRE.FIX.EXE
   ALL.SERIALS.COLLECTION.2003-2004.EXE
   WinRescue.XP.v1.08.14.exe
   GoldenHawk.CDRWin.v3.9E.Incl.Keygen.exe
   BlindWrite.Suite.v4.5.2.Serial.Generator.exe
   Serv-U.allversions.keymaker.exe
   WinZip.exe
   WinRar.exe
   WinAmp5.Crack.exe
6. Attempts to terminate processes whose names contain any of the following strings:
   _avp kfp4gui kfp4ss zonealarm Azonealarm avwupd32 avwin95 avsched32 avnt avkserv avgw avgctrl avgcc32 ave32 avconsol apvxdwin ackwin32 blackice blackd dv95 espwatch esafe efinet32 ecengine f-stopw fp-win f-prot95 f-prot fprot f-agnt95 gibe iomon98 iface icsupp icssuppnt icmoon icmon icloadnt icload95 ibmavsp ibmasn iamserv iamapp kpfw32 nvc95 nupgrade nupdate normist nmain nisum navw navsched navnt navlu32 navapw32 zapro
7. Starts listening on port 2766 (ACE in hex).
8. Uses the Novarg/Mydoom backdoor to spread.
9. Has backdoor behaviour: attempts to connect to various IRC servers and waits for an attacker to issue commands.
10. Deletes the Taskmon and Explorer keys from HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.

Note: on certain events, if it fails in its actions it may display a fake message "Error executing program!" and exit, but this has not yet been fully analysed.

Removal instructions:

ANALYZED BY: Patrik Vicol, BitDefender Virus Researcher
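The file, registry, mutex and listening-port indicators described above can be triaged on a host with the following PowerShell check. This is an added example, not BitDefender's tool or removal procedure; it assumes a PowerShell 5+ session with administrative rights and, for the port check, Windows 8 / Server 2012 or later (Get-NetTCPConnection).

```powershell
# Defender-side triage of the Vesser.A indicators from this description.
# Each finding is collected rather than acted on; confirmation and cleanup
# belong to the AV product.
$findings = @()

# Indicator: Run-key persistence value KernelFaultChk pointing at sms.exe
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['KernelFaultChk']) {
    $findings += "Run value KernelFaultChk = $($run.KernelFaultChk)"
}

# Indicator: dropped copy in the system folder (System32 on NT-based systems)
$smsPath = Join-Path $env:SystemRoot 'System32\sms.exe'
if (Test-Path -LiteralPath $smsPath) {
    $findings += "File present: $smsPath"
}

# Indicator: mutex Y&T held by a running worm process.
# OpenExisting throws WaitHandleCannotBeOpenedException when no such mutex exists.
try {
    $m = [System.Threading.Mutex]::OpenExisting('Y&T')
    $m.Dispose()
    $findings += 'Mutex Y&T exists (worm process likely running)'
} catch {
    # absent (or not openable from this session): nothing to report
}

# Indicator: backdoor listener on TCP 2766 (0xACE)
$listener = Get-NetTCPConnection -State Listen -LocalPort 2766 -ErrorAction SilentlyContinue
if ($listener) {
    $ownerPid = $listener | Select-Object -First 1 -ExpandProperty OwningProcess
    $findings += "TCP 2766 listening, owning process id $ownerPid"
}

if ($findings.Count -eq 0) { 'No Vesser.A indicators found.' } else { $findings }
```

The Taskmon and Explorer Run entries the worm deletes are deliberately not checked, because their absence is normal on many systems and would only produce false positives.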