McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• Vesser (F-Secure)

• W32.HLLW.Deadhat (Symantec)

• W32/Deadhat.worm.a

Characteristics

This threat is proactively detected as New Malware.b when scanning compressed files (default option) with program heuristics enabled using the 4.2.40 scan engine (or higher) and 4273 DAT files (or higher).

This worm spreads via the peer to peer file-sharing application Soulseek, and may attempt to spread via the remote access component created by the W32/Mydoom.a@MM and W32/Mydoom.b@MM viruses; seeking out infected computers and instructing them to uninstall Mydoom and install this virus.  The worm listens on TCP port 2766 and contains instructions to connect to an IRC server, login to a specified channel, and wait for further instructions.

When run, the worm may display a fake error message:

The worm copies itself to the WINDOWS SYSTEM directory as SMS.EXE and creates a registry run key to load itself at system startup:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
  Run "KernelFaultChk" = C:\WINNT\System32\sms.exe

The worm retrieves the Soulseek installation path from the registry, reads in the shared.cfg settings, and copies itself to the shared directory using the following filenames (one file is created each time the virus is run):

• WinXPKeyGen.exe
• Windows2003Keygen.exe
• mIRC.v6.12.Keygen.exe
• Norton.All.Products.KeyMkr.exe
• F-Secure.Antivirus.Keymkr.exe
• FlashFXP.v2.1.FINAL.Crack.exe
• SecureCRTPatch.exe
• TweakXPProKeyGenerator.exe
• FRUITYLOOPS.SPYWIRE.FIX.EXE
• ALL.SERIALS.COLLECTION.2003-2004.EXE
• WinRescue.XP.v1.08.14.exe
• GoldenHawk.CDRWin.v3.9E.Incl.Keygen.exe
• BlindWrite.Suite.v4.5.2.Serial.Generator.exe
• Serv-U.allversions.keymaker.exe
• WinZip.exe
• WinRar.exe
• WinAmp5.Crack.exe

Symptoms

The worm may attempt to terminate the following processes, some of which are related to the Mydoom virus:

• _avp
• kfp4gui
• kfp4ss
• zonealarm
• Azonealarm
• avwupd32
• avwin95
• avsched32
• avp
• avnt
• avkserv
• avgw
• avgctrl
• avgcc32
• ave32
• avconsol
• apvxdwin
• ackwin32
• blackice
• blackd
• dv95
• espwatch
• esafe
• efinet32
• ecengine
• f-stopw
• frw
• fp-win
• f-prot95
• f-prot
• fprot
• f-agnt95
• gibe
• iomon98
• iface
• icsupp
• icssuppnt
• icmoon
• icmon
• icloadnt
• icload95
• ibmavsp
• ibmasn
• iamserv
• iamapp
• kpfw32
• nvc95
• nupgrade
• nupdate
• normist
• nmain
• nisum
• navw
• navsched
• navnt
• navlu32
• navapw32
• zapro
• document
• readme
• doc
• text
• file
• data
• test
• message
• body
• taskmon
• xsharez_scanner
• BlackIce_Firewall_Enterpriseactivation_crack
• zapSetup_95_693
• MS59-56_hotfix
• winamp0
• NessusScan_pro
• attackXP-6.71

Method of Infection

This worm spreads via Soulseek, and attempts to spread to Mydoom infected systems.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• Vesser (F-Secure)

• W32.HLLW.Deadhat (Symantec)

• W32/Deadhat.worm.a

Characteristics

Characteristics -

This threat is proactively detected as New Malware.b when scanning compressed files (default option) with program heuristics enabled using the 4.2.40 scan engine (or higher) and 4273 DAT files (or higher).

This worm spreads via the peer to peer file-sharing application Soulseek, and may attempt to spread via the remote access component created by the W32/Mydoom.a@MM and W32/Mydoom.b@MM viruses; seeking out infected computers and instructing them to uninstall Mydoom and install this virus.  The worm listens on TCP port 2766 and contains instructions to connect to an IRC server, login to a specified channel, and wait for further instructions.

When run, the worm may display a fake error message:

The worm copies itself to the WINDOWS SYSTEM directory as SMS.EXE and creates a registry run key to load itself at system startup:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
  Run "KernelFaultChk" = C:\WINNT\System32\sms.exe

The worm retrieves the Soulseek installation path from the registry, reads in the shared.cfg settings, and copies itself to the shared directory using the following filenames (one file is created each time the virus is run):

• WinXPKeyGen.exe
• Windows2003Keygen.exe
• mIRC.v6.12.Keygen.exe
• Norton.All.Products.KeyMkr.exe
• F-Secure.Antivirus.Keymkr.exe
• FlashFXP.v2.1.FINAL.Crack.exe
• SecureCRTPatch.exe
• TweakXPProKeyGenerator.exe
• FRUITYLOOPS.SPYWIRE.FIX.EXE
• ALL.SERIALS.COLLECTION.2003-2004.EXE
• WinRescue.XP.v1.08.14.exe
• GoldenHawk.CDRWin.v3.9E.Incl.Keygen.exe
• BlindWrite.Suite.v4.5.2.Serial.Generator.exe
• Serv-U.allversions.keymaker.exe
• WinZip.exe
• WinRar.exe
• WinAmp5.Crack.exe

Symptoms

Symptoms -

The worm may attempt to terminate the following processes, some of which are related to the Mydoom virus:

• _avp
• kfp4gui
• kfp4ss
• zonealarm
• Azonealarm
• avwupd32
• avwin95
• avsched32
• avp
• avnt
• avkserv
• avgw
• avgctrl
• avgcc32
• ave32
• avconsol
• apvxdwin
• ackwin32
• blackice
• blackd
• dv95
• espwatch
• esafe
• efinet32
• ecengine
• f-stopw
• frw
• fp-win
• f-prot95
• f-prot
• fprot
• f-agnt95
• gibe
• iomon98
• iface
• icsupp
• icssuppnt
• icmoon
• icmon
• icloadnt
• icload95
• ibmavsp
• ibmasn
• iamserv
• iamapp
• kpfw32
• nvc95
• nupgrade
• nupdate
• normist
• nmain
• nisum
• navw
• navsched
• navnt
• navlu32
• navapw32
• zapro
• document
• readme
• doc
• text
• file
• data
• test
• message
• body
• taskmon
• xsharez_scanner
• BlackIce_Firewall_Enterpriseactivation_crack
• zapSetup_95_693
• MS59-56_hotfix
• winamp0
• NessusScan_pro
• attackXP-6.71

Method of Infection

Method of Infection -

This worm spreads via Soulseek, and attempts to spread to Mydoom infected systems.

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A