W32/Vesser.worm.b

Type
Virus
SubType
Internet Worm
Discovery Date
02/12/2004
Length
56,832 bytes
Minimum DAT
4309 (12/17/2003)
Updated DAT
4326 (02/18/2004)
Minimum Engine
5.1.00
Description Added
02/12/2004
Description Modified
02/12/2004 3:56 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

As with its predecessor, this worm spreads via the peer-to-peer file-sharing application Soulseek. It may also attempt to spread via the remote access component created by the W32/Mydoom.a@MM and W32/Mydoom.b@MM viruses, seeking out infected computers and instructing them to uninstall Mydoom and install this worm. The worm listens on TCP port 2766 and contains instructions to connect to an IRC server, log in to a specified channel, and wait for further instructions.

Proactive Detection

This threat is proactively detected as New Malware.b when scanning compressed files (the default) with program heuristics enabled, using the 4.2.40 engine and the 4309 DATs (or greater). (Proactive detection as New Malware.b on gateway products is achieved with the 4273 DATs or greater.) Specific detection as W32/Vesser.worm.b will be provided in the 4324 DATs.

The worm copies itself to the Windows system directory as MSGSRV32.EXE, for example:

  • C:\WINNT\SYSTEM32\MSGSRV32.EXE

The worm creates a registry run key to load itself at system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "msgsrv32" = C:\WINNT\SYSTEM32\MSGSRV32.EXE

The worm retrieves the Soulseek installation path from the registry, reads in the shared.cfg settings, and copies itself to the shared directory using various enticing filenames (one file is created each time the virus is run):

  • ALL.SERIALS.COLLECTION.2003-2004.EXE
  • BLINDWRITE.SUITE.V4.5.2.SERIAL.GENERATOR.EXE
  • F-SECURE.ANTIVIRUS.KEYMKR.EXE
  • FRUITYLOOPS.SPYWIRE.FIX.EXE
  • FLASHFXP.V2.1.FINAL.CRACK.EXE
  • GOLDENHAWK.CDRWIN.V3.9E.INCL.KEYGEN.EXE
  • NORTON.ALL.PRODUCTS.KEYMKR.EXE
  • SECURECRTPATCH.EXE
  • SERV-U.ALLVERSIONS.KEYMAKER.EXE
  • TWEAKXPPROKEYGENERATOR.EXE
  • WINRAR.EXE
  • WINRESCUE.XP.V1.08.14.EXE
  • WINXPKEYGEN.EXE
  • WINDOWS2003KEYGEN.EXE
  • WINZIP.EXE
  • MIRC.V6.12.KEYGEN.EXE
  • WINAMP5.CRACK.EXE

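Read-only host triage for the indicators described above (dropped file, Run value, lure filenames in the Soulseek share, TCP 2766 listener), as an added example that is not part of the McAfee description. The registry key and value used to locate the Soulseek install path are assumptions, since the description does not name them, and Get-NetTCPConnection requires Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the McAfee description: read-only triage for the
# W32/Vesser.worm.b host indicators. It reports findings and never deletes.
$findings = @()

# 1. Dropped copy in the Windows system directory (description: 56,832 bytes).
$dropped = Join-Path ([Environment]::GetFolderPath('System')) 'MSGSRV32.EXE'
if (Test-Path -LiteralPath $dropped) {
    $size = (Get-Item -LiteralPath $dropped).Length
    $findings += "File present: $dropped ($size bytes; description lists 56,832)"
}

# 2. HKLM Run value "msgsrv32" that loads the dropped copy at startup.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runVal = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).msgsrv32
if ($runVal) { $findings += "Run value msgsrv32 = $runVal" }

# 3. Lure filenames in the Soulseek shared folder. The description does not
#    say which registry key holds the Soulseek install path, so the key and
#    value below are ASSUMED; point $slskRoot at the real share if it differs.
$slskRoot = (Get-ItemProperty -Path 'HKCU:\Software\SoulSeek' `
             -ErrorAction SilentlyContinue).InstallPath
$lures = @(
    'ALL.SERIALS.COLLECTION.2003-2004.EXE', 'BLINDWRITE.SUITE.V4.5.2.SERIAL.GENERATOR.EXE',
    'F-SECURE.ANTIVIRUS.KEYMKR.EXE', 'FRUITYLOOPS.SPYWIRE.FIX.EXE',
    'FLASHFXP.V2.1.FINAL.CRACK.EXE', 'GOLDENHAWK.CDRWIN.V3.9E.INCL.KEYGEN.EXE',
    'NORTON.ALL.PRODUCTS.KEYMKR.EXE', 'SECURECRTPATCH.EXE',
    'SERV-U.ALLVERSIONS.KEYMAKER.EXE', 'TWEAKXPPROKEYGENERATOR.EXE',
    'WINRAR.EXE', 'WINRESCUE.XP.V1.08.14.EXE', 'WINXPKEYGEN.EXE',
    'WINDOWS2003KEYGEN.EXE', 'WINZIP.EXE', 'MIRC.V6.12.KEYGEN.EXE', 'WINAMP5.CRACK.EXE'
)
if ($slskRoot -and (Test-Path -LiteralPath $slskRoot)) {
    $hits = Get-ChildItem -LiteralPath $slskRoot -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $lures -contains $_.Name }   # -contains is case-insensitive
    foreach ($h in $hits) { $findings += "Lure in share: $($h.FullName) ($($h.Length) bytes)" }
}

# 4. Listener on TCP 2766, the port the description says the worm listens on.
$listen = Get-NetTCPConnection -LocalPort 2766 -State Listen -ErrorAction SilentlyContinue
foreach ($c in $listen) { $findings += "TCP 2766 listener, PID $($c.OwningProcess)" }

if ($findings.Count -eq 0) { 'No W32/Vesser.worm.b host indicators found.' } else { $findings }
```

Run from an elevated prompt so HKLM and the system directory are readable; any match should be followed by a full scan with the DAT and engine versions given above rather than manual deletion.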
Symptoms

The worm terminates processes associated with various security products, and also some associated with W32/Mydoom@MM:

  • _avp
  • kfp4gui
  • kfp4ss
  • zonealarm
  • Azonealarm
  • avwupd32
  • avwin95
  • avsched32
  • avp
  • avnt
  • avkserv
  • avgw
  • avgctrl
  • avgcc32
  • ave32
  • avconsol
  • apvxdwin
  • ackwin32
  • blackice
  • blackd
  • dv95
  • espwatch
  • esafe
  • efinet32
  • ecengine
  • f-stopw
  • frw
  • fp-win
  • f-prot95
  • f-prot
  • fprot
  • f-agnt95
  • gibe
  • iomon98
  • iface
  • icsupp
  • icssuppnt
  • icmoon
  • icmon
  • icloadnt
  • icload95
  • ibmavsp
  • ibmasn
  • iamserv
  • iamapp
  • kpfw32
  • nvc95
  • nupgrade
  • nupdate
  • normist
  • nmain
  • nisum
  • navw
  • navsched
  • navnt
  • navlu32
  • navapw32
  • zapro
  • document
  • readme
  • doc
  • text
  • file
  • data
  • test
  • message
  • body
  • taskmon
  • xsharez_scanner
  • BlackIce_Firewall_Enterpriseactivation_crack
  • zapSetup_95_693
  • MS59-56_hotfix
  • winamp0
  • NessusScan_pro
  • attackXP-6.71

Outgoing TCP traffic to one of several hard-coded remote servers (destination port 6667, IRC).

Deletion of certain system files from the victim machine:

  • C:\boot.ini
  • C:\autoexec.bat
  • C:\config.sys
  • C:\Windows\win.ini
  • C:\Windows\system.ini
  • C:\Windows\wininit.ini
  • C:\Winnt\win.ini
  • C:\Winnt\system.ini
  • C:\Winnt\wininit.ini

Method of Infection

This worm spreads via Soulseek, and attempts to spread to W32/Mydoom@MM infected systems.

Removal

Detection is included in our BETA DAT files and will also be included in the next scheduled DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

Variants

N/A

All Information

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Win32.Worm.Vesser.B (Softwin)
  • WORM_DEADHAT.B (Trend)