W32/Grabot.worm

Type: Virus
SubType: Worm
Discovery Date: 01/12/2005
Length: 71,680 bytes
Minimum DAT: 4419 (01/12/2005)
Updated DAT: 4419 (01/12/2005)
Minimum Engine: 5.1.00
Description Added: 01/12/2005
Description Modified: 01/31/2005 9:50 AM (PT)
Risk Assessment - Corporate User: Low
Risk Assessment - Home User: Low

Characteristics

This worm spreads through network shares using weak usernames and passwords. The worm attempts to connect to an Internet Relay Chat (IRC) server on TCP port 6667 so that a remote attacker can send commands to the infected system.

Symptoms

When this worm is executed, it copies itself to the %Sysdir% folder as HESS.EXE.

e.g. C:\Winnt\System32\Hess.exe

The following registry value is created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "wzservice" = HESS.EXE

It listens on TCP port 113 and on other random ports. It attempts to connect to remote IRC servers on TCP port 6667.
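
The following is an added triage check, not code from the advisory or from McAfee, that looks for the indicators above in a registry export of the Run key and in netstat output. The .reg fragment and the netstat lines are constructed samples; the PIDs and addresses in them are illustrative, and the parser assumes the "netstat -ano" column layout.

```python
import re

# Indicators from the advisory above: dropped file, Run value name, ports.
DROPPED_FILE, RUN_VALUE_NAME = "HESS.EXE", "wzservice"
LISTEN_PORT, IRC_PORT = 113, 6667

# Constructed sample of a .reg export of the Run key (not a real capture).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"wzservice"="HESS.EXE"
'''

# Constructed sample of "netstat -ano" output (not a real capture).
SAMPLE_NETSTAT = '''
  Proto  Local Address        Foreign Address      State        PID
  TCP    0.0.0.0:135          0.0.0.0:0            LISTENING    812
  TCP    0.0.0.0:113          0.0.0.0:0            LISTENING    1492
  TCP    192.168.1.20:1049    203.0.113.9:6667     ESTABLISHED  1492
  TCP    192.168.1.20:1050    192.168.1.1:80       ESTABLISHED  2300
'''

REG_LINE = re.compile(r'^"([^"]+)"="([^"]*)"$')
NET_LINE = re.compile(r'^\s*TCP\s+\S+:(\d+)\s+\S+:(\d+)\s+(\w+)\s+(\d+)\s*$')

def check_run_key(reg_text):
    """Return Run values whose name or data matches the worm's persistence entry."""
    hits = []
    for line in reg_text.splitlines():
        m = REG_LINE.match(line.strip())
        if m and (m.group(1).lower() == RUN_VALUE_NAME
                  or DROPPED_FILE in m.group(2).upper()):
            hits.append(m.groups())
    return hits

def check_netstat(netstat_text):
    """Return PIDs that listen on TCP 113 and also hold an outbound 6667 session."""
    listening, outbound = set(), set()
    for line in netstat_text.splitlines():
        m = NET_LINE.match(line)
        if not m:
            continue
        local_port, remote_port, state, pid = m.groups()
        if state == "LISTENING" and int(local_port) == LISTEN_PORT:
            listening.add(pid)
        elif state == "ESTABLISHED" and int(remote_port) == IRC_PORT:
            outbound.add(pid)
    return sorted(listening & outbound)
```

A process that both listens on 113 and holds a 6667 session is a stronger signal than either port alone, since port 113 (ident) and IRC traffic each have legitimate uses.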

Method of Infection

This worm propagates via accessible or poorly secured C$ network shares.

The worm contains a list of usernames and passwords that it uses to gain access to poorly secured shares.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.