
Win32.Worm.Vesser.A

LOW
MEDIUM
Size: 55,808 bytes (packed)
Aliases: W32.HLLW.Deadhat | Win32/Deathat.A | W32/Deadhat-A

Symptoms


- Presence of the following file in the %SYSTEM% folder:

sms.exe

- Presence of the following registry value:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\KernelFaultChk]

where %WINDOWS% points to the Windows folder (WinNT on Windows NT based systems) and
%SYSTEM% points to the "System" folder on Windows 9x systems and the "System32" folder on Windows NT based systems.

Removal instructions:




Analyzed By

Patrik Vicol BitDefender Virus Researcher

Technical Description:


Once run, the worm does the following:

1. Creates the mutex Y&T (so that only one copy runs at a time).

2. Creates the registry value

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\KernelFaultChk

pointing to its copy, %SYSTEM%\sms.exe, so that it is started at every logon.

3. On certain events (not further identified) the worm deletes the following boot and system configuration files, which can leave the machine unable to boot:

C:\boot.ini
C:\autoexec.bat
C:\config.sys
C:\Windows\win.ini
C:\Windows\system.ini
C:\Windows\wininit.ini
C:\Winnt\win.ini
C:\Winnt\system.ini
C:\Winnt\wininit.ini

4. Creates a copy of itself as sms.exe in the %SYSTEM% folder.

5. Places copies of itself under the following names, posing as key generators and cracks:

WinXPKeyGen.exe
Windows2003Keygen.exe
mIRC.v6.12.Keygen.exe
Norton.All.Products.KeyMkr.exe
F-Secure.Antivirus.Keymkr.exe
FlashFXP.v2.1.FINAL.Crack.exe
SecureCRTPatch.exe
TweakXPProKeyGenerator.exe
FRUITYLOOPS.SPYWIRE.FIX.EXE
ALL.SERIALS.COLLECTION.2003-2004.EXE
WinRescue.XP.v1.08.14.exe
GoldenHawk.CDRWin.v3.9E.Incl.Keygen.exe
BlindWrite.Suite.v4.5.2.Serial.Generator.exe
Serv-U.allversions.keymaker.exe
WinZip.exe
WinRar.exe
WinAmp5.Crack.exe

in the shared folder of the SoulSeek file-sharing program, so that other users download and run it.

6. Attempts to terminate processes whose names contain any of the following strings (mostly anti-virus and personal firewall products):

_avp
kfp4gui
kfp4ss
zonealarm
Azonealarm
avwupd32
avwin95
avsched32
avnt
avkserv
avgw
avgctrl
avgcc32
ave32
avconsol
apvxdwin
ackwin32
blackice
blackd
dv95
espwatch
esafe
efinet32
ecengine
f-stopw
fp-win
f-prot95
f-prot
fprot
f-agnt95
gibe
iomon98
iface
icsupp
icssuppnt
icmoon
icmon
icloadnt
icload95
ibmavsp
ibmasn
iamserv
iamapp
kpfw32
nvc95
nupgrade
nupdate
normist
nmain
nisum
navw
navsched
navnt
navlu32
navapw32
zapro

7. Starts listening on TCP port 2766 (0xACE), which serves as a backdoor.

8. Spreads through the backdoor that Novarg/Mydoom leaves open on already infected hosts (TCP port 3127).

9. Has backdoor behaviour: connects to various IRC servers and waits for an attacker to issue commands.

10. Deletes the Taskmon and Explorer values from
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
(the Run entries that Mydoom.A and Mydoom.B use for persistence), removing the earlier infection's persistence.


Note: on certain events, if one of its actions fails, it may display a fake error message:

Error executing program!

and exit, but this behaviour has not yet been fully analysed.
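The indicators in the Symptoms and Technical Description sections, turned into an offline triage check. This is an added example written for this page, not Bitdefender's tooling and not the worm's own code. It assumes the responder has already saved a `reg export` of the Run key, `netstat -ano` output and a file listing from the suspect host, so nothing here touches a live machine. The IRC port 6667 is an assumption (the page names no servers or ports), and all sample data is constructed.

```python
"""Offline IOC matcher for Win32.Worm.Vesser.A (Deadhat).

Added example for this page; not Bitdefender's tooling. It checks saved
triage output (a .reg export of the Run key, `netstat -ano`, a file listing)
against the indicators listed above. All sample data below is constructed.
"""
import re

# Indicators taken from the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "KernelFaultChk"
DROPPED_FILE = "sms.exe"
LISTEN_PORT = 0xACE    # 2766, the worm's backdoor listener
MYDOOM_PORT = 3127     # Mydoom backdoor the worm spreads through
IRC_PORT = 6667        # assumption: the page names no IRC servers or ports


def run_key_value(reg_export_text):
    """Return the command stored in the KernelFaultChk Run value, or None.

    Parses the .reg export format, in which backslashes are doubled:
        "KernelFaultChk"="C:\\\\WINDOWS\\\\system32\\\\sms.exe"
    """
    in_run_key = False
    for line in reg_export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        if not in_run_key:
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if m and m.group(1).lower() == RUN_VALUE.lower():
            return m.group(2).replace("\\\\", "\\")
    return None


def tcp_rows(netstat_text):
    """Yield (local_port, remote_ip, remote_port, state, pid) from `netstat -ano` lines."""
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            local_port = int(parts[1].rsplit(":", 1)[1])
            remote_ip, remote_port = parts[2].rsplit(":", 1)
            yield local_port, remote_ip, int(remote_port), parts[3], int(parts[4])


def listener_pids(netstat_text):
    """PIDs that have TCP 2766 in LISTENING state."""
    return sorted({pid for lp, _, _, state, pid in tcp_rows(netstat_text)
                   if state == "LISTENING" and lp == LISTEN_PORT})


def outbound_by_pid(netstat_text, pid):
    """(remote_ip, remote_port) of every non-listening TCP row owned by pid."""
    return [(ip, rp) for _, ip, rp, state, p in tcp_rows(netstat_text)
            if state != "LISTENING" and p == pid]


def dropped_copies(file_listing, system_dir):
    """Paths in file_listing equal to %SYSTEM%\\sms.exe, compared case-insensitively."""
    target = system_dir.rstrip("\\").lower() + "\\" + DROPPED_FILE
    return [p for p in file_listing if p.lower() == target]


def assess(reg_export_text, netstat_text, file_listing, system_dir):
    """Combine the checks into one findings dict with an overall verdict."""
    pids = listener_pids(netstat_text)
    peers = [(ip, rp) for pid in pids for ip, rp in outbound_by_pid(netstat_text, pid)]
    findings = {
        "run_value": run_key_value(reg_export_text),
        "dropped": dropped_copies(file_listing, system_dir),
        "listener_pids": pids,
        "irc": [(ip, rp) for ip, rp in peers if rp == IRC_PORT],
        "mydoom_scan": [(ip, rp) for ip, rp in peers if rp == MYDOOM_PORT],
    }
    # Any one of persistence, the dropped file or the listener is a hit.
    findings["infected"] = bool(findings["run_value"] or findings["dropped"] or pids)
    return findings


# Constructed sample triage data (not captured from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"KernelFaultChk"="C:\\WINDOWS\\system32\\sms.exe"
'''

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:2766           0.0.0.0:0              LISTENING       1612
  TCP    192.168.1.5:1044       203.0.113.9:6667       ESTABLISHED     1612
  TCP    192.168.1.5:1045       192.168.1.77:3127      SYN_SENT        1612
"""

SAMPLE_FILES = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\SMS.EXE",
]

if __name__ == "__main__":
    for key, value in assess(SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_FILES,
                             r"C:\WINDOWS\system32").items():
        print(f"{key}: {value}")
```

The mutex Y&T is deliberately not checked here: it only exists while the worm is running and needs a live-host tool (for example Sysinternals Handle) rather than saved output. The outbound rows owned by the listening PID are reported separately because the page describes two different behaviours behind them: the IRC connection is command and control, the 3127 connections are the worm scanning for Mydoom's backdoor.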