Vesser/Deadhat is a worm with backdoor capabilities. It attempts to uninstall the Mydoom and Mydoom.B worms, and then it spreads to other systems that are still infected with Mydoom. It also spreads through the Soulseek file-sharing program.
Also known as: W32.HLLW.Deadhat, Vesser, W32/Deadhat.worm.a, WORM_DEADHAT.A, Win32.Deadhat.A, Worm.Win32.Vesser
How Does Vesser/Deadhat Worm Infect My System?
When Vesser/Deadhat is executed, it performs
the following actions:
- May display a message box containing the
following text:
Corrupted File
Error executing program!
- Copies itself as %System%\sms.exe.
- Adds the value:
"KernelFaultChk"="%System%\sms.exe"
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start
Windows.
- Locates the shared folder the Soulseek
file-sharing program uses and copies itself to
this location, using one of the following file
names:
- Windows2003Keygen.exe
- mIRC.v6.12.Keygen.exe
- Norton.All.Products.KeyMkr.exe
- F-Secure.Antivirus.Keymkr.exe
- FlashFXP.v2.1.FINAL.Crack.exe
- SecureCRTPatch.exe
- TweakXPProKeyGenerator.exe
- FRUITYLOOPS.SPYWIRE.FIX.EXE
- ALL.SERIALS.COLLECTION.2003-2004.EXE
- WinRescue.XP.v1.08.14.exe
- GoldenHawk.CDRWin.v3.9E.Incl.Keygen.exe
- BlindWrite.Suite.v4.5.2.Serial.Generator.exe
- Serv-U.allversions.keymaker.exe
- WinZip.exe
- WinRar.exe
- WinAmp5.Crack.exe
- Listens on TCP port 2766 for incoming connections. If a remote attacker connects to this port and uploads a program, the worm saves and executes it. This is the backdoor component: anything the attacker sends is run with the privileges of the worm process.
- Attempts to end the following processes associated with antivirus and firewall software:
- _avp
- kfp4gui
- kfp4ss
- zonealarm
- Azonealarm
- avwupd32
- avwin95
- avsched32
- avp
- avnt
- avkserv
- avgw
- avgctrl
- avgcc32
- ave32
- avconsol
- apvxdwin
- ackwin32
- blackice
- blackd
- dv95
- espwatch
- esafe
- efinet32
- ecengine
- f-stopw
- frw
- fp-win
- f-prot95
- f-prot
- fprot
- f-agnt95
- gibe
- iomon98
- iface
- icsupp
- icssuppnt
- icmoon
- icmon
- icloadnt
- icload95
- ibmavsp
- ibmasn
- iamserv
- iamapp
- kpfw32
- nvc95
- nupgrade
- nupdate
- normist
- nmain
- nisum
- navw
- navsched
- navnt
- navlu32
- navapw32
- zapro
- Attempts to end the following processes associated with the Mydoom worms:
- document
- readme
- doc
- text
- file
- data
- test
- message
- body
- taskmon
- xsharez_scanner
- BlackIce_Firewall_Enterpriseactivation_crack
- zapSetup_95_693
- MS59-56_hotfix
- winamp0
- NessusScan_pro
- attackXP-6.71
- Attempts to uninstall the Mydoom worms by removing the following registry entries:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\TaskMon
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Explorer
- HKEY_CURRENT_USER\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32
- HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32
- Scans the network, looking for systems infected with Mydoom. Starting from a random IP address, the worm attempts to connect to sequential IP addresses on TCP ports 3127, 3128, and 1080, the ports on which the Mydoom backdoor listens. When a connection is established, W32.HLLW.Deadhat sends a copy of itself to the Mydoom backdoor, which runs it, in effect replacing Mydoom on the remote machine. On the network this shows up as one host probing a run of consecutive addresses on those three ports.
- Connects to an IRC server and waits for commands.
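The scanning behaviour described above (one source walking consecutive IP addresses on the Mydoom backdoor ports 3127, 3128 and 1080) is easy to pick out of firewall or flow logs. The following Python script is an added example, not code from the original write-up: it groups connection attempts by source, keeps only those aimed at the Mydoom backdoor ports, and flags sources whose targets form a run of consecutive addresses. The log lines and the field layout (timestamp, source, destination, destination port, action) are constructed for the example and are not real captures.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List

# Ports on which the Mydoom backdoor listens; Deadhat probes sequential
# addresses on these to find hosts it can push a copy of itself to.
MYDOOM_BACKDOOR_PORTS = {3127, 3128, 1080}

# Constructed sample log (not a real capture): "time src dst dport action".
# 10.0.0.5 behaves like an infected host; the others are benign noise.
SAMPLE_LOG = """\
10:01:00 10.0.0.5 203.0.113.10 3127 DENY
10:01:00 10.0.0.5 203.0.113.11 3127 DENY
10:01:01 10.0.0.5 203.0.113.12 3127 ALLOW
10:01:01 10.0.0.5 203.0.113.13 3128 DENY
10:01:02 10.0.0.5 203.0.113.14 1080 DENY
10:01:02 10.0.0.5 203.0.113.15 3127 DENY
10:01:03 10.0.0.7 198.51.100.20 443 ALLOW
10:01:04 10.0.0.7 198.51.100.21 443 ALLOW
10:01:05 10.0.0.9 192.0.2.1 3128 ALLOW
"""


def parse_line(line: str):
    """Split one constructed log line into its five fields."""
    ts, src, dst, dport, action = line.split()
    return ts, src, dst, int(dport), action


def longest_sequential_run(addrs: List[str]) -> int:
    """Length of the longest run of consecutive IPv4 addresses in addrs."""
    ints = sorted({int(ipaddress.IPv4Address(a)) for a in addrs})
    if not ints:
        return 0
    best = run = 1
    for prev, cur in zip(ints, ints[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_mydoom_sweeps(log_text: str, min_targets: int = 4,
                       min_run: int = 3) -> Dict[str, dict]:
    """Return {src: details} for sources sweeping sequential IPs on Mydoom ports.

    min_targets: distinct destinations needed before a source is considered.
    min_run:     minimum run of consecutive addresses (the worm's signature).
    """
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, dport, action = parse_line(line)
        if dport in MYDOOM_BACKDOOR_PORTS:
            per_src[src].append((dst, dport, action))

    findings = {}
    for src, hits in per_src.items():
        dsts = [h[0] for h in hits]
        run = longest_sequential_run(dsts)
        if len(set(dsts)) >= min_targets and run >= min_run:
            findings[src] = {
                "targets": len(set(dsts)),
                "sequential_run": run,
                "ports": sorted({h[1] for h in hits}),
                # Connections that were allowed are where the worm would have
                # delivered its copy, so those hosts need checking too.
                "reached": sorted({h[0] for h in hits if h[2] == "ALLOW"}),
            }
    return findings


if __name__ == "__main__":
    for src, info in find_mydoom_sweeps(SAMPLE_LOG).items():
        print(f"{src}: probed {info['targets']} hosts "
              f"(run of {info['sequential_run']}) on {info['ports']}; "
              f"reached {info['reached']}")
```

The thresholds are deliberately low so the short sample trips them; on real traffic raise min_targets and min_run, and treat every address in "reached" as a host that likely had a Mydoom backdoor open and may now be running Deadhat instead.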
How Can I Remove the Vesser/Deadhat virus?
Kaspersky Internet Security can protect you from this worm and from the intrusion its backdoor allows.
If Kaspersky detects Deadhat during the scan, it will automatically offer you the option of deleting it. Do this by following the program's instructions.
Follow these steps to remove the Vesser/Deadhat worm.
1. Disabling System Restore (Windows Me/XP)
For instructions on how to turn off System Restore, read your Windows documentation, or the article "How to disable or enable Windows Me/XP System Restore".
2. Updating the virus definitions
Update your antivirus definitions before scanning. If you do not know which antivirus software can provide strong protection for you, Kaspersky Internet Security is recommended.
3. Restarting the computer in Safe mode or VGA mode
Shut down the computer and turn off the power.
Wait for at least 30 seconds, and then restart
the computer in Safe mode or VGA mode.
- For Windows 95, 98, Me, 2000, or XP users,
restart the computer in Safe mode.
- For Windows NT 4 users, restart the computer
in VGA mode.
4. Scanning for and deleting the infected files
- Start your Kaspersky Internet Security and make sure that it is
configured to scan all the files.
- Run a full system scan.
- If any files are detected as infected with
Vesser/Deadhat, click Delete.
5. Reversing the changes made to the registry
- Click Start, and then click Run. (The Run
dialog box appears.)
- Type regedit
Then click OK. (The Registry Editor opens.)
- Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- In the right pane, delete the value:
"KernelFaultChk"="%System%\sms.exe"
- Exit the Registry Editor.
- Restart the computer back into Normal mode.
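The steps above remove the worm from one machine by hand. On more than a few hosts a responder usually collects triage output (a `reg query` of the Run key, `netstat -ano`, and a listing of the Soulseek shared folder) and checks it for the indicators this write-up lists: the KernelFaultChk autorun value pointing at sms.exe, a TCP listener on port 2766, and the crack/keygen file names dropped into the share. The following Python script is an added example, not part of the original page; the sample outputs it parses are constructed, and the process ID and the outbound 198.51.100.7:6667 connection in the netstat sample are assumptions used to show how the backdoor process's other connections can be tied to it (the page does not name the IRC server or port).

```python
import ntpath
from typing import List

# Indicators from the write-up above.
RUN_VALUE = "KernelFaultChk"          # value under HKLM\...\CurrentVersion\Run
DROPPED_FILE = "sms.exe"              # %System%\sms.exe
BACKDOOR_PORT = 2766                  # TCP listener that executes uploaded programs
SOULSEEK_NAMES = {n.lower() for n in [
    "Windows2003Keygen.exe", "mIRC.v6.12.Keygen.exe",
    "Norton.All.Products.KeyMkr.exe", "F-Secure.Antivirus.Keymkr.exe",
    "FlashFXP.v2.1.FINAL.Crack.exe", "SecureCRTPatch.exe",
    "TweakXPProKeyGenerator.exe", "FRUITYLOOPS.SPYWIRE.FIX.EXE",
    "ALL.SERIALS.COLLECTION.2003-2004.EXE", "WinRescue.XP.v1.08.14.exe",
    "GoldenHawk.CDRWin.v3.9E.Incl.Keygen.exe",
    "BlindWrite.Suite.v4.5.2.Serial.Generator.exe",
    "Serv-U.allversions.keymaker.exe", "WinZip.exe", "WinRar.exe",
    "WinAmp5.Crack.exe",
]}

# Constructed sample triage output (not from a real host).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    KernelFaultChk    REG_SZ    C:\WINDOWS\System32\sms.exe
    ctfmon            REG_SZ    C:\WINDOWS\System32\ctfmon.exe
"""
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       804
  TCP    0.0.0.0:2766           0.0.0.0:0              LISTENING       1320
  TCP    10.0.0.5:1045          198.51.100.7:6667      ESTABLISHED     1320
  TCP    10.0.0.5:1046          198.51.100.9:80        ESTABLISHED     1700
"""
SAMPLE_SHARE = ["WinZip.exe", "song.mp3", "Serv-U.allversions.keymaker.exe"]


def check_run_key(reg_query_output: str) -> List[str]:
    """Flag the KernelFaultChk autorun value if its data is a path to sms.exe."""
    findings = []
    for line in reg_query_output.splitlines():
        parts = line.split(None, 2)          # name, type, data
        if len(parts) != 3 or parts[0].lower() != RUN_VALUE.lower():
            continue
        data = parts[2].strip().strip('"')
        if ntpath.basename(data).lower() == DROPPED_FILE:
            findings.append(f"autorun {parts[0]} -> {data}")
    return findings


def check_listener(netstat_output: str) -> List[str]:
    """Flag a TCP listener on 2766, then any outbound connection by the same PID."""
    rows = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "TCP":
            proto, local, remote, state, pid = parts[:5]
            rows.append((local, remote, state, pid))

    findings = []
    backdoor_pids = set()
    for local, _, state, pid in rows:
        if state == "LISTENING" and int(local.rsplit(":", 1)[1]) == BACKDOOR_PORT:
            findings.append(f"TCP listener on {BACKDOOR_PORT} (pid {pid})")
            backdoor_pids.add(pid)
    # The worm also connects out to an IRC server; the same process that owns
    # the 2766 listener is the one to look at for that control channel.
    for _, remote, state, pid in rows:
        if pid in backdoor_pids and state == "ESTABLISHED":
            findings.append(f"pid {pid} outbound to {remote} (possible IRC C2)")
    return findings


def check_share(filenames) -> List[str]:
    """Flag files in the Soulseek shared folder that match the worm's drop names."""
    return [f"Soulseek share drop: {n}" for n in filenames
            if n.lower() in SOULSEEK_NAMES]


def triage(reg_query_output: str, netstat_output: str, share_listing) -> List[str]:
    """Run all three checks; an empty list means none of the indicators were seen."""
    return (check_run_key(reg_query_output)
            + check_listener(netstat_output)
            + check_share(share_listing))


if __name__ == "__main__":
    for finding in triage(SAMPLE_REG_QUERY, SAMPLE_NETSTAT, SAMPLE_SHARE):
        print(finding)
```

Run it once against the output collected before cleanup to confirm the host is infected, and again after the restart into Normal mode: a clean host returns no findings. The file-name check only matches the names the write-up lists, so a renamed copy in the share would still need a definitions-based scan.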
How to Disinfect My Computer from Worms?
In order to keep your computer protected, bear the following tips in mind:
- This worm does not arrive by e-mail; it arrives through the Mydoom backdoor or as a file downloaded from a Soulseek share. Do not run cracks, keygens or serial generators obtained from file-sharing networks, and if you find any of the file names listed above in your shared folder, do not run them: delete them, making sure that you also delete them from the Recycle Bin.
- A host that still has the Mydoom backdoor open on ports 3127, 3128 or 1080 will be found and re-infected by this worm, so remove Mydoom as well, and block those ports and TCP port 2766 at the firewall.
- Install a good antivirus on your computer. Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
- Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
- Keep your permanent antivirus protection enabled at all times.