WORM_DEADHAT.B {Trend NewsLetter}

Discussion in 'malware problems & news' started by Randy_Bell, Feb 16, 2004.

Thread Status:
Not open for further replies.
    Randy_Bell, Registered Member (Santa Clara, CA):
    WORM_DEADHAT.B is a destructive, memory-resident worm that is currently spreading in-the-wild. It propagates on systems that are infected with WORM_MYDOOM.A and WORM_MYDOOM.B, and is capable of spreading via the peer-to-peer file-sharing application, SoulSeek. WORM_DEADHAT.B has the capability to drop itself as a file in the Windows folder, enumerate all running processes, terminate processes associated with antivirus programs, delete several system files, and connect to an Internet Relay Chat (IRC) server and wait for commands from a remote user. It runs on Windows 95, 98, ME, NT, 2000, and XP.

    Upon execution, this virus drops a copy of itself as MSGSVR32.EXE in the Windows system folder, and creates a registry entry that allows it to execute at every system startup.

    To propagate, this worm scans random IP addresses for infected systems at certain ports. These ports are opened by a backdoor component of the MYDOOM worm, which allows remote users to access the machines. It sends a command that causes the MYDOOM backdoor component to automatically upload its copy to the systems. It also can spread via SoulSeek, a peer-to-peer file-sharing application, by retrieving the shared folder and querying a registry key. It then drops a copy of itself in the shared folder using any of 17 specific names.

    This malware's backdoor routine opens a port and listens for commands from a remote user. It also connects to an Internet Relay Chat (IRC) server and joins a channel where it listens for commands that could allow a remote user to execute malicious actions.

    The worm enumerates all running processes and terminates processes associated with antivirus programs. It also terminates instances of WORM_MYDOOM.A and WORM_MYDOOM.B in memory by terminating specific processes, and deletes registry entries which are added by these two MYDOOM variants.

    It may also delete the following files:

    C:\BOOT.INI
    C:\AUTOEXEC.BAT
    C:\CONFIG.SYS
    C:\Windows\WIN.INI
    C:\Windows\SYSTEM.INI
    C:\Windows\WININIT.INI
    C:\WINNT\WIN.INI
    C:\WINNT\SYSTEM.INI
    C:\WINNT\WININIT.INI

    The following internal text strings are embedded within this worm's code:

    Well, show me the way, To the next whiskey bar,
    Oh, don't ask why, Oh, don't ask why,
    Show me the way, To the next whiskey bar,
    Oh, don't ask why, Oh, don't ask why,
    For if we don't find, The next whiskey bar,
    I tell you we must die, I tell you we must die,
    I tell you, I tell you, I tell you we must die,
    Oh, moon of Alabama, We now must say goodbye,
    We've lost our good old mama,
    And must have whiskey, oh, you now why,
    Oh, moon of Alabama,
    We now must say goodbye,
    We've lost our good old mama,
    And must have whiskey, oh, you now why,
    Well, show me the way, To the next little girl,
    Oh, don't ask why, Oh, don't ask why,
    Show me the way, To the next little girl,
    Oh, don't ask why, Oh, don't ask why,
    For if we don't find, The next little girl,
    I tell you we must die, I tell you we must die,
    I tell you, I tell you, I tell you we must die,
    Oh, moon of Alabama, We now must say goodbye,
    We've lost our good old mama,
    And must have whiskey, oh, you now why.

    If you would like to scan your computer for WORM_DEADHAT.B or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

    WORM_DEADHAT.B is detected and cleaned by Trend Micro pattern file #762 and above.
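As an added example (not from the Trend Micro bulletin or this post), the following Python triage helper correlates the indicators described above against a constructed host snapshot: the dropped MSGSVR32.EXE, its autorun registry value, a running instance with an IRC connection, and the deleted system files. The snapshot layout, the IRC port 6667 and the sample hosts are assumptions; the bulletin itself names no port.

```python
from dataclasses import dataclass

DROPPED_FILE = "msgsvr32.exe"  # copy the worm drops in the Windows system folder
IRC_PORTS = {6667}             # ASSUMPTION: bulletin names no port; 6667 is the usual IRC port
# Of the files the bulletin says the worm may delete, only WIN.INI and SYSTEM.INI exist on
# every listed Windows version; BOOT.INI, AUTOEXEC.BAT and CONFIG.SYS are optional on some,
# and WININIT.INI is transient, so their absence is reported but not scored.
STRONG_INI = ("WIN.INI", "SYSTEM.INI")
WEAK_ROOT = ("BOOT.INI", "AUTOEXEC.BAT", "CONFIG.SYS")

@dataclass
class HostSnapshot:           # constructed snapshot shape (assumption, not a real API)
    windir: str               # e.g. r"C:\WINNT" or r"C:\Windows"
    system_dir_files: set     # file names found in the Windows system folder
    run_values: dict          # autorun registry value name -> command line
    processes: set            # running image names
    connections: list         # (process image, remote TCP port)
    present_files: set        # full paths that currently exist on disk

def lower(items):
    return {x.lower() for x in items}

def triage(snap: HostSnapshot) -> dict:
    """Correlate the bulletin's indicators; two or more scored hits => 'infected'."""
    hits = []
    if DROPPED_FILE in lower(snap.system_dir_files):
        hits.append("dropped file in system folder")
    if any(DROPPED_FILE in cmd.lower() for cmd in snap.run_values.values()):
        hits.append("autorun registry value launches dropped file")
    if DROPPED_FILE in lower(snap.processes):
        hits.append("dropped file running as a process")
    if any(p.lower() == DROPPED_FILE and port in IRC_PORTS for p, port in snap.connections):
        hits.append("dropped file connected to an IRC port")
    present = lower(snap.present_files)
    gone = [n for n in STRONG_INI if f"{snap.windir}\\{n}".lower() not in present]
    if gone:
        hits.append("system INI files missing: " + ", ".join(gone))
    notes = [n for n in WEAK_ROOT if f"c:\\{n}".lower() not in present]
    verdict = "infected" if len(hits) >= 2 else "suspicious" if hits else "clean"
    return {"verdict": verdict, "indicators": hits, "optional_files_missing": notes}

# Constructed sample: a Windows 2000 host showing several of the bulletin's indicators.
SAMPLE = HostSnapshot(
    windir=r"C:\WINNT",
    system_dir_files={"kernel32.dll", "MSGSVR32.EXE"},
    run_values={"msgsvr32": r"C:\WINNT\System32\MSGSVR32.EXE"},
    processes={"explorer.exe", "msgsvr32.exe"},
    connections=[("msgsvr32.exe", 6667)],
    present_files={r"C:\BOOT.INI", r"C:\WINNT\WIN.INI"},  # SYSTEM.INI already deleted
)
CLEAN = HostSnapshot(r"C:\Windows", {"kernel32.dll"}, {}, {"explorer.exe"}, [],
                     {r"C:\Windows\WIN.INI", r"C:\Windows\SYSTEM.INI", r"C:\BOOT.INI",
                      r"C:\AUTOEXEC.BAT", r"C:\CONFIG.SYS"})
```

Missing optional files are returned separately so an NT-family host without AUTOEXEC.BAT is not scored as infected on that basis alone.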