W32/DoomHunt-A

Discussion in 'malware problems & news' started by Marianna, Feb 13, 2004.

Thread Status:
Not open for further replies.
  1. Marianna, Spyware Fighter (Joined: Apr 23, 2002; Posts: 1,215; Location: B.C. Canada)

    Type
    Win32 worm

    Description
    W32/DoomHunt-A is a worm which spreads to computers infected with the W32/MyDoom-A and W32/MyDoom-B worms and terminates processes and removes files associated with these worms.
    W32/DoomHunt-A listens for connections on port 3127. If a connection is made, the worm sends back a copy of itself to be executed on the remote computer.

    When run, the worm copies itself to the Windows system folder using the filename worm.exe and creates the following registry entry to ensure it is run at system logon:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DELETE ME

    W32/DoomHunt-A will terminate the following processes:

    SHIMGAPI.DLL
    CTFMON.DLL
    REGEDIT.EXE
    TEEKIDS.EXE
    MSBLAST.EXE
    EXPLORER.EXE
    TASKMON.EXE
    INTRENAT.EXE

    and deletes the following files:

    SHIMGAPI.DLL
    CTFMON.DLL
    REGEDIT.EXE
    TEEKIDS.EXE
    MSBLAST.EXE
    EXPLORER.EXE
    TASKMON.EXE
    INTRENAT.EXE

    http://www.sophos.com/virusinfo/analyses/w32doomhunta.html
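
A host triage check for the three artifacts the post describes (the "DELETE ME" Run value, worm.exe in the system folder, and a listener on port 3127), as an added example that is not part of the original post or of the Sophos analysis. The function name `Test-DoomHuntArtifacts` is hypothetical, and the script assumes PowerShell 4.0 or later on Windows 8 / Server 2012 or later, where `Get-FileHash` and `Get-NetTCPConnection` are available.

```powershell
# Added example: triage a host for the W32/DoomHunt-A artifacts named in the post.
# Indicator values come from the post; the function name is hypothetical.
function Test-DoomHuntArtifacts {
    [CmdletBinding()]
    param(
        # Folder to check for the dropped copy; defaults to the Windows system folder.
        [string]$SystemFolder = [Environment]::SystemDirectory
    )

    $findings = @()

    # 1. Logon persistence: a value named "DELETE ME" under the per-user Run key.
    #    HKCU only covers the account running this script; repeat per user profile.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and ($run.PSObject.Properties.Name -contains 'DELETE ME')) {
        $findings += [pscustomobject]@{
            Indicator = 'Run value "DELETE ME"'
            Detail    = $run.'DELETE ME'
        }
    }

    # 2. Dropped copy: worm.exe in the system folder. Record a hash for the case file.
    $dropped = Join-Path $SystemFolder 'worm.exe'
    if (Test-Path -LiteralPath $dropped -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Indicator = 'worm.exe in system folder'
            Detail    = "$dropped SHA256=$hash"
        }
    }

    # 3. Network: any process listening on TCP 3127, with its owning process path.
    $listeners = Get-NetTCPConnection -State Listen -LocalPort 3127 -ErrorAction SilentlyContinue
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{
            Indicator = 'TCP listener on port 3127'
            Detail    = "PID $($l.OwningProcess) $($proc.Path)"
        }
    }

    $findings   # Empty output means none of the three artifacts were found.
}

Test-DoomHuntArtifacts | Format-Table -AutoSize -Wrap
```

A file named worm.exe or a listener on port 3127 is not conclusive by itself; treat a match on the Run value together with either of the other two as the stronger signal.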
     