WORM_DEADHAT.C

Discussion in 'malware problems & news' started by Marianna, Feb 17, 2004.

Thread Status:
Not open for further replies.
  1. Marianna

    Virus type: Worm

    Destructive: Yes

    Aliases: Win32/HLLW.Vesser.C

    Description:



    This memory-resident worm propagates on systems that are infected with WORM_MYDOOM.A and WORM_MYDOOM.B. It is also capable of spreading via the popular peer-to-peer file-sharing application, SoulSeek.

    It has the following capabilities:

    - Drop itself as the file LMSS.EXE in the C:\WINNT\System32\ folder
      (Note: This path is hardcoded in the malware code. If this folder does not exist on the system, it fails to drop its copy.)
    - Enumerate all running processes
    - Terminate processes associated with antivirus programs
    - Terminate instances of WORM_MYDOOM.A and WORM_MYDOOM.B
    - Delete several system files such as BOOT.INI and AUTOEXEC.BAT
    - Open port 2766, connect to an Internet Relay Chat (IRC) server, and join a channel to wait for malicious commands from a remote user

    It runs on Windows 98, ME, NT, 2000, and XP.

    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DEADHAT.C
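
The following is an added example, not part of the original post or the Trend Micro write-up: it checks a host snapshot for the observable traits listed above (the LMSS.EXE copy, local port 2766, the deleted system files). The snapshot format (a file listing plus `netstat -an` text), the root-of-C: locations for BOOT.INI and AUTOEXEC.BAT, and the sample data are assumptions.

```python
import re

DROPPED_FILE = r"c:\winnt\system32\lmss.exe"  # hardcoded drop path, from the description
BACKDOOR_PORT = 2766                           # port the worm opens, from the description
# Assumption: the deleted system files normally sit in the root of C:.
# BOOT.INI exists only on NT-family systems, so trim this list for Windows 98/ME hosts.
EXPECTED_FILES = [r"c:\boot.ini", r"c:\autoexec.bat"]
# One data row of `netstat -an`: proto, local addr:port, foreign addr:port, optional state
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$", re.I)

def local_ports(netstat_text):
    """Return {(proto, local_port, state)} for every data row in netstat output."""
    found = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            found.add((m.group(1).upper(), int(m.group(3)), m.group(5).upper()))
    return found

def triage(file_listing, netstat_text):
    """Compare a host snapshot with the observable traits in the description."""
    # Windows paths are case-insensitive, so normalise before comparing.
    files = {p.strip().lower().replace("/", "\\") for p in file_listing if p.strip()}
    findings = []
    if DROPPED_FILE in files:
        findings.append("dropped copy present: " + DROPPED_FILE)
    for expected in EXPECTED_FILES:
        if expected not in files:
            findings.append("system file missing: " + expected)
    for proto, port, state in sorted(local_ports(netstat_text)):
        if port == BACKDOOR_PORT:  # local side only; a remote port 2766 is not flagged
            findings.append("local port %d open (%s %s)" % (port, proto, state or "-"))
    return findings

# Constructed sample snapshot (not real telemetry): file paths and `netstat -an` text.
SAMPLE_FILES = [r"C:\AUTOEXEC.BAT", r"C:\WINNT\System32\LMSS.EXE", r"C:\WINNT\System32\kernel32.dll"]
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2766           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1042          192.0.2.10:80          ESTABLISHED
"""

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_FILES, SAMPLE_NETSTAT)))
```

A missing BOOT.INI or AUTOEXEC.BAT on its own is weak evidence; treat it as corroboration for the file and port findings.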
     