Classification

Category :

Malware

Type :

Worm

Aliases :

Vesser, W32.HLLW.Deadhat

Summary

Vesser is a network worm that was found on February 7th, 2004.

This worm spreads through the backdoors left behind by Mydoom.A and Mydoom.B, as well as through the Peer-to-Peer file sharing application SoulSeek.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

System Infection

When Vesser enters a system it copies itself to the Windows System Directory as 'sms.exe' and adds the file to the registry as:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KernelFaultChk

Network Propagation

Vesser mainly targets computers that have previously been infected with the Mydoom.A or Mydoom.B worms. It scans IP addresses for the backdoors left by those worms, connecting to TCP ports 1080, 3127 and 3128, and tries to copy itself to the target in a specially crafted package.

Once it has successfully penetrated a computer, it removes the previous Mydoom infection by deleting the following registry keys and values:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TaskMon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer

HKCU\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32

The worm terminates processes with names that contain any of the following strings:

"document"
"readme"
"doc"
"text"
"file"
"data"
"test"
"message"
"body"
"taskmon"
"xsharez_scanner"
"BlackIce_Firewall_Enterpriseactivation_crack"
"zapSetup_95_693"
"MS59-56_hotfix"
"winamp0"
"NessusScan_pro"
"attackXP-6.71"

Propagation Through SoulSeek

If the infected computer has a copy of the SoulSeek file sharing application, the worm copies itself to the shared folder under a number of enticing file names intended to lure other users into downloading it:

"WinXPKeyGen.exe"
"Windows2003Keygen.exe"
"mIRC.v6.12.Keygen.exe"
"Norton.All.Products.KeyMkr.exe"
"F-Secure.Antivirus.Keymkr.exe"
"FlashFXP.v2.1.FINAL.Crack.exe"
"SecureCRTPatch.exe"
"TweakXPProKeyGenerator.exe"
"FRUITYLOOPS.SPYWIRE.FIX.EXE"
"ALL.SERIALS.COLLECTION.2003-2004.EXE"
"WinRescue.XP.v1.08.14.exe"
"GoldenHawk.CDRWin.v3.9E.Incl.Keygen.exe"
"BlindWrite.Suite.v4.5.2.Serial.Generator.exe"
"Serv-U.allversions.keymaker.exe"
"WinZip.exe"
"WinRar.exe"
"WinAmp5.Crack.exe"
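The System Infection section above gives two host indicators (the Run value name 'KernelFaultChk' and the file 'sms.exe' in the Windows System Directory), and this section gives the lure file names placed in the SoulSeek share. The following script, added here as an example and not F-Secure's own code, checks a `reg query` dump of the HKLM Run key and a listing of a shared folder against those indicators. The system directory path, the `reg query` row format and all sample input are constructed assumptions for the example; on a real host the values would be read from the registry and the SoulSeek share directory.

```python
"""Host-indicator triage for Vesser (W32.HLLW.Deadhat).

Checks a dump of the HKLM Run key and a listing of a SoulSeek shared folder
against the indicators given in the description: the Run value name
'KernelFaultChk', the dropped file 'sms.exe' in the Windows system
directory, and the lure file names the worm drops into the share.
Added example, not F-Secure's code; all sample input below is constructed.
"""
import re
from pathlib import PureWindowsPath

# Indicators taken from the description above.
RUN_VALUE_NAME = "KernelFaultChk"
DROPPED_FILE = "sms.exe"
SOULSEEK_LURES = {name.lower() for name in (
    "WinXPKeyGen.exe", "Windows2003Keygen.exe", "mIRC.v6.12.Keygen.exe",
    "Norton.All.Products.KeyMkr.exe", "F-Secure.Antivirus.Keymkr.exe",
    "FlashFXP.v2.1.FINAL.Crack.exe", "SecureCRTPatch.exe",
    "TweakXPProKeyGenerator.exe", "FRUITYLOOPS.SPYWIRE.FIX.EXE",
    "ALL.SERIALS.COLLECTION.2003-2004.EXE", "WinRescue.XP.v1.08.14.exe",
    "GoldenHawk.CDRWin.v3.9E.Incl.Keygen.exe",
    "BlindWrite.Suite.v4.5.2.Serial.Generator.exe",
    "Serv-U.allversions.keymaker.exe", "WinZip.exe", "WinRar.exe",
    "WinAmp5.Crack.exe",
)}

# One value row of `reg query` output: name, type and data separated by
# runs of at least two spaces (assumed format for this example).
_REG_ROW = re.compile(r"^\s+(?P<name>\S.*?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")


def parse_reg_query(output):
    """Return {value_name: data} from the text of `reg query <key>`."""
    values = {}
    for line in output.splitlines():
        m = _REG_ROW.match(line)
        if m:
            values[m.group("name")] = m.group("data").strip()
    return values


def _executable(data):
    """Extract the executable path from Run value data, quoted or not."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data.split(" ", 1)[0]


def check_run_values(values, system_dir=r"C:\WINDOWS\system32"):
    """Report Run values matching Vesser's persistence indicators.

    The value name and the dropped file are checked independently, so a
    sample that changes one of them is still reported on the other.
    system_dir is an assumption for the sample; read %SystemRoot% on a
    real host.
    """
    findings = []
    sysdir = PureWindowsPath(system_dir)
    for name, data in values.items():
        path = PureWindowsPath(_executable(data))
        reasons = []
        if name.lower() == RUN_VALUE_NAME.lower():
            reasons.append("Run value name used by Vesser")
        # PureWindowsPath compares case-insensitively, as Windows does.
        if path.name.lower() == DROPPED_FILE and path.parent == sysdir:
            reasons.append("sms.exe in the Windows system directory")
        if reasons:
            findings.append({"value": name, "data": data, "reasons": reasons})
    return findings


def check_share_names(paths):
    """Return the shared-folder paths whose file name is one of the lures."""
    return sorted(p for p in paths if PureWindowsPath(p).name.lower() in SOULSEEK_LURES)


# Constructed sample input, not captured from a real host.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Updater    REG_SZ    "C:\Program Files\Example\updater.exe" /quiet
    KernelFaultChk    REG_SZ    C:\WINDOWS\system32\sms.exe
"""
SAMPLE_SHARE = [
    r"C:\Program Files\SoulSeek\shared\holiday.jpg",
    r"C:\Program Files\SoulSeek\shared\WinXPKeyGen.exe",
    r"C:\Program Files\SoulSeek\shared\winrar.exe",
]

if __name__ == "__main__":
    for f in check_run_values(parse_reg_query(SAMPLE_REG_OUTPUT)):
        print(f"Run value {f['value']!r} -> {f['data']}: {'; '.join(f['reasons'])}")
    for p in check_share_names(SAMPLE_SHARE):
        print("Lure file in SoulSeek share:", p)
```

The two persistence indicators are reported separately on purpose: a hit on only one of them still deserves a look, since either the value name or the file name could differ in another sample. File names are compared case-insensitively because NTFS and the SoulSeek client do not distinguish case.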

Termination of Security Software

Vesser has a long list of processes that it tries to terminate if it finds them running in memory:

"_avp"
"kfp4gui"
"kfp4ss"
"zonealarm"
"Azonealarm"
"avwupd32"
"avwin95"
"avsched32"
"avp"
"avnt"
"avkserv"
"avgw"
"avgctrl"
"avgcc32"
"ave32"
"avconsol"
"apvxdwin"
"ackwin32"
"blackice"
"blackd"
"dv95"
"espwatch"
"esafe"
"efinet32"
"ecengine"
"f-stopw"
"frw"
"fp-win"
"f-prot95"
"f-prot"
"fprot"
"f-agnt95"
"gibe"
"iomon98"
"iface"
"icsupp"
"icssuppnt"
"icmoon"
"icmon"
"icloadnt"
"icload95"
"ibmavsp"
"ibmasn"
"iamserv"
"iamapp"
"kpfw32"
"nvc95"
"nupgrade"
"nupdate"
"normist"
"nmain"
"nisum"
"navw"
"navsched"
"navnt"
"navlu32"
"navapw32"
"zapro"

Remote Update Feature

Once activated, the worm opens TCP port 2766 and waits for clients to connect. Connecting clients must authenticate with a cryptographic key. If authentication succeeds, the backdoor accepts an uploaded file and executes it on the system.
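The network behaviour described in the Network Propagation section and here gives three indicators that can be checked from a `netstat -ano` dump on a Windows host: a listener on TCP 2766 (the remote update backdoor), listeners on TCP 1080, 3127 or 3128 (the Mydoom.A/B backdoor ports the worm spreads through, so the host was a candidate target), and a single process connecting to those ports on many different remote hosts (the scanning). The script below is added here as an example and is not F-Secure's code; the netstat lines are constructed, and the threshold of five distinct hosts for calling a process a scanner is an assumption for the example.

```python
"""Network-indicator triage for Vesser from Windows `netstat -ano` output.

Flags, per the description: a listener on TCP 2766 (the worm's remote
update backdoor), listeners on TCP 1080/3127/3128 (Mydoom.A/B backdoor
ports Vesser spreads through), and a process contacting those ports on
many distinct remote hosts (the worm's scanning).
Added example, not F-Secure's code; the netstat lines are constructed.
"""
from collections import defaultdict

VESSER_BACKDOOR_PORT = 2766
MYDOOM_BACKDOOR_PORTS = {1080, 3127, 3128}


def parse_netstat(lines):
    """Yield (local_ip, local_port, remote_ip, remote_port, state, pid)
    for IPv4 TCP rows of `netstat -ano`; headers, UDP and IPv6 rows are
    skipped (IPv6 addresses contain several colons)."""
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        _, local, remote, state, pid = parts
        if local.count(":") != 1 or remote.count(":") != 1:
            continue
        lip, lport = local.rsplit(":", 1)
        rip, rport = remote.rsplit(":", 1)
        yield lip, int(lport), rip, int(rport), state, int(pid)


def analyze_netstat(lines, scan_threshold=5):
    """Return the Vesser-related indicators found in the dump.

    scan_threshold (an assumption) is the number of distinct remote hosts
    one PID must contact on the Mydoom ports before it is reported.
    """
    result = {
        "vesser_listener_pids": set(),   # PIDs listening on 2766
        "mydoom_listener_ports": set(),  # Mydoom backdoor ports open locally
        "scanning_pids": {},             # PID -> distinct hosts contacted
    }
    targets = defaultdict(set)
    for _lip, lport, rip, rport, state, pid in parse_netstat(lines):
        if state == "LISTENING":
            if lport == VESSER_BACKDOOR_PORT:
                result["vesser_listener_pids"].add(pid)
            if lport in MYDOOM_BACKDOOR_PORTS:
                result["mydoom_listener_ports"].add(lport)
        elif rport in MYDOOM_BACKDOOR_PORTS:
            # Outbound attempt (SYN_SENT or ESTABLISHED) to a backdoor port.
            targets[pid].add(rip)
    for pid, hosts in targets.items():
        if len(hosts) >= scan_threshold:
            result["scanning_pids"][pid] = len(hosts)
    return result


# Constructed sample output (RFC 5737 documentation addresses), not a real capture.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:2766           0.0.0.0:0              LISTENING       1588
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING       1412
  TCP    192.0.2.10:1033        192.0.2.21:3127        SYN_SENT        1588
  TCP    192.0.2.10:1034        192.0.2.22:3127        SYN_SENT        1588
  TCP    192.0.2.10:1035        192.0.2.23:3128        SYN_SENT        1588
  TCP    192.0.2.10:1036        192.0.2.24:1080        SYN_SENT        1588
  TCP    192.0.2.10:1037        192.0.2.25:3127        ESTABLISHED     1588
  TCP    192.0.2.10:1038        198.51.100.7:443       ESTABLISHED     2104
  UDP    0.0.0.0:500            *:*                                    720
""".splitlines()

if __name__ == "__main__":
    r = analyze_netstat(SAMPLE_NETSTAT)
    for pid in sorted(r["vesser_listener_pids"]):
        print(f"PID {pid} listens on TCP {VESSER_BACKDOOR_PORT} (Vesser remote update backdoor)")
    for port in sorted(r["mydoom_listener_ports"]):
        print(f"Mydoom backdoor port {port} is open locally")
    for pid, n in r["scanning_pids"].items():
        print(f"PID {pid} contacted {n} hosts on Mydoom backdoor ports (scanning)")
```

The scan check groups by PID rather than by port because the worm, per the description, probes all three ports; a single process reaching several hosts on any of them is the behaviour worth reporting, while one connection to a SOCKS proxy on 1080 is not.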

IRC Backdoor

The IRC backdoor component connects to a predefined IRC server and listens on a specific channel for commands from the author. The backdoor supports different commands to download and execute arbitrary programs on the infected computer.