Virus Update

[StRiDeR]

W32/Holar-J
Aliases
W32.Galil.F@mm

Type
Win32 worm

Detection
A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the March 2004 (3.79) release of Sophos Anti-Virus.


Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received just one report of this worm from the wild.


Description
W32/Holar-J is a worm which spreads by emailing itself via SMTP or via Microsoft Outlook. The worm also attempts to spread via MSN Messenger.
When run for the first time the worm displays the following false error message:

"The WinZip Wizard cannot open this file it does not apear to be a valid archive. if you downloaded this file, try downloading it again. if you want to add this file to an archive, first create or open the archive, then drop the file again."

W32/Holar-J is composed of a main dropper which drops and executes the files SYSCHK.EXE and SMTP.OCX within the Windows system folder. SMTP.OCX contains the worm's SMTP functionality and is detected by Sophos as W32/Holar-G.

The dropper also creates copies of SYSCHK.EXE as MIZZABBAT.EXE in the Windows folder and as ZACKER.EXE in a new folder called SYS32S within the Windows folder.

The worm creates an entry in the registry at the following location to run itself on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemChecker

W32/Holar-J creates the following CAB archives which contain the file RUNHELP.INF:

C:\\RUNHELP.CAB
C:\\SYS32S\RUNHELP.CAB

RUNHELP.INF attempts to run the file ZACKER.EXE.

W32/Holar-J also creates a file called FOLDER.HTT in the Windows web folder.

Emails have the following characteristics-

the subject line and message text may be absent or may be combinations of the following:
"Fw:"
"Re:"
"hey Check this out "
"Hey I thought you trusted me but ... i haven't thought i should send u my briefcase to gain ur Trust. Have it all bye"
"Hey Wussap? Here is the Emmy Dont tell Sam abt it Cya"
"Another one?"
"Heyyyy I lost the other email , anyway i sent u all u need Cya"
"Hey i have just got it , plz tell me if u need more. bye"
"Heyyyyyyyy Lola Wussaaap?? I forgot to tell u , the other file is with Sam:) bye"
"YO DUMP , IM SICK OF UR EMAILS , IF U LOSE IT AGAIN I WONT GIVE IT TO U, SAVE BYEEE"
"Hey wussap?i lost Sara's Email plzz send this file to her and tell her i can't be online tonight bye"
"heyyy I can't be online tonight anyway , i sent u something u r gonna love
cya tomorrow"
"Hi i just wanted to say sorry for last night and .. i wish u accept this as an apology bye dear"
"elegant ppl should satisfy thier taste with elegant things Wait for more "
"I've got your email , but you forgot to upload the attachments. Don't be selfish , i sent you all the files i have, send me anything bye"
"heyyy i tried many times to send u this email but ur account was out of storage ss i any way , make sure that i didn't and i won't forget u Cya Forgotten "
"i thing the subject is enough to describe the attached file ! check it out and replay your opinion Cya"
"Hiiiiiii i've got this surprise from a friend it really deserves a few minutes of your time. Bye"
"Never mind !"
"Attatchments"
"See the attatched file"
"you seem to be mad @ me coz i didn't send u anything for along time, i didn't forget u , but i was kinda busy , i've got all of ur emails thanx and i hope u accept this one as an apology."
"gift"
"Surprise!"
"Hi i'm fine , thanx for asking and thanx for the nice attachements. but unfortunately, i don't remember you i will be waiting for u emaill to remind me of your self. Hummm , i hope u accept this show as an apology. bye"
"save it for hard times"
"Happy Times "
"Useful"
"Very funny"
"hey wuts up? cyaaa"
"you have to see this!"
"amazing!"

the attached file can have one of the following extensions:

UUE, MIM, HQX, UU, XXE, BHX, EXE

W32/Holar-J deletes files with the following extensions:

JPG, DOC, PPS, RAM, RM, XLS, MDB, RAR, MPEG, MPG, AVI, MPE, ASF


Recovery
Please follow the instructions for removing worms.

Delete the files C:\\RUNHELP.CAB and C:\\SYS32S\RUNHELP.CAB if they exist.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemChecker

and remove any reference to any file you deleted.

Close the registry editor.

[StRiDeR]

W32/Mimail-T
Aliases
W32/Mimail.gen@MM

Type
Win32 worm

Detection
A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the April 2004 (3.80) release of Sophos Anti-Virus.


Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received just one report of this worm from the wild.


Description
W32/Mimail-T is an email worm.
W32/Mimail-T copies itself to the Windows folder with the filename kaspersky.exe and sets the following registry entry so as to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KasperskyAv

W32/Mimail-T contains the following text:

"*** GLOBAL WARNING: if any free email company or hosting company will close/filter my email/site accounts, it will be DDoS'ed in next version.
WARNING: centrum.cz will be DDoS'ed in next versions, coz they have closed my mimail-email account. Who next? ***"


Recovery
Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KasperskyAv

and delete it if it exists.

Close the registry editor.

[StRiDeR]

W32/Agobot-CP
Aliases
Backdoor.Agobot.3.gen

Type
Win32 worm

Detection
A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the March 2004 (3.79) release of Sophos Anti-Virus.


Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received just one report of this worm from the wild.


Description
W32/Agobot-CP is an IRC backdoor Trojan and network worm.
W32/Agobot-CP copies itself to network shares with weak passwords and attempts to spread to computers using the DCOM RPC and the RPC locator vulnerabilities.

These vulnerabilities allow the worm to execute its code on target computers with System level priviledges. For further information on these vulnerabilities and for details on how to protect/patch the computer against such attacks please see Microsoft security bulletins MS03-001 and MS03-026. MS03-026 has been superseded by Microsoft security bulletin MS03-039.

When first run, W32/Agobot-CP copies itself to the Windows system32 folder with the filename winpn32.exe and creates the following registry entries so that the worm is run when Windows starts up:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinPN32
= winpn32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\WinPN32
= winpn32.exe

W32/Agobot-CP connects to a remote IRC server and joins a specific channel. The backdoor functionality of the worm can then be accessed by an attacker using the IRC network.

The worm also attempts to terminate and disable various security-related programs.


Recovery
Please follow the instructions for removing worms.

[StRiDeR]

Troj/Sdbot-FM
Aliases
Backdoor.SdBot.gen, BKDR_Sdbot.Gen

Type
Trojan

Detection
A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the April 2004 (3.80) release of Sophos Anti-Virus.


Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received just one report of this Trojan from the wild.


Description
Troj/Sdbot-FM is a backdoor Trojan which runs in the background as a service process and allows unauthorised remote access to the computer via IRC channels.
The Trojan copies itself to the Windows system folder as svch0st.exe and creates entries in the registry at the following locations to run itself on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

The Trojan remains resident, listening for commands from remote users. If it receives the appropriate command the Trojan attempts to drop and execute a batch file detected as Bat/Botsecure-A in order to change the user's security settings.


Recovery
Please follow the instructions for removing Trojans.

[atokENSEM]

A new destructive internet virus is spreading rapidly through email attachments and file-sharing services, with some experts saying it could match the impact of last year's SoBig worm.

The virus dubbed MyDoom or Norvag, known as a worm because of the way it propagates itself, was clogging the internet and email servers around the global, experts said. More than 577 000 copies of the virus had been intercepted as of early Tuesday, according to the security firm MessageLabs.


Some analysts were comparing the new virus to SoBig, which paralysed some portions of the internet last year and prompted an FBI hunt for its creators.

"Initial indications are that MyDoom is propagating as fast as SoBig.F," said Scott Chasin, chief technology officer at US-based security firm MX Logic.

The company has seen a peak at 1200 infected emails per second, making it a "critical threat", according to a statement from MX Logic.
The bug was first spotted on Monday and had infected hundreds of thousand computers around the world by Tuesday morning, said Mikael Albrecht of the Finnish virus security firm F-Secure.

"It's a traditional email worm that spreads very rapidly, also through the content of the Kazaa peer-to-peer network, and by this morning probably some 200 000 computers had been infected already," Albrecht said.
Kazaa is a popular file-sharing service that lets internet surfers share content such as games, movies and music with each other for free.

The bug also uses the email addresses stored on infected computers to replicate itself and spread further, Albrecht pointed out.
Its main purpose, he said, is to attack and overload the web site of one of the world's biggest vendors of the Unix operating system, a competitor to Microsoft Windows.
The bug's secondary function is to provide its author with a back door to the infected computers, enabling him to access and use them remotely, Albrecht said.

The virus might be linked to spammers — senders of unsolicited email advertisements — since such a back door function can be used to relay spam mails, he pointed out.
The Mydoom virus is set to self-destruct on February 12, but its back door function will work beyond that, Albrecht warned.

AFP

[atokENSEM]

MyDoom worm spreading fast, Sophos warns users to be wary of viral email and hacker attack
Worm creates possessed zombie army to attack SCO website


The MyDoom worm can make a zombie of your computer

Sophos technical support has warned users of the W32/MyDoom-A which is spreading widely across the internet.

The MyDoom worm (also known as Novarg or Mimail-R) spreads via email, using a variety of technical-sounding subject lines and attachment names. If the attached file is launched, and the worm activated, the infected computer's hard disk is harvested by the worm for more email addresses to send itself to. The worm opens a backdoor onto infected computers which allows hackers to gain access.

The worm also spreads via the KaZaA file sharing network, and launches a denial of service (DoS) attack from infected computers (known as "zombies") against SCO's website between 1 and 12 February.

"MyDoom is unlike many other mass-mailing worms we have seen in the past, because it does not try to seduce users into opening the attachment by offering sexy pictures of celebrities or private messages," said Graham Cluley, senior technology consultant for Sophos. "MyDoom can pose as a technical-sounding message, claiming that the email body has been put in an attached file. Of course, if you launch that file you are potentially putting your data and computer straight into the hands of hackers."

"When the MyDoom worm forwards itself via email, it can create its attachment in either Windows executable or Zip file format. It is possible the worm's author did this in an attempt to bypass company filters which try and block EXE files from reaching their users from the outside world," continued Cluley.

Sophos has published a detailed analysis and protection against W32/MyDoom-A. A standalone disinfection utility is also available. Enterprise Manager customers are automatically protected at the time of their next scheduled update.



Download the IDE to protect against W32/MyDoom-A :
www.sophos.com/downloads/ide/mydoom-a.ide

Read about how to use IDE files :
www.sophos.com/support/faqs/usingides.html


Windows 95/98/Me and Windows NT/2000/XP/2003

W32/MyDoom-A can be removed from Windows 95/98/Me and Windows NT/2000/XP/2003 computers automatically with the following Resolve tools.

Windows disinfector

MYDOOGUI is a disinfector for standalone Windows computers

download MYDOOGUI (http://www.sophos.com/support/cleaners/mydoogui.com)
run it
then click GO.
If you are disinfecting several computers, download it, save it to floppy disk and run it from there.

Command line disinfector

MYDOOSFX.EXE is a self-extracting archive containing MYDOOCLI, a Resolve command line disinfector for use on Windows networks. Read the notes enclosed in the self-extractor for details on running this program.

MYDOOSFX.EXE : www.sophos.com/support/cleaners/mydoosfx.exe

[atokENSEM]

Latest News :


Beginning last night, solution providers and security vendors scrambled to stem the latest major virus outbreak, MyDoom, a virus that many say will have as large an impact as last summer's Sobig worm.MyDoom propagates when a user opens an infected attachment. Once the attached message is opened, the virus will copy itself in the system directory, look for Domain names on the machine and gather e-mail addresses, to start generating a glut of infected e-mail messages to valid recipients. The virus also pieces different names and Domain names together from a user's system to send out infected e-mails.

"The end result is a significant amount of e-mail emitting from infected machines on an ongoing basis," said Craig Schmugar, virus research manager with Network Associates' McAfee Avert Team. "This virus just continuously keeps generating names and sending messages as long as the system is up."

Within four hours of identifying the virus, 27,000 machines were infected, Network Associates said. The amount of infected e-mails received by McAfee's customers range from one in three being infected, to one in eight e-mails being infected, Schmugar said. McAfee, Trend Micro, Sophos and other security vendors released patches for the virus, either last night or this morning, which can be downloaded from the vendors' Web sites.Security solution provider Conqwest sent out an alert last night, and steered its customers to its own Web site or Sophos' and Trend Micro's to download the patch for MyDoom.

"It's crazy because what's happening is this virus is coming in so many different types of executable files and the messages are all different," said Michele Drolet, CEO of Conqwest, Holliston, Mass.

Conqwest also sent out the following warning and explanation to its customers:

"W32/MyDoom-A is a worm which travels by e-mail. The worm harvests e-mail addresses from your hard disk and uses randomly chosen addresses for both the "to" and "from" fields. This means that the "from" address is spoofed and does not tell you where the mail really came from.

"W32/MyDoom-A arrives in e-mails with the following characteristics:

"Subject lines include: error, hello, hi, mail delivery system, mail transaction failed, server report, status, test.

"Attachment names include: body, data, doc, document, file, message, readme, test, and random collection of characters.

"Attachment extensions include: bat, cmd, exe, pif, scr and zip.

"W32/MyDoom-A attaches itself to e-mails in either EXE (Windows program) or ZIP (Zip archive) format.

"W32/MyDoom-A drops itself to your System folder under the name taskmon.exe. W32/MyDoom-A also drops a file named shimgapi.dll, which is a backdoor program loaded by the worm. The backdoor allows outsiders to connect to TCP port 3127 on your computer.

"W32/MyDoom-A adds the value: Taskmon = taskmon.exe to the following registry key: HKLM%5CSoftware%5CMicrosoft%5CWindows%5CCurrentVersion%5CRun

"This means that W32/MyDoom-A loads every time you log on to your computer."

Paul Rohmeyer, partner and COO of Icons, an information security services firm based in North Brunswick, N.J., is similarly telling customers to download security vendors' patches to combat the virus, but is also recommending that customers temporarily block zip files.

"Beyond that, everyone is in a wait-and-see mode as to the real severity of the attack," said Rohmeyer.




Note: Hati2 siapa pakai kazaa

Untuk pengguna AV McAfee sila update pakai ni :



a64.g.akamai.net/7/64/2015/2004-01-25-06-/download.nai.com/products/mcafee-avert/sdat100983b.exe





Norton pi baca sini :

securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html

[StRiDeR]

Troj/Myss-C
Aliases
TrojanDownloader.Win32.Donn.r, Downloader-DS

Type
Trojan

Detection
A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the April 2004 (3.80) release of Sophos Anti-Virus.


Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received just one report of this Trojan from the wild.


Description
Troj/Myss-C is a simple Trojan that overwrites the file Windows\Hosts.sam under Windows 95/98/Me, and Windows\System32\Drivers\etc\hosts under Windows NT/2000/XP based systems with '127.0.0.1 localhost'.
Troj/Myss-C will then attempt to download and run the file Sys.exe from teens3.com/dialler/new2/1/m121689.mpg.


Recovery
Please follow the instructions for removing Trojans.

Replace the Hosts file from a backup.

[StRiDeR]

W32/Doomjuice-A
Aliases
W32/Doomjuice.worm.a, W32.HLLW.Doomjuice, WORM_DOOMJUICE.A, Win32.Doomjuice.A, Worm.Win32.Doomjuice

Type
Win32 worm

Detection
A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the April 2004 (3.80) release of Sophos Anti-Virus.


Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.


Description
W32/Doomjuice-A is a worm which spreads by exploiting a backdoor installed by W32/MyDoom-A.
The worm creates a copy of itself named intrenat.exe in the Windows system folder and creates the following registry entry to ensure that the copy is run when Windows is started:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Gremlin
= <Windows system folder>\intrenat.exe

The worm also creates a file named sync-src-1.00.tbz in the root, Windows, Windows system and user profile folders. Sync-src-1.00.tbz is a compressed archive containing source code of W32/MyDoom-A.

W32/Doomjuice-A will contact computers infected with W32/MyDoom-A by attempting to connect to port 3127 of randomly chosen IP addresses. If the worm contacts a computer infected with W32/MyDoom-A a copy of W32/Doomjuice-A will be transfered to the computer and executed.

On 9th February and any date thereafter the worm will wait for between 2 and 6 minutes and then attempt a distributed denial of service (DDoS) attack against www.microsoft.com.


Recovery
Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Gremlin= <Windows system folder>\intrenat.exe

and delete it if it exists.

Close the registry editor.

[StRiDeR]

W32/Wukill-B
Aliases
I-Worm.Rays, Win32/Wukill.B, W32.Wullik.B@mm, WORM_WUKILL.B

Type
Win32 worm

Detection
A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the April 2004 (3.80) release of Sophos Anti-Virus.


Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received just one report of this worm from the wild.


Description
W32/Wukill-B is an internet worm which can email itself to contacts found in the Microsoft Outlook address book.
The worm copies itself to the Windows folder as MSTRAY.EXE and creates the following registry entry so that MSTRAY.EXE is run automatically each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RavTimeXP
= <WINDOWS>\MSTRAY.EXE

The worm may copy itself to the A: floppy drive as Winkill.exe and may also copy itself to the following folders using random filenames consisting of 1-5 characters B-Z with an extension of EXE:
<WINDOWS>\System
<WINDOWS>\Web
<WINDOWS>\Fonts
<WINDOWS>\Temp
<WINDOWS>\Help

W32/Wukill-B may also drop a harmless data file called <WINDOWS>\Winfile.ini and COMMENT.HTT and DESKTOP.INI as hidden, system files in the root folder.

This worm may display the message "Warning. This File Has Been Damage!" upon execution:

W32/Wukill-B may open the File Manager application when executed on the 28th of the month.


Recovery
Please follow the instructions for removing worms.

[Kurt Cobain]

korang pakai scan virus aper erk?kalau pakai mcafee ok ke tak?

[StRiDeR]

Kurt said:

korang pakai scan virus aper erk?kalau pakai mcafee ok ke tak?

byk antivirus leh guna...norton...pc-cilin...panda...f-secure...sophos...emm...x tau lah elok ke tak kau nyer...lau kau nak tau mana satu lebih baik...kau cuba lah satu2 produk antivirus nie...baru lah kau tahu kelebihan dan kekurangan yg ader pada setiap antivirus...

[unikop]

Kurt said:

korang pakai scan virus aper erk?kalau pakai mcafee ok ke tak?

mcafee tak bagus.. pakai norton lagi best.. free updates..

[StRiDeR]

unikop said:

mcafee tak bagus.. pakai norton lagi best.. free updates..

tapi norton x real time scanning...

[StRiDeR]

W32/Deadhat-A
Aliases
Win32.Vesser.A, W32.HLLW.Deadhat, Vesser, W32/Vesser.worm.a

Type
Win32 worm

Detection
A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the April 2004 (3.80) release of Sophos Anti-Virus.


Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.


Description
W32/Deadhat-A is a worm that spreads via the Soulseek file sharing network and computers infected with W32/MyDoom-A worm.
If the worm detects that it is being debugged it does not spread but attempts to delete the following files:

C:\boot.ini
C:\autoexec.bat
C:\config.sys
C:\Windows\win.ini
C:\Windows\system.ini
C:\Windows\wininit.ini
C:\Winnt\win.ini
C:\Winnt\system.ini
C:\Winnt\wininit.ini.

In order to run automatically when Windows starts up the worm copies
itself to the file sms.exe in the Windows system folder and adds the registry entry

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KernelFaultChk

pointing to the worm binary.

When executed the worm may display a message box:
"Error executing program!"

The worm copies itself to the shared folder of an existing Soulseek installation using the following filenames:

WinXPKeyGen.exe
Windows2003Keygen.exe
mIRC.v6.12.Keygen.exe
Norton.All.Products.KeyMkr.exe
F-Secure.Antivirus.Keymkr.exe
FlashFXP.v2.1.FINAL.Crack.exe
SecureCRTPatch.exe
TweakXPProKeyGenerator.exe
FRUITYLOOPS.SPYWIRE.FIX.EXE
ALL.SERIALS.COLLECTION.2003-2004.EXE
WinRescue.XP.v1.08.14.exe
GoldenHawk.CDRWin.v3.9E.Incl.Keygen.exe
BlindWrite.Suite.v4.5.2.Serial.Generator.exe
Serv-U.allversions.keymaker.exe
WinZip.exe
WinRar.exe
WinAmp5.Crack.exe.

W32/Deadhat-A also attempts to terminate the following security and anti-virus related processes:

_avp
kfp4gui
kfp4ss
zonealarm
Azonealarm
avwupd32
avwin95
avsched32
avnt
avkserv
avgw
avgctrl
avgcc32
ave32
avconsol
apvxdwin
ackwin32
blackice
blackd
dv95
espwatch
esafe
efinet32
ecengine
f-stopw
fp-win
f-prot95
f-prot
fprot
f-agnt95
gibe
iomon98
iface
icsupp
icssuppnt
icmoon
icmon
icloadnt
icload95
ibmavsp
ibmasn
iamserv
iamapp
kpfw32
nvc95
nupgrade
nupdate
normist
nmain
nisum
navw
navsched
navnt
navlu32
navapw32
zapro.

W32/Deadhat-A listens on TCP port 2766. The port may be used to receive
and run file in the temporary folder.

W32/Deadhat-A also has an IRC backdoor component. The worm attempts to connect to one of a list of IRC servers and receives commands that allow a remote attacker control over the infected computer.

W32/Deadhat-A scans network address ranges for ports opened by the W32/MyDoom-A. The worm generates IP addresses of the format a.b.c.d where d is taken from an internal list, c is a random number and the values for a and b are enumerated consecutively starting from 0. If an open port is found, W32/Deadhat-A attempts to copy itself to the remote machine.


Recovery
Please follow the instructions for removing worms.

Check your administrator passwords and review network security.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KernelFaultChk

and delete it if it exists.

Close the registry editor.