
W32/Deadhat-A

Feb 10, 2004 2:46AM PST

Aliases
Win32.Vesser.A, W32.HLLW.Deadhat, Vesser, W32/Vesser.worm.a

Type
Win32 worm

Description
W32/Deadhat-A is a worm that spreads via the Soulseek file sharing network and computers infected with the W32/MyDoom-A worm.
If the worm detects that it is being debugged, it does not spread but attempts to delete the following files:

C:\boot.ini
C:\autoexec.bat
C:\config.sys
C:\Windows\win.ini
C:\Windows\system.ini
C:\Windows\wininit.ini
C:\Winnt\win.ini
C:\Winnt\system.ini
C:\Winnt\wininit.ini

In order to run automatically when Windows starts up, the worm copies itself to the file sms.exe in the Windows system folder and adds the registry entry

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KernelFaultChk

pointing to the worm binary.


MORE: http://www.sophos.com/virusinfo/analyses/w32deadhata.html
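
A check for the persistence indicators described above, written as an added example that is not part of the original post or the Sophos analysis. It parses the text that `reg query` prints for the Run key; the sample output is constructed, and treating "Windows system folder" as `System32` or `System` is an assumption.

```python
import ntpath
import re

# Indicators taken from the post above.
RUN_VALUE = "kernelfaultchk"
WORM_FILE = "sms.exe"
# Assumption: "Windows system folder" means System32 (NT family) or System (9x).
SYSTEM_DIRS = {"system32", "system"}

# A value line in `reg query` output: indent, name, type, data (4-space gaps).
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

# Constructed sample output, not captured from a real host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    KernelFaultChk    REG_SZ    C:\WINDOWS\system32\sms.exe
    SessionHelper    REG_SZ    "C:\WINDOWS\system32\smss.exe" /background
"""

def parse_run_values(text):
    """Return {value name: data} for every value line in `reg query` output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group("name")] = m.group("data").strip()
    return values

def program_path(data):
    """Program path of a Run entry, without surrounding quotes or arguments."""
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", data, re.IGNORECASE)
    return m.group(1) if m else data

def deadhat_findings(text):
    """List (value name, data, reason) for Run entries matching the indicators."""
    findings = []
    for name, data in parse_run_values(text).items():
        folder, filename = ntpath.split(program_path(data))
        if name.lower() == RUN_VALUE:
            findings.append((name, data, "Run value name KernelFaultChk"))
        elif filename.lower() == WORM_FILE and ntpath.basename(folder).lower() in SYSTEM_DIRS:
            findings.append((name, data, "points to sms.exe in the system folder"))
    return findings

if __name__ == "__main__":
    print(deadhat_findings(SAMPLE))
```

The file name is compared exactly, so the legitimate Windows session manager `smss.exe` is not reported; a Run value with a different name is still reported if its data points to `sms.exe` in the system folder.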
