
WORM_DEADHAT.C

Feb 16, 2004 12:52PM PST

Virus type: Worm

Destructive: Yes

Aliases: Win32/HLLW.Vesser.C

This memory-resident worm propagates on systems that are infected with WORM_MYDOOM.A and WORM_MYDOOM.B. It is also capable of spreading via the popular peer-to-peer file-sharing application, SoulSeek.

It has the following capabilities:

Drop itself as the file LMSS.EXE in the C:\WINNT\System32\ folder
(Note: This path is hardcoded in the malware code. If this folder does not exist on the system, it fails to drop its copy.)
Enumerate all running processes
Terminate processes associated with antivirus programs
Terminate instances of WORM_MYDOOM.A and WORM_MYDOOM.B
Delete several system files such as BOOT.INI and AUTOEXEC.BAT
Open port 2766, connect to an Internet Relay Chat (IRC) server, and join a channel to wait for malicious commands from a remote user
It runs on Windows 98, ME, NT, 2000, and XP.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DEADHAT.C
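
A host triage check built from the indicators listed in the post above (the hardcoded drop path, listening port 2766, and the deleted system files), as an added example that is not part of the original post or of Trend Micro's write-up. The function names, the sample data and the root-of-C: location of BOOT.INI and AUTOEXEC.BAT are assumptions.

```python
import re

# Indicators taken from the description above.
DROP_PATH = r"c:\winnt\system32\lmss.exe"
BACKDOOR_PORT = 2766
# Assumption: the deleted system files normally sit in the root of C:.
EXPECTED_FILES = [r"c:\boot.ini", r"c:\autoexec.bat"]

# Matches TCP rows of Windows `netstat -an` output: local addr:port, remote, state.
NETSTAT_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+(\S+)\s*$", re.IGNORECASE)

def listening_ports(netstat_text):
    """Return the set of TCP ports that are in LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m and m.group(3).upper() == "LISTENING":
            ports.add(int(m.group(2)))
    return ports

def triage(file_listing, netstat_text):
    """Compare one host's file listing and netstat output with the indicators."""
    present = {p.strip().lower() for p in file_listing if p.strip()}
    findings = []
    if DROP_PATH in present:
        findings.append("dropped copy present: " + DROP_PATH)
    if BACKDOOR_PORT in listening_ports(netstat_text):
        findings.append("TCP port %d is listening" % BACKDOOR_PORT)
    for path in EXPECTED_FILES:
        # Weak signal on its own; meaningful next to the two findings above.
        if path not in present:
            findings.append("system file missing: " + path)
    return findings

# Constructed sample input (not captured from a real host).
SAMPLE_FILES = [r"C:\WINNT\System32\LMSS.EXE", r"C:\WINNT\System32\KERNEL32.DLL"]
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2766           0.0.0.0:0              LISTENING
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_FILES, SAMPLE_NETSTAT):
        print(finding)
```

Because the drop path is hardcoded, a host whose Windows directory is not C:\WINNT would not carry the LMSS.EXE copy, so an empty result on such a host says little about whether it was exposed.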
