W32/Deadhat-B is a worm that spreads via the SoulSeek file sharing network and computers infected with the W32/MyDoom worm.
W32/Deadhat-B creates a copy of itself in the system folder with the filename msgsrv32.exe and sets the following registry entry so that the worm is run when Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\msgsrv32
The worm copies itself to the shared folder of an existing SoulSeek installation using the following filenames:
WinXPKeyGen.exe
Windows2003Keygen.exe
mIRC.v6.12.Keygen.exe
Norton.All.Products.KeyMkr.exe
F-Secure.Antivirus.Keymkr.exe
FlashFXP.v2.1.FINAL.Crack.exe
SecureCRTPatch.exe
TweakXPProKeyGenerator.exe
FRUITYLOOPS.SPYWIRE.FIX.EXE
ALL.SERIALS.COLLECTION.2003-2004.EXE
WinRescue.XP.v1.08.14.exe
GoldenHawk.CDRWin.v3.9E.Incl.Keygen.exe
BlindWrite.Suite.v4.5.2.Serial.Generator.exe
Serv-U.allversions.keymaker.exe
WinZip.exe
WinRar.exe
WinAmp5.Crack.exe
W32/Deadhat-B has a backdoor component listening on TCP port 2766.
W32/Deadhat-B also has an IRC backdoor component. The worm attempts to connect to one of a list of IRC servers and receives commands through that channel, giving a remote attacker control of the infected computer.
W32/Deadhat-B scans network address ranges for ports opened by the W32/MyDoom worm and will attempt to copy itself to compromised machines.
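As an added triage example (not part of the original description), the following Python checks a host snapshot against the indicators listed above: the msgsrv32 Run entry and msgsrv32.exe drop, the SoulSeek shared-folder filenames, and the TCP port 2766 listener. The check functions take already-collected data; read_run_key is an assumed helper that reads the live Run key only on Windows.

```python
"""Triage checks for the W32/Deadhat-B indicators above (constructed example)."""
import ntpath
import sys

RUN_VALUE = "msgsrv32"            # value name under HKLM\...\CurrentVersion\Run
DROPPED_FILE = "msgsrv32.exe"     # copy of the worm placed in the system folder
BACKDOOR_PORT = 2766              # TCP listener of the backdoor component
SHARE_NAMES = {n.lower() for n in (
    "WinXPKeyGen.exe", "Windows2003Keygen.exe", "mIRC.v6.12.Keygen.exe",
    "Norton.All.Products.KeyMkr.exe", "F-Secure.Antivirus.Keymkr.exe",
    "FlashFXP.v2.1.FINAL.Crack.exe", "SecureCRTPatch.exe",
    "TweakXPProKeyGenerator.exe", "FRUITYLOOPS.SPYWIRE.FIX.EXE",
    "ALL.SERIALS.COLLECTION.2003-2004.EXE", "WinRescue.XP.v1.08.14.exe",
    "GoldenHawk.CDRWin.v3.9E.Incl.Keygen.exe", "Serv-U.allversions.keymaker.exe",
    "BlindWrite.Suite.v4.5.2.Serial.Generator.exe", "WinZip.exe", "WinRar.exe",
    "WinAmp5.Crack.exe")}

def exe_name(cmd: str) -> str:
    """Executable file name from a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    cmd = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return ntpath.basename(cmd).lower()

def check_run_entries(run_values: dict) -> list:
    """run_values maps Run value name -> command line; returns matching entries."""
    return [f"Run entry {name!r} -> {cmd}" for name, cmd in run_values.items()
            if name.lower() == RUN_VALUE or exe_name(cmd) == DROPPED_FILE]

def triage(run_values: dict, share_files, listening_ports) -> list:
    """Combine the persistence, shared-folder and port checks into findings."""
    findings = check_run_entries(run_values)
    findings += [f"SoulSeek share contains {f}"
                 for f in share_files if f.lower() in SHARE_NAMES]
    if BACKDOOR_PORT in set(listening_ports):
        findings.append(f"TCP port {BACKDOOR_PORT} is listening")
    return findings

def read_run_key() -> dict:
    """Assumed helper: read the live HKLM Run key on Windows, {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg
    values, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                return values
            values[name] = str(data)
            i += 1
```

Pair read_run_key() with a listing of the SoulSeek share and the output of netstat to feed triage() on a live host; the constructed inputs only exercise the matching logic.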
The worm may attempt to delete the following files:
C:\boot.ini
C:\autoexec.bat
C:\config.sys
C:\Windows\win.ini
C:\Windows\system.ini
C:\Windows\wininit.ini
C:\Winnt\win.ini
C:\Winnt\system.ini
C:\Winnt\wininit.ini
W32/Deadhat-B also attempts to terminate the following system-monitoring and anti-virus-related processes:
_avp
kfp4gui
kfp4ss
zonealarm
Azonealarm
avwupd32
avwin95
avsched32
avnt
avkserv
avgw
avgctrl
avgcc32
ave32
avconsol
apvxdwin
ackwin32
blackice
blackd
dv95
espwatch
esafe
efinet32
ecengine
f-stopw
fp-win
f-prot95
f-prot
fprot
f-agnt95
gibe
iomon98
iface
icsupp
icssuppnt
icmoon
icmon
icloadnt
icload95
ibmavsp
ibmasn
iamserv
iamapp
kpfw32
nvc95
nupgrade
nupdate
normist
nmain
nisum
navw
navsched
navnt
navlu32
navapw32
zapro