Additional Details
System Infection
When Vesser enters a system it copies itself to the Windows
System Directory as 'sms.exe' and adds a reference to the file to the
registry under the following value:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KernelFaultChk
Network Propagation
Vesser mainly targets computers that have previously been infected
with the Mydoom.A or Mydoom.B worms. Vesser scans IP addresses for the
backdoors left behind by those worms: it connects to TCP ports 1080,
3127 and 3128 and tries to transfer a copy of itself in a
specially crafted package.
Once it has successfully penetrated a computer it removes the previous
Mydoom infection. It deletes the following registry keys and values:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TaskMon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
HKCU\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32
The worm terminates processes with names that contain any of the
following strings:
"document"
"readme"
"doc"
"text"
"file"
"data"
"test"
"message"
"body"
"taskmon"
"xsharez_scanner"
"BlackIce_Firewall_Enterpriseactivation_crack"
"zapSetup_95_693"
"MS59-56_hotfix"
"winamp0"
"NessusScan_pro"
"attackXP-6.71"
Propagation Through SoulSeek
If the infected computer has the SoulSeek file sharing application
installed, the worm copies itself to the shared folder under several
enticing names for other users to download:
"WinXPKeyGen.exe"
"Windows2003Keygen.exe"
"mIRC.v6.12.Keygen.exe"
"Norton.All.Products.KeyMkr.exe"
"F-Secure.Antivirus.Keymkr.exe"
"FlashFXP.v2.1.FINAL.Crack.exe"
"SecureCRTPatch.exe"
"TweakXPProKeyGenerator.exe"
"FRUITYLOOPS.SPYWIRE.FIX.EXE"
"ALL.SERIALS.COLLECTION.2003-2004.EXE"
"WinRescue.XP.v1.08.14.exe"
"GoldenHawk.CDRWin.v3.9E.Incl.Keygen.exe"
"BlindWrite.Suite.v4.5.2.Serial.Generator.exe"
"Serv-U.allversions.keymaker.exe"
"WinZip.exe"
"WinRar.exe"
"WinAmp5.Crack.exe"
Termination of Security Software
Vesser has a long list of processes that it tries to terminate if
it finds them running in memory:
"_avp"
"kfp4gui"
"kfp4ss"
"zonealarm"
"Azonealarm"
"avwupd32"
"avwin95"
"avsched32"
"avp"
"avnt"
"avkserv"
"avgw"
"avgctrl"
"avgcc32"
"ave32"
"avconsol"
"apvxdwin"
"ackwin32"
"blackice"
"blackd"
"dv95"
"espwatch"
"esafe"
"efinet32"
"ecengine"
"f-stopw"
"frw"
"fp-win"
"f-prot95"
"f-prot"
"fprot"
"f-agnt95"
"gibe"
"iomon98"
"iface"
"icsupp"
"icssuppnt"
"icmoon"
"icmon"
"icloadnt"
"icload95"
"ibmavsp"
"ibmasn"
"iamserv"
"iamapp"
"kpfw32"
"nvc95"
"nupgrade"
"nupdate"
"normist"
"nmain"
"nisum"
"navw"
"navsched"
"navnt"
"navlu32"
"navapw32"
"zapro"
Remote Update Feature
Once the worm is active it opens TCP port 2766 and waits for
clients. Connecting clients must authenticate with a cryptographic key.
If authentication succeeds, the backdoor accepts an uploaded file
and executes it on the system.
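Detection logic for the two network behaviours described above, the probing of Mydoom's backdoor ports under Network Propagation and the TCP 2766 update backdoor: an added example, not code from the original write-up or from F-Secure. It assumes flow records of the constructed form "<ISO time> <src> <dst> <dport>" and flags a source that reaches many distinct hosts on those ports inside a short window, which is the scanning pattern rather than a single proxy connection.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ports from the write-up: Mydoom backdoor on 1080/3127/3128, Vesser update port 2766.
MYDOOM_BACKDOOR_PORTS = {1080, 3127, 3128}
VESSER_UPDATE_PORT = 2766
# Constructed sample flow records ("<ISO time> <src> <dst> <dport>"), not write-up data.
SAMPLE_FLOWS = """\
2004-02-08T10:00:01 10.0.0.5 10.0.1.1 3127
2004-02-08T10:00:02 10.0.0.5 10.0.1.2 3127
2004-02-08T10:00:02 10.0.0.5 10.0.1.3 3128
2004-02-08T10:00:03 10.0.0.5 10.0.1.4 1080
2004-02-08T10:00:04 10.0.0.5 10.0.1.5 3127
2004-02-08T10:00:09 10.0.0.9 10.0.2.7 3128
2004-02-08T10:03:00 10.0.0.9 10.0.2.8 3128
2004-02-08T10:10:00 192.0.2.44 10.0.0.5 2766
""".splitlines()

def parse_flow(line):
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def find_backdoor_scanners(lines, window=timedelta(minutes=1), min_targets=5):
    """Source IP -> peak number of distinct hosts probed on the Mydoom backdoor
    ports within `window`; fewer than `min_targets` is ordinary proxy traffic."""
    per_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = parse_flow(line)
        if dport in MYDOOM_BACKDOOR_PORTS:
            per_src[src].append((ts, dst))
    scanners = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop events older than `window` before this one
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                scanners[src] = max(scanners.get(src, 0), len(targets))
    return scanners

def find_update_port_targets(lines):
    """Hosts that received an inbound connection on the TCP 2766 backdoor."""
    hits = set()
    for line in lines:
        _, _, dst, dport = parse_flow(line)
        if dport == VESSER_UPDATE_PORT:
            hits.add(dst)
    return sorted(hits)
```

On the sample records, 10.0.0.5 is reported as a scanner (five targets within four seconds) while 10.0.0.9's two spread-out connections are not, and 10.0.0.5 is also the host that accepted a connection on 2766.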
IRC Backdoor
The IRC backdoor component connects to a predefined IRC server and
listens on a specific channel for commands from the author.
The backdoor supports different commands to download and execute
arbitrary programs on the infected computer.
Detection
Detection in F-Secure Anti-Virus was published on February 7th, 2004 in
update:
[FSAV_Database_Version]
Version=2004-02-07_1
Write-up:
Gergely Erdelyi, February 9th, 2004;