Date: February 13, 2004

Issue Preview:

1. Trend Micro Updates - Pattern File & Scan Engine Updates
2. Hold On To Your Hats - WORM_DEADHAT.B (Low Risk)
3. Top 10 Most Prevalent Global Malware
4. Tips and Best Practices for Safe Computing

1. Trend Micro Updates - Pattern File and Scan Engine Updates

PATTERN FILE: 765 
SCAN ENGINE: 6.810 


2. Hold On To Your Hats - WORM_DEADHAT.B (Low Risk) 
WORM_DEADHAT.B is a destructive, memory-resident worm that is currently spreading in the wild. 
It propagates on systems that are infected with WORM_MYDOOM.A and WORM_MYDOOM.B, 
and is capable of spreading via the peer-to-peer file-sharing application, SoulSeek. 
WORM_DEADHAT.B has the capability to drop itself as a file in the Windows folder, enumerate all 
running processes, terminate processes associated with antivirus programs, delete several system 
files, and connect to an Internet Relay Chat (IRC) server and wait for commands from a remote 
user. It runs on Windows 95, 98, ME, NT, 2000, and XP.
Upon execution, this worm drops a copy of itself as MSGSVR32.EXE in the Windows system folder, 
and creates a registry entry that allows it to execute at every system startup.
To propagate, this worm scans random IP addresses for infected systems at certain ports. These 
ports are opened by a backdoor component of the MYDOOM worm, which allows remote users to 
access the machines. It sends a command that causes the MYDOOM backdoor component to 
automatically upload its copy to the systems. It also can spread via SoulSeek, a peer-to-peer 
file-sharing application, by retrieving the shared folder and querying a registry key. It then 
drops a copy of itself in the shared folder using any of 17 specific names.
This malware’s backdoor routine opens a port and listens for commands from a remote user. It 
also connects to an Internet Relay Chat (IRC) server and joins a channel where it listens for 
commands that could allow a remote user to execute malicious actions.
The worm enumerates all running processes and terminates processes associated with antivirus 
programs. It also terminates instances of WORM_MYDOOM.A and WORM_MYDOOM.B in memory 
by terminating specific processes, and deletes registry entries which are added by these two 
MYDOOM variants.
It may also delete the following files:
C:\BOOT.INI 
C:\AUTOEXEC.BAT 
C:\CONFIG.SYS 
C:\Windows\WIN.INI 
C:\Windows\SYSTEM.INI 
C:\Windows\WININIT.INI 
C:\WINNT\WIN.INI 
C:\WINNT\SYSTEM.INI 
C:\WINNT\WININIT.INI 
The following internal text strings are embedded within this worm’s code:
Well, show me the way, To the next whiskey bar,
Oh, don't ask why, Oh, don't ask why,
Show me the way, To the next whiskey bar,
Oh, don't ask why, Oh, don't ask why,
For if we don't find, The next whiskey bar,
I tell you we must die, I tell you we must die,
I tell you, I tell you, I tell you we must die,
Oh, moon of Alabama, We now must say goodbye,
We've lost our good old mama,
And must have whiskey, oh, you now why,
Oh, moon of Alabama,
We now must say goodbye,
We've lost our good old mama,
And must have whiskey, oh, you now why,
Well, show me the way, To the next little girl,
Oh, don't ask why, Oh, don't ask why,
Show me the way, To the next little girl,
Oh, don't ask why, Oh, don't ask why,
For if we don't find, The next little girl,
I tell you we must die, I tell you we must die,
I tell you, I tell you, I tell you we must die,
Oh, moon of Alabama, We now must say goodbye,
We've lost our good old mama,
And must have whiskey, oh, you now why. 
If you would like to scan your computer for WORM_DEADHAT.B or thousands of other worms, 
viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: 
http://housecall.trendmicro.com
WORM_DEADHAT.B is detected and cleaned by Trend Micro pattern file #762 and above. 
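
A triage check built from the indicators in this report, added here as an example and not Trend Micro's code: it looks for the dropped MSGSVR32.EXE and for the files the worm may delete on a Windows volume mounted at a given directory. The function names and the candidate system-folder paths are assumptions, since the report does not spell out the folder path.

```python
import os

# File name and paths taken from the report above.
DROPPED_NAME = "MSGSVR32.EXE"
MAY_BE_DELETED = [
    r"C:\BOOT.INI", r"C:\AUTOEXEC.BAT", r"C:\CONFIG.SYS",
    r"C:\Windows\WIN.INI", r"C:\Windows\SYSTEM.INI", r"C:\Windows\WININIT.INI",
    r"C:\WINNT\WIN.INI", r"C:\WINNT\SYSTEM.INI", r"C:\WINNT\WININIT.INI",
]
# Assumption: the report only says "Windows system folder"; these are the
# usual locations on Windows 9x/ME and NT/2000/XP.
SYSTEM_DIRS = [r"C:\Windows\System", r"C:\Windows\System32", r"C:\WINNT\System32"]


def resolve(root, win_path):
    """Map a drive-C path onto a mounted volume, matching names case-insensitively.

    Returns the real path, or None if any component is missing.
    """
    current = root
    for part in win_path.split("\\")[1:]:  # drop the "C:" drive component
        try:
            entries = os.listdir(current)
        except OSError:
            return None
        match = next((e for e in entries if e.lower() == part.lower()), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    return current


def triage(root):
    """Return (dropped_copies, missing_files) for the volume mounted at root."""
    dropped = []
    for sysdir in SYSTEM_DIRS:
        hit = resolve(root, sysdir + "\\" + DROPPED_NAME)
        if hit and os.path.isfile(hit):
            dropped.append(hit)
    missing = []
    for path in MAY_BE_DELETED:
        parent = path.rsplit("\\", 1)[0]
        # Only report a file as missing when its folder exists on this volume,
        # so a Windows XP image is not flagged for lacking C:\WINNT files.
        parent_real = root if parent == "C:" else resolve(root, parent)
        if parent_real and resolve(root, path) is None:
            missing.append(path)
    return dropped, missing
```

A missing file is a lead for review rather than proof of infection, because some of the listed files can be absent on a clean system.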


3. Top 10 Most Prevalent Global Malware
(from February 5, 2004 to February 12, 2004)
WORM_MYDOOM.A 
WORM_NACHI.A 
PE_FUNLOVE.4099 
WORM_LOVGATE.F 
PE_VALLA.A 
WORM_SOBIG.F 
WORM_MOFEI.B 
WORM_KLEZ.H 
PE_NIMDA.E 
WORM_LOVGATE.G 


4. Tips and Best Practices for Safe Computing
To reduce the risk of virus infections, and reduce the possibility of inadvertently triggering or 
spreading viruses to other people, you can make use of some easily implemented "safe 
computing" practices. 
These safe computing tips and best practices for Windows 95/98, Me, XP, and 2000 can increase 
the security of your computer system, and help make your computer less prone to malicious code 
attacks.




For questions, comments, and suggestions about the Weekly Virus Report please contact the 
Newsletters Editor at newsletters@trendmicro.com.


