W32/Tiotua-G

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports
Protection available since: 11 Apr 2007 00:00:00 (GMT)
Last Updated: 11 Apr 2007 00:00:00 (GMT)


W32/Tiotua-G is a worm for the Windows platform.

W32/Tiotua-G spreads by copying itself to mapped disk drives and removable storage devices.

When run, the worm opens various programs such as Notepad, Solitaire, Pinball and Windows Media Player. It also tries to open and close the CD drive, and it pretends to select and delete all shortcuts on the Desktop. It then displays a fake message, "The 'USB Mass Storage Device' device can now be safely removed from the system.", and forces a reboot.

W32/Tiotua-G creates a number of Windows Scheduled Tasks to run itself at various times every day.


When W32/Tiotua-G is installed, it copies itself to all mapped drives as TinyVirusCleaner.exe and creates the following files:

<Root>\autorun.inf
<Root>\pantun teka teki.txt
<Windows>\Tempt\talk.bat

The following registry entry is created to run talk.bat on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
talk
<Windows>\Tempt\talk.bat

All the above text files are harmless and can be deleted.

The worm then opens various programs such as Notepad, Solitaire, Pinball and Windows Media Player. It also tries to open and close the CD drive, and it pretends to select and delete all shortcuts on the Desktop. It then displays a fake message, "The 'USB Mass Storage Device' device can now be safely removed from the system.", and forces a reboot.

W32/Tiotua-G creates a number of Windows Scheduled Tasks to run itself at various times every day.

W32/Tiotua-G changes settings for Microsoft Internet Explorer by modifying values under:

HKCU\Software\Microsoft\Internet Explorer\Main\
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page

The following registry entries are set, disabling system software:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr
1

Registry entries are also set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoViewContextMenu
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoViewContextMenu
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue
0
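
One way to check a host for the file and registry indicators listed above, as an added PowerShell example that is not part of the original description. It only reads; it assumes the TinyVirusCleaner.exe copy sits in each drive root, and it skips the scheduled tasks and Internet Explorer values because the page gives no task names or data for them.

```powershell
# Added example: read-only audit for the indicators listed in this description.
# Value names and data come from the page; the report layout is this example's own.
$policies = 'Software\Microsoft\Windows\CurrentVersion\Policies'
$registryChecks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'talk'; Match = '*\Tempt\talk.bat' }
    @{ Key = "HKCU:\$policies\System";   Name = 'DisableTaskMgr';       Match = '1' }
    @{ Key = "HKCU:\$policies\System";   Name = 'DisableRegistryTools'; Match = '1' }
    @{ Key = "HKLM:\$policies\System";   Name = 'DisableTaskMgr';       Match = '1' }
    @{ Key = "HKCU:\$policies\Explorer"; Name = 'NoFolderOptions';      Match = '1' }
    @{ Key = "HKCU:\$policies\Explorer"; Name = 'NoViewContextMenu';    Match = '1' }
    @{ Key = "HKLM:\$policies\Explorer"; Name = 'NoViewContextMenu';    Match = '1' }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
       Name = 'CheckedValue'; Match = '0' }
)

$findings = @()
foreach ($c in $registryChecks) {
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }          # key or value is absent
    $data = [string]$item.($c.Name)
    if ($data -like $c.Match) {
        $findings += [pscustomobject]@{ Type = 'Registry'; Location = "$($c.Key)\$($c.Name)"; Data = $data }
    }
}

# Files: <Windows>\Tempt\talk.bat, plus the worm copy and its text file on each drive.
# Assumption: the TinyVirusCleaner.exe copy is in the drive root, like the <Root> files.
$paths = @(Join-Path $env:windir 'Tempt\talk.bat')
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $copy = Join-Path $drive.Root 'TinyVirusCleaner.exe'
    $paths += $copy, (Join-Path $drive.Root 'pantun teka teki.txt')
    # autorun.inf is common on legitimate media, so report it only beside the worm copy.
    if (Test-Path -LiteralPath $copy) { $paths += Join-Path $drive.Root 'autorun.inf' }
}
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $findings += [pscustomobject]@{ Type = 'File'; Location = $p; Data = '' }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No listed W32/Tiotua-G indicators found.' }
```

A registry match only shows that a value equals the data listed here; administrators also set these policy values through Group Policy, so weigh them together with the Run-key and file findings.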
