W32/Tzet-B is a network worm.
W32/Tzet-B searches the local network for computers with weak or no passwords on the administrator or admin accounts to which it can copy itself.
W32/Tzet-B is a network worm. When run the worm creates the following files in the folder C:\<Windows>\System32:
AUTHEXEC.BAT - A batch file used by the worm and detected as W32/Tzet-A.
IGLMTRAY.EXE - Detected by Sophos Anti-Virus as Troj/Flood-DP
IGLXTRAY.EXE - Detected by Sophos Anti-Virus as Troj/Flood-DP
LRSS.INI - A mIRC config file used by the worm and detected as W32/Tzet-A.
MDDE32.EXE - A clean utility for terminating processes.
NNA.EXE - A Trojan downloaded detected bp Sophos Anti-Virus as Troj/Apher-H.
PRINTF_CORE.EXE - Detected by Sophos Anti-Virus as Troj/Delsha-C
VIDRIV.EXE - A clean utility to hide/show windows.
WMPT.EXE - A clean utility called PSExec.
WSUBSYS.WAV - The main component of this worm.
XCOPY.DLL - A text file containing a list of IP domains.
The worm adds the following registry entry to run the file iglmtray.exe when Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WUPD
W32/Tzet-B searches the local network for computers with weak or no passwords on the administrator or admin accounts to which it can copy itself.