W32/Tompai-A is a virus with backdoor functionality for the Windows platform, which spreads via network shares.
The virus creates three copies of itself in the Windows system folder. One copy is named mainsv.exe. The others are randomly chosen from the following pairs of names:
loadms.exe & loadmsnt.exe
cmpku.exe & cmpkunt.exe
netcompt.exe & netcomptnt.exe
ptsnopt.exe & ptsnoptnt.exe
ntdllf.exe & ntdllfnt.exe
The virus also infects EXE files on the local hard disk and creates copies of itself with the following names:
the_matrix.scr
mario_2.pif
matrix_desktop.pif
mp3_convert.pif
Zsnes_win.pif
VRMLpad_crack.pif
matrix3Dsetup.pif
Dx_ball2_Setup.pif
Crack_tools.exe
To ensure that the virus runs each time Windows starts, W32/Tompai-A adds the registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Cmpnt
The backdoor functionality of the virus allows a remote attacker access to the infected computer.
Hidden inside the worm is a piece of text which does not get displayed:
phantompain
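A triage check built from the file names and the Run value listed above, as an added example that is not part of the original description. It correlates mainsv.exe with a complete name pair rather than matching names one at a time; the function name, the verdict rule and the sample host data are assumptions made for illustration.

```python
# Indicator names come from the description above; verdict rule and sample data are constructed.
MAIN_COPY = "mainsv.exe"
PAIRS = [("loadms.exe", "loadmsnt.exe"), ("cmpku.exe", "cmpkunt.exe"),
         ("netcompt.exe", "netcomptnt.exe"), ("ptsnopt.exe", "ptsnoptnt.exe"),
         ("ntdllf.exe", "ntdllfnt.exe")]
DROPPED = {"the_matrix.scr", "mario_2.pif", "matrix_desktop.pif",
           "mp3_convert.pif", "zsnes_win.pif", "vrmlpad_crack.pif",
           "matrix3dsetup.pif", "dx_ball2_setup.pif", "crack_tools.exe"}
RUN_VALUE = "cmpnt"  # value name under the HKLM Run key named above


def triage(system_dir_files, run_value_names, other_files=()):
    """Return (verdict, findings) for artefacts collected from one host."""
    sysfiles = {f.lower() for f in system_dir_files}  # Windows names: case-insensitive
    findings = []
    if MAIN_COPY in sysfiles:
        findings.append("system folder: " + MAIN_COPY)
    full_pair = False
    for pair in PAIRS:
        hit = sorted(set(pair) & sysfiles)
        if len(hit) == 2:
            full_pair = True
            findings.append("system folder pair: " + " + ".join(hit))
        elif hit:  # one half only: report it, but it does not complete the pattern
            findings.append("system folder partial pair: " + hit[0])
    run_hit = RUN_VALUE in {v.lower() for v in run_value_names}
    if run_hit:
        findings.append("HKLM Run value: Cmpnt")
    for path in other_files:
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in DROPPED:
            findings.append("dropped copy: " + path)
    # Assumed rule: mainsv.exe plus a complete pair (the three copies described),
    # or the Run value backed by any file indicator, is "likely".
    strong = (MAIN_COPY in sysfiles and full_pair) or (run_hit and len(findings) > 1)
    verdict = "likely" if strong else "suspect" if findings else "clean"
    return verdict, findings


if __name__ == "__main__":
    # Constructed host data, not taken from a real system.
    files = ["kernel32.dll", "MAINSV.EXE", "cmpku.exe", "cmpkunt.exe"]
    print(triage(files, ["Cmpnt"], [r"C:\share\mario_2.pif"]))
```

Feed it the file listing of the Windows system folder, the value names under the Run key, and any other paths collected from local disks or shares.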