Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 7 July 2005 21:26:06 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the worm has made.
In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
lsass
<System>\lsasrv.exe
and delete it if it exists.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell
it should contain a reference to explorer.exe (or possibly NALWIN32.exe if you are using NetWare) only. Remove any reference to any file you deleted. You may need to replace the reference to explorer.exe.
Close the registry editor.
More Information
W32/Tame-A is a worm that attempts to spread by email and peer-to-peer applications.
W32/Tame-A drops the worm W32/MyDoom-M and uses this to spread itself by email. Please see the description for W32/MyDoom-M for characteristics of the emails sent.
W32/Tame-A attempts to copy itself to shared folders for the KaZaa, Morpheus, iMesh, eDonkey and LimeWire peer-to-peer applications.
When first run the worm opens a data file "Me^sa~e#4%" with the Notepad application.
W32/Tame-A attempts to disable various security and firewall products. The worm also modifies the system HOSTS file in order to prevent access to certain websites.
When first run W32/Tame-A copies itself to <System>\lsasrv.exe and creates the following files:
<Temp>\Me^sa~e#4%
<Temp>\Mesa~e#4.txt
<System>\iexplor.dll
<System>\shlapiw.dll
<System>\version.ini
The file iexplor.dll is detected as W32/MyDoom-M.
The file shlapiw.dll is detected as Troj/HideProc-F.
The following registry entry is created to run lsasrv.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
lsass
<System>\lsasrv.exe
The worm also adds itself to the value of the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
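
A read-only check for the files, registry values and Hosts changes described above, as an added PowerShell example (not Sophos's own tooling). It assumes `<System>` is the Windows system directory and `<Temp>` is the current user's temp folder; it only reports what it finds, and removal still follows the Action steps.

```powershell
# Added example: reports W32/Tame-A artifacts named on this page. Changes nothing.
$sys  = [Environment]::SystemDirectory   # assumption: this is <System>
$temp = [IO.Path]::GetTempPath()         # assumption: <Temp> is the current user's temp folder
$findings = @()

# 1. Files the description says the worm creates.
$paths = @(
    (Join-Path $sys  'lsasrv.exe'),
    (Join-Path $sys  'iexplor.dll'),
    (Join-Path $sys  'shlapiw.dll'),
    (Join-Path $sys  'version.ini'),
    (Join-Path $temp 'Me^sa~e#4%'),
    (Join-Path $temp 'Mesa~e#4.txt')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# 2. Run value 'lsass' that starts lsasrv.exe at boot.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'lsass' -ErrorAction SilentlyContinue
if ($run) { $findings += "Run value 'lsass' = $($run.lsass)" }

# 3. Winlogon Shell should name explorer.exe (or NALWIN32.exe on NetWare) only.
$wlKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $wlKey -Name 'Shell' -ErrorAction SilentlyContinue).Shell
if ($shell -and (@('explorer.exe', 'nalwin32.exe') -notcontains $shell.Trim())) {
    $findings += "Winlogon Shell to review: $shell"
}

# 4. Hosts file: list every active (non-comment) line for manual review.
$hostsFile = Join-Path $sys 'drivers\etc\hosts'
if (Test-Path -LiteralPath $hostsFile) {
    foreach ($line in Get-Content -LiteralPath $hostsFile) {
        if ($line -match '^\s*[^#\s]') { $findings += "Hosts entry to review: $line" }
    }
}

if ($findings.Count -gt 0) { $findings }
else { 'None of the W32/Tame-A artifacts listed on this page were found.' }
```

On 64-bit Windows, run it from a 32-bit PowerShell as well, because a 32-bit program's view of the system directory and of HKLM\SOFTWARE is redirected.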
