Summary
| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Protection available since | 7 October 2005 17:14:29 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
Please read the instructions for removing W32/Tilebot-AA.
More Information
W32/Tilebot-AA is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorized remote access to the infected computer via IRC channels.
W32/Tilebot-AA spreads to network shares with weak passwords when the backdoor Trojan element receives the appropriate command from a remote user. The worm can also spread to unpatched computers vulnerable to the following exploits:
- ASN.1 (MS04-007)
- LSASS (MS04-011)
- PNP (MS05-039)
- RPC-DCOM (MS04-012)
- WKS (MS03-049) (CAN-2003-0812)
W32/Tilebot-AA copies itself to the Windows folder with the filename yimsgr.exe and creates a service named "AOL Instant Messenger" with a startup type of automatic, causing the service to be run each time Windows starts.
W32/Tilebot-AA allows a remote user to perform a wide range of actions on the infected computer including downloading further files, setting registry entries and stealing information from the computer including from protected storage areas.
W32/Tilebot-AA attempts to terminate services with the following names in order to disrupt various security processes including the Windows firewall and Windows critical updates:
- Tlntsvr
- RemoteRegistry
- Messenger
- SharedAccess
- wscsvc
W32/Tilebot-AA attempts to set the following registry entries to disrupt various security processes:

| Registry key | Value name | Data |
|---|---|---|
| HKLM\SOFTWARE\Microsoft\Security Center | UpdatesDisableNotify | 1 |
| HKLM\SOFTWARE\Microsoft\Security Center | AntiVirusDisableNotify | 1 |
| HKLM\SOFTWARE\Microsoft\Security Center | FirewallDisableNotify | 1 |
| HKLM\SOFTWARE\Microsoft\Security Center | AntiVirusOverride | 1 |
| HKLM\SOFTWARE\Microsoft\Security Center | FirewallOverride | 1 |
| HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile | EnableFirewall | 0 |
| HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile | EnableFirewall | 0 |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\AutoUpdate | AUOptions | 1 |
| HKLM\SYSTEM\CurrentControlSet\Services\wscsvc | Start | 4 |
| HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr | Start | 4 |
| HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry | Start | 4 |
| HKLM\SYSTEM\CurrentControlSet\Services\Messenger | Start | 4 |
| HKLM\SYSTEM\CurrentControlSet\Control\Lsa | restictanonymous | 1 |
| HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters | AutoShareWks | 0 |
| HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters | AutoShareServer | 0 |
| HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters | AutoShareWks | 0 |
| HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters | AutoShareServer | 0 |
| HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate | DoNotAlloxXPSP2 | 1 |
| HKLM\SOFTWARE\Microsoft\OLE | EnableDCOM | "N" |
W32/Tilebot-AA may also set entries in the registry at the following locations:

- HKLM\SYSTEM\CurrentControlSet\Control\ (value name WaitToKillServiceTimeout)
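As an added example (not part of the Sophos analysis), the following Python checker parses a registry export (.reg text) and reports which of the values listed above are present with the data the worm sets; a defender can run it over an export taken from a suspect host without touching the live registry. The .reg sample is constructed, not a real capture.

```python
import re
# Key -> {value name: data} from the advisory above (registry names are case-insensitive).
TAMPER_INDICATORS = {
    r"HKLM\SOFTWARE\Microsoft\Security Center": dict.fromkeys(
        ["UpdatesDisableNotify", "AntiVirusDisableNotify", "FirewallDisableNotify",
         "AntiVirusOverride", "FirewallOverride"], "1"),
    r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile": {"EnableFirewall": "0"},
    r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile": {"EnableFirewall": "0"},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\AutoUpdate": {"AUOptions": "1"},
    r"HKLM\SOFTWARE\Microsoft\OLE": {"EnableDCOM": "N"},
    **{"HKLM\\SYSTEM\\CurrentControlSet\\Services\\" + svc: {"Start": "4"}  # Start=4: disabled
       for svc in ("wscsvc", "TlntSvr", "RemoteRegistry", "Messenger")},
}

_SECTION = re.compile(r"^\[([^\]]+)\]\s*$")      # [HKEY_LOCAL_MACHINE\...]
_VALUE = re.compile(r'^"([^"]+)"=(.+?)\s*$')     # "Name"=dword:00000001 or "Name"="N"
def _norm_key(key):
    return key.replace("HKEY_LOCAL_MACHINE", "HKLM").rstrip("\\").lower()
def _norm_data(data):  # dword:00000004 -> "4"; "N" -> N; other types left as written
    return str(int(data[6:], 16)) if data.startswith("dword:") else data.strip('"')

def parse_reg(text):
    """Map normalised key -> {value name (lower-cased): data} from .reg export text."""
    entries, key = {}, None
    for line in text.splitlines():
        if sec := _SECTION.match(line):
            key = _norm_key(sec.group(1))
            entries.setdefault(key, {})
        elif (val := _VALUE.match(line)) and key is not None:
            entries[key][val.group(1).lower()] = _norm_data(val.group(2))
    return entries

def find_tampering(text):
    # Every advisory indicator present with the data the worm sets, as (key, value, data).
    entries = parse_reg(text)
    return [(key, name, data) for key, values in TAMPER_INDICATORS.items()
            for name, data in values.items()
            if entries.get(_norm_key(key), {}).get(name.lower()) == data]

# Constructed sample export: two Security Center notifications off, wscsvc disabled,
# DCOM still enabled, so exactly three indicators should match.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE]
"EnableDCOM"="Y"
"""
```

A matching value is only an indicator: administrators also set some of these deliberately, so confirm hits against the yimsgr.exe file and the services described in the analysis.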
W32/Tilebot-AA attempts to remove network shares from the infected computer, as well as changing the policy for SeNetworkLogonRight for the computer.
W32/Tilebot-AA may attempt to contact scripts at the following addresses:
- http://cgi14.plala.or.jp
- http://hpcgi1.nifty.com
- http://www.age.ne.jp
- http://www.kinchan.net
- http://www2.dokidoki.ne.jp
- http://yia.s22.xrea.com
W32/Tilebot-AA creates the file pex.sys and sets up a service for it named PEX. This file is currently detected as Troj/RKFu-A.
The following registry entries are created as a result of registering the system services:
- HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AOL_INSTANT_MESSENGER (several entries)
- HKLM\SYSTEM\CurrentControlSet\Services\AOL Instant Messenger (several entries)
- HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PEX (several entries)
- HKLM\SYSTEM\CurrentControlSet\Services\pex (several entries)
Sophos's anti-virus products include Genotype™ detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/Tilebot-AA (detected as W32/Tilebot-Gen) since version 3.96.
