high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Protection available since | 6 November 2005 03:42:26 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Tilebot-AS is a network worm with backdoor Trojan functionality for the Windows platform.
W32/Tilebot-AS spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.
W32/Tilebot-AS copies itself to the Windows folder with the filename pcryptv3.exe and registers itself as a service process named "pcryptv3". Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\pcryptv3
W32/Tilebot-AS allows a remote user to perform a wide range of actions on the infected computer including downloading further files, setting registry entries and stealing information from the computer including from protected storage areas.
W32/Tilebot-AS attempts to terminate services with the following names in order to disrupt various security processes including the Windows firewall and Windows critical updates:
Tlntsvr
RemoteRegistry
Messenger
SharedAccess
wscsvc
W32/Tilebot-AS attempts to set the following registry entries to disrupt various security processes:
HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\
AutoUpdate
AUOptions
1
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restictanonymous
1
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareWks
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareServer
0
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAlloxXPSP2
1
HKLM\SOFTWARE\Microsoft\OLE
EnableDCOM
"N"
W32/Tilebot-AS may also set entries in the registry at the following locations:
HKLM\SYSTEM\CurrentControlSet\Control\
WaitToKillServiceTimeout
W32/Tilebot-AS attempts to remove network shares from the infected computer, as well as changing the policy for SeNetworkLogonRight for the computer.
W32/Tilebot-AS may attempt to contact scripts on remote sites.
W32/Tilebot-AS may create the file rdriv.sys and set up a service for it named RDRIV. This file is currently detected Troj/Rootkit-W. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\rdriv
|
