Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 9 November 2005 14:11:59 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
More Information
W32/Tilebot-AY is a network worm and backdoor Trojan for the Windows platform.
W32/Tilebot-AY spreads by copying itself to network shares protected by weak passwords and by exploiting the following vulnerabilities: LSASS (MS04-011), RPC-DCOM (MS04-012), PNP (MS05-039), ASN.1 (MS04-007).
The following patches for the operating system vulnerabilities exploited by W32/Tilebot-AY can be obtained from the Microsoft website:
MS04-011
MS04-012
MS05-039
MS04-007
W32/Tilebot-AY copies itself to <Windows>\cytob.exe and registers itself as a service process named "WindowsSysBoot". Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\WindowsSysBoot\
W32/Tilebot-AY allows a remote user to perform a wide range of actions on the infected computer, including:
downloading and executing further files
editing registry entries
capturing network traffic
stealing passwords stored on local disks
W32/Tilebot-AY attempts to terminate the following security services:
Tlntsvr
RemoteRegistry
Messenger
SharedAccess
wscsvc
W32/Tilebot-AY sets the following registry entries:

| Key | Value name | Data |
|---|---|---|
| HKLM\SOFTWARE\Microsoft\Ole\ | EnableDCOM | N |
| HKLM\SOFTWARE\Microsoft\Security Center\ | AntiVirusOverride | 1 |
| HKLM\SOFTWARE\Microsoft\Security Center\ | FirewallOverride | 1 |
| HKLM\SYSTEM\CurrentControlSet\Control\ | WaitToKillServiceTimeout | 7000 |
| HKLM\SYSTEM\CurrentControlSet\Control\Lsa | restrictanonymous | 1 |
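The following host check is an added example, not Sophos's own tooling: it looks for the indicators this page lists (the dropped file, the service key, the registry values the worm writes and the security services it stops) and reports each one found. It assumes an elevated PowerShell session on the host being examined; the function name is made up for this example.

```powershell
# Added example: check a Windows host for the W32/Tilebot-AY indicators listed above.
# Assumes an elevated PowerShell session. Returns $true if any indicator is present.
function Test-TilebotAYIndicators {
    $findings = @()

    # Dropped copy of the worm: <Windows>\cytob.exe
    $dropped = Join-Path $env:windir 'cytob.exe'
    if (Test-Path -LiteralPath $dropped) { $findings += "Dropped file present: $dropped" }

    # Service registration under the name "WindowsSysBoot"
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WindowsSysBoot'
    if (Test-Path -LiteralPath $svcKey) { $findings += "Service key present: $svcKey" }

    # Registry values the worm writes (key, value name, data) as listed on this page
    $wormValues = @(
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Ole';                       Name = 'EnableDCOM';               Data = 'N' },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center';           Name = 'AntiVirusOverride';        Data = '1' },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center';           Name = 'FirewallOverride';         Data = '1' },
        @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control';             Name = 'WaitToKillServiceTimeout'; Data = '7000' },
        @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';         Name = 'restrictanonymous';        Data = '1' }
    )
    foreach ($v in $wormValues) {
        $item = Get-ItemProperty -LiteralPath $v.Key -Name $v.Name -ErrorAction SilentlyContinue
        # Compare as strings so REG_DWORD 1 and REG_SZ "1" are handled the same way
        if ($null -ne $item -and "$($item.($v.Name))" -eq $v.Data) {
            $findings += "Registry value matches worm setting: $($v.Key)\$($v.Name) = $($v.Data)"
        }
    }

    # Security services the worm tries to terminate. Only Security Center (wscsvc) and
    # Windows Firewall/ICS (SharedAccess) are normally running, so only those are checked;
    # Tlntsvr, RemoteRegistry and Messenger are commonly stopped on a clean host.
    foreach ($name in 'wscsvc', 'SharedAccess') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -and $svc.Status -ne 'Running') {
            $findings += "Security service not running: $name ($($svc.Status))"
        }
    }

    $findings | ForEach-Object { Write-Output $_ }
    return ($findings.Count -gt 0)
}

Test-TilebotAYIndicators
```

The dropped file, the WindowsSysBoot service key and the two Security Center override values are the strong indicators; restrictanonymous=1 and WaitToKillServiceTimeout=7000 also occur on legitimately hardened systems, so treat those matches as supporting evidence only.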
