Sophos

W32/Tilebot-B

Aliases
  • WORM_SDBOT.BVR

How it spreads
  • Network shares
Affected operating systems: Windows
Characteristics
  • Drops more malware
Protection available since: 3 August 2005 20:54:12 (GMT)
Last updated: 27 September 2005 12:29:58 (GMT)
Detected by: All Sophos products

Summary

W32/Tilebot-B is a worm that attempts to spread to remote network shares. It also contains backdoor functionality, allowing unauthorized remote access to the infected computer via IRC channels.

W32/Tilebot-B spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.

W32/Tilebot-B allows a remote user to perform a wide range of actions on the infected computer, including downloading further files, setting registry entries and stealing information from the computer, including from protected storage areas.

W32/Tilebot-B attempts to interfere with and disable certain security-related processes.

More Information

W32/Tilebot-B copies itself to the Windows folder with the filename tsecure.exe and creates a service named "tsecure" in order to run itself on system startup, to which it gives the fake description "Terminal Security".

W32/Tilebot-B attempts to terminate services with the following names in order to disrupt various security processes including the Windows firewall and Windows critical updates:

Tlntsvr
RemoteRegistry
Messenger
SharedAccess
wscsvc

W32/Tilebot-B attempts to set the following registry entries to disrupt various security processes:

HKLM\SOFTWARE\Microsoft\Security Center
    UpdatesDisableNotify = 1
    AntiVirusDisableNotify = 1
    FirewallDisableNotify = 1
    AntiVirusOverride = 1
    FirewallOverride = 1

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
    EnableFirewall = 0

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
    EnableFirewall = 0

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\AutoUpdate
    AUOptions = 1

HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
    Start = 4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
    Start = 4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
    Start = 4

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
    Start = 4

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
    restictanonymous = 1

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
    AutoShareWks = 0
    AutoShareServer = 0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
    AutoShareWks = 0
    AutoShareServer = 0

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    DoNotAlloxXPSP2 = 1

HKLM\SOFTWARE\Microsoft\OLE
    EnableDCOM = "N"

W32/Tilebot-B may also set entries in the registry at the following locations:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
    MeltMe
    Installed Time
    Record

HKLM\SYSTEM\CurrentControlSet\Control
    WaitToKillServiceTimeout

W32/Tilebot-B attempts to remove network shares from the infected computer, as well as changing the computer's SeNetworkLogonRight policy.

W32/Tilebot-B may attempt to contact scripts hosted on the following domains:

cgi14.plala.or.jp
hpcgi1.nifty.com
www.age.ne.jp
www.kinchan.net
www2.dokidoki.ne.jp
yia.s22.xrea.com

W32/Tilebot-B may attempt to drop the file RDRIV.SYS and set up a service for it named RDRIV. This file is currently detected by Sophos's anti-virus products as Troj/Rootkit-W.
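As an added example, not part of the Sophos analysis: a read-only PowerShell audit that checks a host for the registry tampering, the tsecure/RDRIV persistence and the Shell Extensions marker values described above. It assumes Windows PowerShell 5.1 or later run as Administrator; the value list is transcribed from this page.

```powershell
# Added example, not part of the Sophos analysis: read-only audit of a Windows host
# for the W32/Tilebot-B registry tampering, persistence and marker artifacts listed
# above. Assumes Windows PowerShell 5.1+ running as Administrator.

# Registry values the worm writes, with the tampered data it sets (from the list above).
$TamperedValues = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'UpdatesDisableNotify';   Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'AntiVirusDisableNotify'; Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'FirewallDisableNotify';  Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'AntiVirusOverride';      Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'FirewallOverride';       Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile';   Name = 'EnableFirewall'; Bad = 0 },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'; Name = 'EnableFirewall'; Bad = 0 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\AutoUpdate'; Name = 'AUOptions'; Bad = 1 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc';         Name = 'Start'; Bad = 4 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\TlntSvr';        Name = 'Start'; Bad = 4 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteRegistry'; Name = 'Start'; Bad = 4 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Messenger';      Name = 'Start'; Bad = 4 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'; Name = 'AutoShareWks';    Bad = 0 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'; Name = 'AutoShareServer'; Bad = 0 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\OLE'; Name = 'EnableDCOM'; Bad = 'N' }
)

$Findings = @()
foreach ($v in $TamperedValues) {
    # A missing key or value is simply "not tampered", so lookup errors are suppressed.
    $item = Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and "$($item.($v.Name))" -eq "$($v.Bad)") {
        $Findings += "Registry: $($v.Key)\$($v.Name) = $($v.Bad)"
    }
}

# Persistence: the 'tsecure' service and tsecure.exe in the Windows folder; the RDRIV driver service.
foreach ($svc in 'tsecure', 'RDRIV') {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) { $Findings += "Service present: $svc" }
}
$dropped = Join-Path $env:WINDIR 'tsecure.exe'
if (Test-Path -LiteralPath $dropped) { $Findings += "File present: $dropped" }

# Marker values the worm may write under Shell Extensions.
$shellExt = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions'
$props = Get-ItemProperty -Path $shellExt -ErrorAction SilentlyContinue
foreach ($n in 'MeltMe', 'Installed Time', 'Record') {
    if ($props -and ($props.PSObject.Properties.Name -contains $n)) { $Findings += "Marker value: $shellExt\$n" }
}

if ($Findings.Count -eq 0) { 'No W32/Tilebot-B indicators found.' } else { $Findings }
```

Several of these values are also set legitimately by administrators (a disabled Messenger or Telnet service, for instance), so treat registry hits as leads to correlate with the tsecure service and file rather than as proof of infection on their own.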
