Sophos

W32/Tilebot-D

Aliases
  • Backdoor.Win32.SdBot.aad
  • W32/Sdbot.worm.gen.by
  • W32.Spybot.Worm
  • WORM_SDBOT.BXY

Summary

How it spreads
  • Network shares
Affected operating systems: Windows
Characteristics
  • Installs itself in the registry
Protection available since: 10 August 2005 20:31:09 (GMT)
Detected by: All Sophos products
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

Action

More Information

W32/Tilebot-D is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorized remote access to the infected computer via IRC channels.

W32/Tilebot-D spreads to network shares and Microsoft SQL servers with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.


W32/Tilebot-D copies itself to the Windows folder with the filename FREPDLL.EXE and creates a service named "frepdll.exe" in order to run itself on system startup, to which it gives the fake description "ET dll Locator tool".

W32/Tilebot-D allows a remote user to perform a wide range of actions on the infected computer including downloading further files, setting registry entries and stealing information from the computer including from protected storage areas.

W32/Tilebot-D attempts to terminate services with the following names in order to disrupt various security processes, including the Windows firewall and Windows critical updates:

  • Tlntsvr
  • RemoteRegistry
  • Messenger
  • SharedAccess
  • wscsvc

W32/Tilebot-D attempts to set the following registry entries (shown as key\value name = data) to disrupt various security processes:

  • HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify = 1
  • HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify = 1
  • HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify = 1
  • HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = 1
  • HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride = 1
  • HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall = 0
  • HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall = 0
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\AutoUpdate\AUOptions = 1
  • HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\Start = 4
  • HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr\Start = 4
  • HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Start = 4
  • HKLM\SYSTEM\CurrentControlSet\Services\Messenger\Start = 4
  • HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restictanonymous = 1
  • HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\AutoShareWks = 0
  • HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\AutoShareServer = 0
  • HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters\AutoShareWks = 0
  • HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters\AutoShareServer = 0
  • HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAlloxXPSP2 = 1
  • HKLM\SOFTWARE\Microsoft\OLE\EnableDCOM = N

W32/Tilebot-D may also set entries in the registry at the following location:

  • HKLM\SYSTEM\CurrentControlSet\Control\WaitToKillServiceTimeout
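As an added example (not Sophos's code), the following Python takes an offline reg.exe export of the keys listed above and reports which of the tampered values are present, and whether any service's ImagePath points at FREPDLL.EXE, the service the worm is described as creating. The indicator table is a subset of the entries on this page; the .reg sample is constructed.

```python
"""Offline check of a Windows .reg export for the Security Center, firewall and service
tampering attributed to W32/Tilebot-D. Added example, not Sophos code; sample is constructed."""
import re

HKLM = "HKEY_LOCAL_MACHINE"  # long form used by reg.exe exports
# (key, value name) -> data the worm is described as writing (subset of the list above).
TILEBOT_INDICATORS = {
    (HKLM + r"\SOFTWARE\Microsoft\Security Center", "AntiVirusDisableNotify"): 1,
    (HKLM + r"\SOFTWARE\Microsoft\Security Center", "FirewallDisableNotify"): 1,
    (HKLM + r"\SYSTEM\CurrentControlSet\Services\wscsvc", "Start"): 4,
    (HKLM + r"\SOFTWARE\Microsoft\OLE", "EnableDCOM"): "N",
}
VALUE_RE = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg_export(text):
    """Parse [key] headers plus dword/string values into {(key.lower(), name.lower()): (key, name, data)}."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # registry paths are case-insensitive, so compare lower-cased
        elif key and (m := VALUE_RE.match(line)):
            name, dword, string = m.groups()
            data = int(dword, 16) if dword is not None else string.replace("\\\\", "\\")
            values[(key.lower(), name.lower())] = (key, name, data)
    return values

def find_tampering(values):
    """Report indicators present with the tampered data, and any service whose ImagePath is FREPDLL.EXE."""
    findings = []
    for (ikey, iname), bad in TILEBOT_INDICATORS.items():
        hit = values.get((ikey.lower(), iname.lower()))
        if hit and hit[2] == bad:  # a value at its default is not a finding
            findings.append(f"{hit[0]}\\{hit[1]} = {hit[2]}")
    for (_, lname), (key, name, data) in values.items():
        if lname == "imagepath" and isinstance(data, str) and data.lower().endswith("frepdll.exe"):
            findings.append(f"{key}\\{name} = {data}")
    return sorted(findings)

# Constructed sample: one notify flag tampered, one untouched, wscsvc disabled (Start=4),
# and a service named frepdll.exe pointing at the Windows folder, as the write-up describes.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\frepdll.exe]
"ImagePath"="C:\\WINDOWS\\FREPDLL.EXE"
"""
```

On a live host the export would come from `reg export HKLM hklm.reg` (UTF-16; decode before parsing); the untouched FirewallDisableNotify value is deliberately not reported, so only actual deviations appear.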

W32/Tilebot-D attempts to remove network shares from the infected computer, as well as changing the policy for SeNetworkLogonRight for the computer.

W32/Tilebot-D may attempt to contact scripts at the following addresses:

http://cgi14.plala.or.jp
http://hpcgi1.nifty.com
http://www.age.ne.jp
http://www.kinchan.net
http://www2.dokidoki.ne.jp
http://yia.s22.xrea.com

W32/Tilebot-D may attempt to drop the file MONDV.SYS and set up a service for it named MONDRV. This file is currently detected as Troj/Rootkit-Z.
