W32/Tilebot-DL

Please follow the instructions for removing worms.

W32/Tilebot-DL is a worm for the Windows platform.

W32/Tilebot-DL runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Tilebot-DL spreads to other network computers by exploiting common buffer overflow vulnerabilities, including LSASS (MS04-011), RPC-DCOM (MS04-012) and ASN.1 (MS04-007) and copying itself to network shares protected by weak passwords.

W32/Tilebot-DL includes functionality to access the internet and communicate with a remote server via HTTP. W32/Tilebot-DL is a worm for the Windows platform.

W32/Tilebot-DL runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Tilebot-DL spreads to other network computers by exploiting common buffer overflow vulnerabilities, including LSASS (MS04-011), RPC-DCOM (MS04-012) and ASN.1 (MS04-007) and copying itself to network shares protected by weak passwords.

W32/Tilebot-DL includes functionality to access the internet and communicate with a remote server via HTTP.

When first run W32/Tilebot-DL copies itself to <System>\SAMSvc.exe.

The file SAMSvc.exe is registered as a new system driver service named "SAMSvc", with a display name of "Security Account Manager" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\SAMSvc\

The following registry entry is set:

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions
bah1
<pathname of the worm executable>

The following registry entries may be modified:

HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\