W32/Tilebot-ET

Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


How it spreads	Network shares Chat programs Peer-to-peer
Affected operating systems	Windows
Characteristics	Installs itself in the registry
Protection available since	17 May 2006 10:22:54 (GMT)
Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

Free virus, spyware, and adware scan
Test your existing anti-virus protection
Find threats your anti-virus missed

Action

Summary
Action
More Information

Please follow the instructions for removing worms.

More Information

Summary
Action
More Information

W32/Tilebot-ET is a worm and IRC backdoor Trojan for the Windows platform.

W32/Tilebot-ET runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Tilebot-ET includes functionality to access the internet and communicate with a remote server via HTTP.

W32/Tilebot-ET spreads:

- via file sharing on P2P networks
- via instant messenger networks, including AIM and ICQ
- to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), ASN.1 (MS04-007) and IMAIL Server
- via shares with weak passwords

When first run W32/Tilebot-ET copies itself to \asus.exe.

The file asus.exe is registered as a new system driver service named "Asus", with a display name of "Asus Motherboard Utility" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\Asus\

Get reports about the latest virus and spyware threats delivered to your computer

In this section

W32/Tilebot-ET

Summary

Action

More Information