W32/Tilebot-GS

Please follow the instructions for removing worms.

Please read the instructions for removing W32/Tilebot-GS.

W32/Tilebot-GS is a worm and IRC backdoor for the Windows platform.

W32/Tilebot-GS spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords.

W32/Tilebot-GS runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Tilebot-GS includes functionality to access the internet and communicate with a remote server via HTTP.

Sophos's anti-virus products include Genotype™ detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/Tilebot-GS (detected as W32/Tilebot-Gen) since version 3.97

The following patches for the vulnerabilities exploited by W32/Tilebot-GS are available from Microsoft:
MS03-049
MS04-007
MS04-011
MS04-012
MS05-039 W32/Tilebot-GS is a worm and IRC backdoor for the Windows platform.

W32/Tilebot-GS spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords.

W32/Tilebot-GS runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Tilebot-GS includes functionality to access the internet and communicate with a remote server via HTTP.

When first run W32/Tilebot-GS copies itself to <Windows folder>\nvidcgui.exe and creates the file <Windows system folder>\remon.sys.

The file remon.sys is detected as Troj/RKFu-A.

The file nvidcgui.exe is registered as a new system driver service named "pxlmdl", with a display name of "PixelModule" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\pxlmdl\

The file remon.sys is registered as a new system driver service named "remon", with a display name of "remon". Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\remon\

The following registry entries are set, disabling the registry editor (regedit) and the Windows task manager (taskmgr):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

W32/Tilebot-GS sets the following registry entries, disabling the automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Registry entries are set as follows:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\

Sophos's anti-virus products include Genotype™ detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/Tilebot-GS (detected as W32/Tilebot-Gen) since version 3.97

The following patches for the vulnerabilities exploited by W32/Tilebot-GS are available from Microsoft:
MS03-049
MS04-007
MS04-011
MS04-012
MS05-039