W32/Tilebot-J

Please follow the instructions for removing worms.

W32/Tilebot-J is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorized remote access to the infected computer via IRC channels.

W32/Tilebot-J spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user. The worm also spreads by exploiting the PnP operating system vulnerability (MS05-039).

W32/Tilebot-J allows a remote user to perform a wide range of actions on the infected computer including downloading further files, setting registry entries and stealing information from the computer including from protected storage areas. W32/Tilebot-J is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorized remote access to the infected computer via IRC channels.

W32/Tilebot-J spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user. The worm also spreads by exploiting the PnP operating system vulnerability (MS05-039).

W32/Tilebot-J copies itself to the Windows folder with the filename netinfo.exe and creates a service named "NETINFO" in order to run itself on system startup, to which it gives the fake description "Internet Info Service." The following registry branches are created:

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETINFO\
<several entries>

HKLM\SYSTEM\CurrentControlSet\Services\netinfo\
<several entries>

W32/Tilebot-J allows a remote user to perform a wide range of actions on the infected computer including downloading further files, setting registry entries and stealing information from the computer including from protected storage areas.

W32/Tilebot-J attempts to terminate services with the following names in order to disrupt various security processes including the Windows firewall and Windows critical updates:

Tlntsvr
RemoteRegistry
Messenger
SharedAccess
wscsvc

W32/Tilebot-J attempts to set the following registry entries to disrupt various security processes:

HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\
AutoUpdate
AUOptions
1

HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restictanonymous
1

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareWks
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareServer
0

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAlloxXPSP2
1

HKLM\SOFTWARE\Microsoft\OLE
EnableDCOM
"N"

W32/Tilebot-J may also set entries in the registry at the following locations:

HKLM\SYSTEM\CurrentControlSet\Control\
WaitToKillServiceTimeout

W32/Tilebot-J attempts to remove network shares from the infected computer, as well as changing the policy for SeNetworkLogonRight for the computer.

W32/Tilebot-J may create the file orans.sys and set up a service for it named ORANS. This file is currently detected Troj/Rootkit-AA. The following registry branches are created:

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ORANS\
<several entries>

HKLM\SYSTEM\CurrentControlSet\Services\orans\
<several entries>