Sophos

W32/Tilebot-KG

Aliases
  • Backdoor.Win32.SdBot.bti
  • W32/Sdbot.worm.gen.ca
  • WORM_SDBOT.FEJ
Category
Type
What to do
Prevalence low high

Summary

 
How it spreads
  • Network shares
  • Chat programs
Affected operating systems Windows
Characteristics
  • Drops more malware
  • Installs itself in the registry
Protection available since 10 September 2007 22:50:06 (GMT)
Detected by All Sophos products
Download Free virus scan
Download the Threat Detection Test
  • Free virus, spyware, and adware scan
  • Test your existing anti-virus protection
  • Find threats your anti-virus missed

Action

More Information

W32/Tilebot-KG is a worm with backdoor functionality for the Windows platform.

W32/Tilebot-KG spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), SRVSVC (MS06-040), RPC-DCOM (MS04-012), RealVNC (CVE-2006-2369) and ASN.1 (MS04-007). The worm may also spreads via network shares protected by weak passwords and via MSN messenger.

W32/Tilebot-KG runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Tilebot-KG includes functionality to:

- set up an FTP server
- set up a proxy server
- spread via AOL Instant Messager by sending messages automatically
- change Internet Explorer start page
- set or remove network shares
- port scanning
- packet sniffing
- start a remote shell (RLOGIN)
- access the internet and communicate with a remote server via HTTP
- harvest information from clipboard
- take part in Distributed Denial of Service (DDoS) attacks

W32/Tilebot-KG is a worm with backdoor functionality for the Windows platform.

W32/Tilebot-KG spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), SRVSVC (MS06-040), RPC-DCOM (MS04-012), RealVNC (CVE-2006-2369) and ASN.1 (MS04-007). The worm may also spreads via network shares protected by weak passwords and via MSN messenger.

W32/Tilebot-KG runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Tilebot-KG includes functionality to:

- set up an FTP server
- set up a proxy server
- spread via AOL Instant Messager by sending messages automatically
- change Internet Explorer start page
- set or remove network shares
- port scanning
- packet sniffing
- start a remote shell (RLOGIN)
- access the internet and communicate with a remote server via HTTP
- harvest information from clipboard
- take part in Distributed Denial of Service (DDoS) attacks

When first run W32/Tilebot-KG copies itself to the Windows folder as wdfmgr.exe and creates the following file:

<Windows>Z058_jpg.zip (also detected as W32/Tilebot-KG)

W32/Tilebot-KG can be ordered to spread via MSN with one of many messages, for example:

'looooook :p'
'loooooooooooool :D'
'lol he looks weird on this photo'
'omg check this out man this is funny'
'lol you got to see this'

The attachment will be the file Z058_jpg.zip

W32/Tilebot-KG attempts to disable the system file checker by modifying sfc_os.dll or sfc.dll and setting the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCScan
0

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

SFCDisable

ffffff9d

The modified sfc_os.dll or sfc.dll is detected as "Disabled System File Check DLL".

W32/Tilebot-KG replaces the following files with a program that does nothing.

<System>\ftp.exe
<System>\tftp.exe

The original version of sfc_os.dll or sfc.dll is copied to \trash<random number>.

The original version of ftp.exe is copied to <System>\Microsoft\backup.ftp.

The original version of tftp.exe is copied to <System>\Microsoft\backup.tftp.

W32/Tilebot-KG may set the following registry entries, disabling the automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4

Additional registry entries may also be set as follows:

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1

HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareServer
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareWks
0

HKLM\SYSTEM\CurrentControlSet\Control\
WaitToKillServiceTimeout
7000

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

RSS|Atom
Get reports about the latest virus and spyware threats delivered to your computer