high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Protection available since | 21 September 2005 04:26:09 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
Please read the instructions for removing W32/Tilebot-S.
More Information
W32/Tilebot-S is a network worm with backdoor Trojan functionality for the Windows platform.
W32/Tilebot-S spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.
W32/Tilebot-S copies itself to the Windows folder with the filename taskcntr.exe and registers itself as a service process named "TESV" with the display name "TASKESV". Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\TESV
W32/Tilebot-S allows a remote user to perform a wide range of actions on the infected computer including downloading further files, setting registry entries and stealing information from the computer including from protected storage areas.
W32/Tilebot-S attempts to terminate services with the following names in order to disrupt various security processes including the Windows firewall and Windows critical updates:
Tlntsvr
RemoteRegistry
Messenger
SharedAccess
wscsvc
W32/Tilebot-S attempts to set the following registry entries to disrupt various security processes:
HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\
AutoUpdate
AUOptions
1
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restictanonymous
1
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareWks
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareServer
0
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAlloxXPSP2
1
HKLM\SOFTWARE\Microsoft\OLE
EnableDCOM
"N"
W32/Tilebot-S may also set entries in the registry at the following locations:
HKLM\SYSTEM\CurrentControlSet\Control\
WaitToKillServiceTimeout
W32/Tilebot-S attempts to remove network shares from the infected computer, as well as changing the policy for SeNetworkLogonRight for the computer.
W32/Tilebot-S may attempt to contact scripts at the following addresses:
http://cgi14.plala.or.jp
http://hpcgi1.nifty.com
http://www.age.ne.jp
http://www.kinchan.net
http://www2.dokidoki.ne.jp
http://yia.s22.xrea.com
W32/Tilebot-S may create the file remon.sys and set up a service for it named REMON. This file is currently detected Troj/RKFu-A. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\remon
Sophos's anti-virus products include Genotype™ detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/Tilebot-S (detected as W32/Tilebot-Gen) since version 3.96.
|
