high
Summary
Summary
Action- More Information
| Affected operating systems | Windows |
|---|---|
| Characteristics |
|
| Protection available since | 30 October 2008 18:24:28 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Tiotua-W is a Trojan for the Windows platform.
W32/Tiotua-W includes functionality to access the internet and communicate with a remote server via HTTP.
When first run W32/Tiotua-W. copies itself to:
<Windows>\gphone.exe
<System>\gphone.exe
and creates the file <System>\autorun.ini.
The file autorun.ini is detected as W32/Sohana-BI.
The following registry entry is created to run gphone.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Yahoo Messengger
<System>\gphone.exe
The following registry entry is changed to run gphone.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe gphone.exe
W32/Tiotua-W changes settings for Microsoft Internet Explorer by modifying values under:
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page
The following registry entries are set, disabling system software:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
The following registry entry is set:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NofolderOptions
1
W32/Tiotua-W would have been detected by the following HIPs rules:
HIPS/FileMod-001
HIPS/RegMod-012
HIPS/RegMod-002
HIPS/RegMod-009
|
