W32/Tirbot-E

Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


How it spreads	Network shares Chat programs
Affected operating systems	Windows
Protection available since	5 May 2005 21:12:39 (GMT)
Detected by	All Sophos products

Sophos beta program
Register now for our latest beta tests

Endpoint Security and Control 9.0
Small business solutions 4.0

Action

Summary
Action
More Information

Please follow the instructions for removing worms.

More Information

Summary
Action
More Information

W32/Tirbot-E is a network worm with backdoor Trojan functionality for the Windows platform.

When run, the worm copies itself to the Windows system folder as xpssl.exe and sets the following registry entry in order to run each time a user logs on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
IECheck
"<Windows system folder>\xpssl.exe"

The worm may also set the following registry entry:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
run
""

The backdoor component joins a predetermined IRC channel and awaits further commands from remote users. The backdoor component can then be instructed to perform the following:

take part in distributed denial of service (DDoS) attacks
upload/download files
execute files
serve as a proxy server
harvest information from the system registry
report filesystem information
list running processes
scan for the presence anti-virus software

W32/Tirbot-E enumerates running processes and terminates those with names that contain any of the following:

alevir
bargains
brasil.exe
brasil.pif
instit.bat
marco!.scr
mslagent
msupdate
natal!
natal!.pif
natal.pif
natal.scr
puta
puta!!
puta!.pif
scrsvr
speedy.bat
speedy.pif
speedy.scr
sys32core
teekidz
vbrun6nt
WebRebates
WebRebates1
win32dllz
winmngr
winocx
winocx16
winocx32
winupdate
winupdmgr

The worm also deletes the following registry entries from
HKLM\Software\Microsoft\Windows\CurrentVersion\Run and from
HKCU\Software\Microsoft\Windows\CurrentVersion\Run :

4wd!!!
Alevir
brasil
cronos
ICQ Net
instit
Microsoft Manager
pen1s
putAS!
scrsvr
spees1
spees2
spees3
winconn
Windows Taskbar Manager

The worm may also create copies of itself in the following folders if they exist:

Start Menu\Programs\StartUp
Menu Iniciar\Programas\Iniciar
Menuen Start\Programmer\Start
Menu Avvio\Programmi\Esecuzione automatica
Start-menyn\Program\Autostart
Start-meny\Programmer\Oppstart
Menu Start\Programy\Autostart
Start Menu\Programlar\BASLANGI
Menu Start\Programma's\Opstarten
Menu DTmarrer\Programmes\DTmarrage
Kuynnistu-valikko\Ohjelmat\Kuynnistys
Menu Inicio\Programas\Inicio

Get reports about the latest virus and spyware threats delivered to your computer

In this section

W32/Tirbot-E

Summary

Action

More Information