W32/Tzet-A

Please follow the instructions for removing worms.

Please follow the instructions for removing worms.

W32/Tzet-A exploits weak network security. If W32/Tzet-A has spread over your network you should check permissions and passwords.

Windows NT/2000/XP

In Windows NT/2000/XP you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WUPD

and delete it if it exists.

Close the registry editor.

W32/Tzet-A is a network worm. When run the worm creates the following files in the folder C:\<Windows>\System32:

AUTHEXEC.BAT
A batch file used by the worm and detected by this identity

IGLMTRAY.EXE
A Trojan detected by Sophos Anti-Virus as Troj/Flood-DP

IGLXTRAY.EXE
A Trojan detected by Sophos Anti-Virus as Troj/Flood-DP

LRSS.INI
A mIRC configuration file used by the worm

MDDE32.EXE
A clean utility for terminating processes

NNA.EXE
A Trojan downloaded by W32/Tzet-A. Nna.exe is detected by Sophos Anti-Virus as Troj/Apher-H.

PRINTF_CORE.EXE
A Trojan detected by Sophos Anti-Virus as Troj/Delsha-C

VIDRIV.EXE
A clean utility to hide/show windows

WMPT.EXE
A clean utility called PSExec

WSUBSYS.WAV
The main component of the worm

XCOPY.DLL
A text file containing a list of IP domains

The worm adds the following registry entry to run the file iglmtray.exe when Windows starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WUPD

W32/Tzet-A searches the local network for computers with weak or no passwords on the administrator or admin accounts to which it can copy itself.