high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Included in our products from | July 2007 (4.19) |
| Protection available since | 23 May 2007 18:10:15 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Tilebot-JQ is a worm with IRC backdoor Trojan functionality.
W32/Tilebot-JQ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Tilebot-JQ includes functionality to access the internet and communicate with a remote server via HTTP.
W32/Tilebot-JQ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Tilebot-JQ includes functionality to access the internet and communicate with a remote server via HTTP.
When first run W32/Tilebot-JQ copies itself to <Windows>\wault.exe.
The file wault.exe is registered as a new system driver service named "Windows Auto Update Tool", with a display name of "Windows Auto Update Tool" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Windows Auto Update Tool
The file <System>\sfc_os.dll is modified in order to disable the System File Checker. The modified version is detected as Disabled System File Check DLL.
The files <System>\ftp.exe and <System>\tftp.exe are replaced by non-functional versions of those applications.
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCScan
0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCDisable
ffffff9d
|
