Sophos

W32/Tiotua-G

Aliases
  • IM-Worm.Win32.Sohanad.ak

Summary
How it spreads
  • Removable storage devices
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Included in our products from July 2007 (4.19)
Protection available since 11 April 2007 12:22:38 (GMT)
Last updated 14 May 2007 13:11:25 (GMT)
Detected by All Sophos products

More Information

W32/Tiotua-G is a worm for the Windows platform.

W32/Tiotua-G spreads by copying itself to mapped disk drives and removable storage devices.

When run, the worm opens various programs such as Notepad, Solitaire, Pinball and Windows Media Player, and tries to open and close the CD drive. It pretends to select and delete all the shortcuts on the Desktop, then displays a fake message, "The 'USB Mass Storage Device' device can now be safely removed from the system.", and forces a reboot.

W32/Tiotua-G creates a number of Windows Scheduled Tasks to run itself at various times every day.


When W32/Tiotua-G is installed, it copies itself to mapped and removable drives as TinyVirusCleaner.exe and creates the following files:

<Root>\autorun.inf
<Root>\pantun teka teki.txt
<Windows>\Tempt\talk.bat

The following registry entry is created to run talk.bat on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
talk
<Windows>\Tempt\talk.bat

All three of the files listed above are plain text files and can be deleted. The autorun.inf should be removed from each drive together with TinyVirusCleaner.exe, and the same files should be looked for on any removable device that was connected while the worm was active.


W32/Tiotua-G changes settings for Microsoft Internet Explorer by modifying values under:

HKCU\Software\Microsoft\Internet Explorer\Main\
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page

The following registry entries are set, disabling system software:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr
1

Registry entries are also set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoViewContextMenu
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoViewContextMenu
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue
0

With CheckedValue set to 0, the "Show hidden files and folders" option in Explorer's Folder Options no longer takes effect, so hidden files cannot be revealed that way until the value is restored to 1.
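The registry values, dropped files and scheduled tasks above are host-side indicators an administrator can check for directly. The following script is an added example and is not Sophos code: it sweeps a host for every indicator named in this write-up, reports what it finds, and with -Remediate stops the running copy, deletes the files and Run value, removes the policy values, restores SHOWALL\CheckedValue to 1 and deletes the scheduled tasks. It assumes the paths exactly as listed here; because the page does not give the task names, tasks are matched by the command they run (TinyVirusCleaner.exe or talk.bat), which is an assumption. Run it from an elevated prompt, since the HKLM values and schtasks /delete require administrator rights; schtasks.exe is used rather than Get-ScheduledTask so it also works on the Windows versions of 2007.

```powershell
# Added example (not Sophos code): sweep a host for the W32/Tiotua-G
# indicators listed in this write-up and, with -Remediate, undo them.
# Task names are not given on the page, so tasks are matched by the
# command they run (assumption). Run elevated.
param([switch]$Remediate)

$win    = $env:SystemRoot
$wormRe = 'TinyVirusCleaner\.exe|talk\.bat'   # commands the worm uses to restart itself

# --- Files: <Windows>\Tempt\talk.bat plus the three files dropped on every drive root.
$files = @("$win\Tempt\talk.bat")
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    foreach ($name in 'TinyVirusCleaner.exe', 'autorun.inf', 'pantun teka teki.txt') {
        $files += Join-Path $drive.Root $name
    }
}

# --- Registry values the page lists, with the value the worm writes.
#     'Delete' removes the value (the default once it is absent);
#     'Set' writes Good back (SHOWALL\CheckedValue must exist and be 1).
$regChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';               Name = 'talk';                 Bad = "$win\Tempt\talk.bat"; Action = 'Delete' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Bad = 1; Action = 'Delete' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Bad = 1; Action = 'Delete' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Bad = 1; Action = 'Delete' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions';      Bad = 1; Action = 'Delete' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoViewContextMenu';    Bad = 1; Action = 'Delete' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoViewContextMenu';    Bad = 1; Action = 'Delete' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL';
       Name = 'CheckedValue'; Bad = 0; Action = 'Set'; Good = 1 }
)

function Get-RegValue($Path, $Name) {
    if (-not (Test-Path $Path)) { return $null }
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$findings = @()

# 1. Running copy: stop it first, otherwise it can rewrite what is cleaned below.
foreach ($p in @(Get-Process -Name TinyVirusCleaner -ErrorAction SilentlyContinue)) {
    $findings += "process  PID $($p.Id) $($p.Path)"
    if ($Remediate) { Stop-Process -Id $p.Id -Force }
}

# 2. Dropped files (Remove-Item -Force also removes hidden/read-only files).
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $findings += "file     $f"
        if ($Remediate) { Remove-Item -LiteralPath $f -Force }
    }
}

# 3. Registry values. -eq on strings is case-insensitive, so the path compare is safe.
foreach ($r in $regChecks) {
    $v = Get-RegValue $r.Path $r.Name
    if ($null -ne $v -and "$v" -eq "$($r.Bad)") {
        $findings += "registry $($r.Path)\$($r.Name) = $v"
        if ($Remediate) {
            if ($r.Action -eq 'Delete') { Remove-ItemProperty -Path $r.Path -Name $r.Name -Force }
            else                        { Set-ItemProperty    -Path $r.Path -Name $r.Name -Value $r.Good }
        }
    }
}

# 4. IE Start Page: the write-up does not say what it is changed to, so only report it.
foreach ($hive in 'HKCU:', 'HKLM:') {
    $sp = Get-RegValue "$hive\Software\Microsoft\Internet Explorer\Main" 'Start Page'
    if ($sp) { $findings += "info     $hive IE Start Page = $sp (review manually)" }
}

# 5. Scheduled tasks whose command points at the worm (schtasks works on XP and later;
#    repeated CSV header rows from /v never match the pattern, so they are ignored).
$tasks = @(schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv |
           Where-Object { $_.'Task To Run' -match $wormRe })
foreach ($t in $tasks) {
    $findings += "task     $($t.TaskName) -> $($t.'Task To Run')"
    if ($Remediate) { schtasks.exe /delete /tn $t.TaskName /f | Out-Null }
}

if ($findings.Count -eq 0) { 'No W32/Tiotua-G indicators found.' }
else { $findings; if (-not $Remediate) { 'Re-run with -Remediate to remove these.' } }
```

Run it once without -Remediate to see what is present, then with -Remediate and a reboot; because the HKLM policy values also exist, cleaning only the current user's hive leaves Task Manager disabled for everyone. Drives that were not connected during the sweep still need to be checked for autorun.inf and TinyVirusCleaner.exe when they are next plugged in.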
