Sophos

W32/Tompai-A

Summary

Included in our products from September 2004 (3.85)
Protection available since 29 July 2004 23:33:50 (GMT)
Last updated 30 July 2004 10:17:53 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing infected executable files.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Cmpnt

and remove any reference to any file you deleted.

Close the registry editor.

More Information

W32/Tompai-A is a virus with backdoor functionality for the Windows platform, which spreads via network shares.

The virus creates three copies of itself in the Windows system folder. One copy is named mainsv.exe. The others are randomly chosen from the following pairs of names:

loadms.exe & loadmsnt.exe
cmpku.exe & cmpkunt.exe
netcompt.exe & netcomptnt.exe
ptsnopt.exe & ptsnoptnt.exe
ntdllf.exe & ntdllfnt.exe

The virus also infects exe files on the local hard disk and creates copies of itself with the following names:

the_matrix.scr
mario_2.pif
matrix_desktop.pif
mp3_convert.pif
Zsnes_win.pif
VRMLpad_crack.pif
matrix3Dsetup.pif
Dx_ball2_Setup.pif
Crack_tools.exe

In order to ensure that it is run each time Windows starts, W32/Tompai-A adds the registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Cmpnt
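As an added example that is not part of the Sophos description, the following Python script checks a registry export (.reg file) and a list of file paths against the indicators listed above: the Cmpnt value under the HKLM Run key, and the file names the virus uses for its copies in the Windows system folder and elsewhere. The sample export and sample paths are constructed for the example; the parser handles only the string-value lines of a .reg export, which is all the Run key needs.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Indicators as given in the Sophos description of W32/Tompai-A.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Cmpnt"

SYSTEM_FOLDER_COPIES = {
    "mainsv.exe",
    "loadms.exe", "loadmsnt.exe",
    "cmpku.exe", "cmpkunt.exe",
    "netcompt.exe", "netcomptnt.exe",
    "ptsnopt.exe", "ptsnoptnt.exe",
    "ntdllf.exe", "ntdllfnt.exe",
}

DROPPED_COPIES = {
    "the_matrix.scr", "mario_2.pif", "matrix_desktop.pif", "mp3_convert.pif",
    "Zsnes_win.pif", "VRMLpad_crack.pif", "matrix3Dsetup.pif",
    "Dx_ball2_Setup.pif", "Crack_tools.exe",
}

# Windows file names are case-insensitive, so compare in lower case.
KNOWN_NAMES = {n.lower() for n in SYSTEM_FOLDER_COPIES | DROPPED_COPIES}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_STRING_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] headers and "name"="data" lines of a .reg export.

    Only REG_SZ values are handled; dword:/hex: lines are skipped. The .reg
    escapes (\\\\ for a backslash, \\" for a quote) are undone in the data.
    """
    result: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = _STRING_VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            result[current][name] = re.sub(r"\\(.)", r"\1", data)
    return result


def suspicious_run_entries(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (value name, data) pairs under the HKLM Run key that match the
    indicators: the value name Cmpnt, or data whose file name is one of the
    names the virus uses for its copies."""
    hits = []
    for key, values in reg.items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            exe = ntpath.basename(data.strip('"')).lower()
            if name.lower() == RUN_VALUE_NAME.lower() or exe in KNOWN_NAMES:
                hits.append((name, data))
    return hits


def suspicious_files(paths: List[str]) -> List[str]:
    """Return the paths whose file name matches one of the listed copy names."""
    return [p for p in paths if ntpath.basename(p).lower() in KNOWN_NAMES]


# Constructed sample data (not from the Sophos page): a .reg export of the Run
# keys and a handful of file paths, one of which is a legitimate binary.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Cmpnt"="C:\\WINDOWS\\System32\\cmpku.exe"
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Setup"="C:\\Temp\\setup.exe"
'''

SAMPLE_PATHS = [
    r"C:\WINDOWS\System32\mainsv.exe",
    r"C:\WINDOWS\System32\notepad.exe",
    r"C:\Shared\Games\Dx_ball2_Setup.pif",
]

if __name__ == "__main__":
    for name, data in suspicious_run_entries(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"Run value to remove: {name} = {data}")
    for path in suspicious_files(SAMPLE_PATHS):
        print(f"File name matches a W32/Tompai-A copy: {path}")
```

On a real system the export would come from `regedit` (Registry menu, Export Registry File) and the path list from a directory listing of the system folder and any shares; the script only reports matches, leaving removal to the steps given under Action.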

The backdoor functionality of the virus allows a remote attacker access to the infected computer.

Hidden inside the worm is a piece of text which does not get displayed:

phantompain
