McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• I-Worm.Tanger (AVP)

• W32.HLLW.Tang@mm (NAV)

• W32/Gant@MM

Characteristics

This worm attempts to propagate via three channels: mass-mailing itself to recipients listed in the Outlook Address Book, via IRC, and via P2P file-sharing networks.

When first run, a fake error message is displayed ("not a valid win32 application"). After clicking on "ok", the worm proceeds to mail itself to everyone in the Windows Address Book. The attachment name used is taken from the the list of names below:

• EmailFix.exe
• Mp3Connect.exe
• Hilarious.scr
• EmailGen.exe
• PswdCrack.exe
• EmailHacker.exe

Outgoing messages will be formatted with the following subjects and message bodies:

Subject: Important Notice
Hello readers, A few days ago the Microsoft Network Email System automatically deleted my email account. This happened because there is a bug in the Microsoft Network Email System that may unintentionally remove email accounts without prompting. I have included a patch with this email that will fix the bug on un-patched computers. If you need help installing this file, read attached help file. Thanks.

Subject: Mp3 sites
Hello, Try this new software that can download practically any .mp3 file that is found on the internet. I use this program all the time and I think it's great! Have fun!

Subject: A ScreenSaver
Hello everyone, I found a really funny ScreenSaver on the net yesterday and I think that you would find it funny like I did :) It's in the attachments. Cya!

Subject: Email spoofer
Hello all, Take a look at this email spoofer that I have included in the attachments. An email spoofer is a program that lets you email from anyone@anything.com! it's really fun to use for pranks :)

Subject: Password Cracker
Hello Everyone, I have a cool Password Cracker for you in the attachments :) this Password Cracker can crack almost any password out there! Try it for yorself!

Subject: Hotmail passwords
Hello Readers, Have you tried to crack a Hotmail password ... and failed? Try the 'Hotmail Password Cracker' program that I have included in the attachments. Happy hacking!

The worm also attempts to spread through file-sharing networks by copying itself into the folders typically configured for sharing. The file-sharing applications targetted are:

• LimeWire
• Gnucleus
• Shareaza
• Kazaa
• Kazaa Lite
• BearShare
• Edonkey2000
• Morpheus
• Grokster
• ICQ

In order to spread through the IRC network, the worm modifies the SCRIPT.INI file used by the mIRC client. The modified script is detected by McAfee products (using the 4164 DATs or greater) as MIRC/Generic.

The worm also drops a macro component MSTngmgr32.ocx in the C:\Windows directory. It overwrites the Word template normal.dot with an infected copy of 133,632 bytes. It also adds an infected Excel template called Personal.xls in the XLStart directory.

The component MSTngmgr32.ocx is detected as VBA/Generic.src and the infected Word and Excel templates that are dropped are detected as W97M/Generc.src and X97M/Generic respectively. They are detected by Mcafee products using DATs 4072 and later.

Symptoms

The worm drops multiple copies of itself in the Windows directory. Below are some of the names it uses:

• Keymapp32.exe
• Msdnssrv.exe
• Msnetwrk32.exe
• Msostart32.exe
• Msregmc32.exe
• Msscndsk.exe
• Mwintype.exe
• Notice.tng
• PswdCrack.exe
• Unicode32.scr
• Hilarious.scr
• Windns32.exe
• Wncnet32.exe
• Wnetcon32.exe

It also copies multiple copies of itself into the C:\WINDOWS\SYSTEM directory. Below are some of the names it uses:

• OMServ32.exe
• Re-inst32.scr
• Unitxt32.exe
• Wincmndr.exe
• Winlnkmgr.exe
• Cmdinst32.exe Mscabdrv.exe
• MsTng32.exe
• Mswpdmgr.exe
• Netwc32.exe

The worm also modifies the Registry to execute itself at startup:

The following Registry key is also added:

The worm also modifies all MS-DOS batch files in the computer to execute the worm each time the batch file is run. The following line is added at the end of each batch file:

@if exist C:\WINDOWS\SYSTEM\MSTng32.exe @win C:\WINDOWS\ SYSTEM\MSTng32.exe

For the macro component of this worm, the existence of the file MSTngmgr32.ocx in the directory C:\WINDOWS. The following key is also added into the registry to indicate that the macro component has been activated.

HKEY_CURRENT_USER\Software\Zed/[rRlf]\W32\TaNG\Macro "Installed" = 1

Method of Infection

Infection occurs upon executing the worm, which may arrive as an email attachment, via a file-sharing network, or via IRC.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• I-Worm.Tanger (AVP)

• W32.HLLW.Tang@mm (NAV)

• W32/Gant@MM

Characteristics

Characteristics -

This worm attempts to propagate via three channels: mass-mailing itself to recipients listed in the Outlook Address Book, via IRC, and via P2P file-sharing networks.

When first run, a fake error message is displayed ("not a valid win32 application"). After clicking on "ok", the worm proceeds to mail itself to everyone in the Windows Address Book. The attachment name used is taken from the the list of names below:

• EmailFix.exe
• Mp3Connect.exe
• Hilarious.scr
• EmailGen.exe
• PswdCrack.exe
• EmailHacker.exe

Outgoing messages will be formatted with the following subjects and message bodies:

Subject: Important Notice
Hello readers, A few days ago the Microsoft Network Email System automatically deleted my email account. This happened because there is a bug in the Microsoft Network Email System that may unintentionally remove email accounts without prompting. I have included a patch with this email that will fix the bug on un-patched computers. If you need help installing this file, read attached help file. Thanks.

Subject: Mp3 sites
Hello, Try this new software that can download practically any .mp3 file that is found on the internet. I use this program all the time and I think it's great! Have fun!

Subject: A ScreenSaver
Hello everyone, I found a really funny ScreenSaver on the net yesterday and I think that you would find it funny like I did :) It's in the attachments. Cya!

Subject: Email spoofer
Hello all, Take a look at this email spoofer that I have included in the attachments. An email spoofer is a program that lets you email from anyone@anything.com! it's really fun to use for pranks :)

Subject: Password Cracker
Hello Everyone, I have a cool Password Cracker for you in the attachments :) this Password Cracker can crack almost any password out there! Try it for yorself!

Subject: Hotmail passwords
Hello Readers, Have you tried to crack a Hotmail password ... and failed? Try the 'Hotmail Password Cracker' program that I have included in the attachments. Happy hacking!

The worm also attempts to spread through file-sharing networks by copying itself into the folders typically configured for sharing. The file-sharing applications targetted are:

• LimeWire
• Gnucleus
• Shareaza
• Kazaa
• Kazaa Lite
• BearShare
• Edonkey2000
• Morpheus
• Grokster
• ICQ

In order to spread through the IRC network, the worm modifies the SCRIPT.INI file used by the mIRC client. The modified script is detected by McAfee products (using the 4164 DATs or greater) as MIRC/Generic.

The worm also drops a macro component MSTngmgr32.ocx in the C:\Windows directory. It overwrites the Word template normal.dot with an infected copy of 133,632 bytes. It also adds an infected Excel template called Personal.xls in the XLStart directory.

The component MSTngmgr32.ocx is detected as VBA/Generic.src and the infected Word and Excel templates that are dropped are detected as W97M/Generc.src and X97M/Generic respectively. They are detected by Mcafee products using DATs 4072 and later.

Symptoms

Symptoms -

The worm drops multiple copies of itself in the Windows directory. Below are some of the names it uses:

• Keymapp32.exe
• Msdnssrv.exe
• Msnetwrk32.exe
• Msostart32.exe
• Msregmc32.exe
• Msscndsk.exe
• Mwintype.exe
• Notice.tng
• PswdCrack.exe
• Unicode32.scr
• Hilarious.scr
• Windns32.exe
• Wncnet32.exe
• Wnetcon32.exe

It also copies multiple copies of itself into the C:\WINDOWS\SYSTEM directory. Below are some of the names it uses:

• OMServ32.exe
• Re-inst32.scr
• Unitxt32.exe
• Wincmndr.exe
• Winlnkmgr.exe
• Cmdinst32.exe Mscabdrv.exe
• MsTng32.exe
• Mswpdmgr.exe
• Netwc32.exe

The worm also modifies the Registry to execute itself at startup:

The following Registry key is also added:

The worm also modifies all MS-DOS batch files in the computer to execute the worm each time the batch file is run. The following line is added at the end of each batch file:

@if exist C:\WINDOWS\SYSTEM\MSTng32.exe @win C:\WINDOWS\ SYSTEM\MSTng32.exe

For the macro component of this worm, the existence of the file MSTngmgr32.ocx in the directory C:\WINDOWS. The following key is also added into the registry to indicate that the macro component has been activated.

HKEY_CURRENT_USER\Software\Zed/[rRlf]\W32\TaNG\Macro "Installed" = 1

Method of Infection

Method of Infection -

Infection occurs upon executing the worm, which may arrive as an email attachment, via a file-sharing network, or via IRC.

Removal -

Removal -

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A