
W32/Tzet.worm

Type: Virus
SubType: Internet Worm
Discovery Date: 07/28/2003
Length: 788,177 bytes (SFX)
Minimum DAT: 4283 (08/06/2003)
Updated DAT: 4376 (07/14/2004)
Minimum Engine: 5.1.00
Description Added: 07/30/2003
Description Modified: 08/01/2003 2:11 PM (PT)
Risk Assessment (Corporate User): Low
Risk Assessment (Home User): Low


Characteristics

This detection is for an IRC-based worm capable of spreading to poorly secured remote shares.

Some components of this threat are already detected by McAfee products. For example, the trojanised mIRC client (which forms the hub of operations) is detected as IRC/Flood.bq with the 4253 DATs or greater. See the file list below for details.

The worm consists of a self-extracting archive. When executed, various files are dropped on the victim machine. For example:

  • IGLXTRAY.EXE (532,992 bytes). Trojanised mIRC client, which forms the hub of operations. Detected as IRC/Flood.bq with the 4253 DATs or greater.
  • IGLMTRAY.EXE (10,752 bytes). Loader utility. Detected as W32/Tzet.worm with the specified DATs.
  • authexec.bat (6,411 bytes). Batch script that attempts to connect to shares on remote machines using weak account/password combinations (listed under Method of Infection). Detected as W32/Tzet.worm with the specified DATs.
  • lrss.ini (5,411 bytes). Trojanised IRC script. Detected as W32/Tzet.worm with the specified DATs.
  • mdde32.exe (39,424 bytes). Application for killing processes. Detected as application PSKill with the specified DATs.
  • nna.exe (1,312 bytes). Downloader trojan. Detected as Downloader-AE with the 4262 DATs or greater (with the 4.2.40 or greater engine).
  • printf_core.exe (20,480 bytes). Application for deleting shares from a machine. Detected as application Delshare with the specified DATs.
  • vidriv.exe (24,064 bytes). Tool for hiding running applications. Detected as application HideWindow with the 4241 DATs or greater (with the 4.2.40 or greater engine).
  • wmpt.exe (52,224 bytes). Application to launch remote processes. Detected as application RemoteProcessLaunch with the 4252 DATs or greater.
  • wsubsys.wav (62,282 bytes). Trojanised IRC script. Detected as W32/Tzet.worm with the specified DATs.
  • xcopy.dll (575 bytes)

Dropped into:

c:\WINNT\SYSTEM32\

The following Registry key is added to hook system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"WUPD" = C:\WINNT\system32\iglmtray.exe
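The dropped-file names and the Run-key value above are the host-side indicators an incident responder would sweep for. The script below is an added example (not McAfee's code) that matches them against two inputs: a registry export of the Run key and a directory listing of the system directory. Both inputs are constructed samples embedded in the script, not real captures, and the matching is deliberately loose on the Run value: it flags either the value name "WUPD" from the description or any Run value whose target is iglmtray.exe, so a variant that renames the value is still caught.

```python
"""Host indicator check for the W32/Tzet.worm artifacts in the description.

Added example, not McAfee's code. SAMPLE_REG and SAMPLE_DIR are constructed
samples (a REGEDIT export of the Run key and a `dir` listing), not captures.
"""
import re

# File names the description says the SFX drops into the system directory.
DROPPED_FILES = {
    "iglxtray.exe", "iglmtray.exe", "authexec.bat", "lrss.ini", "mdde32.exe",
    "nna.exe", "printf_core.exe", "vidriv.exe", "wmpt.exe", "wsubsys.wav",
    "xcopy.dll",
}
# Startup hook from the description: value "WUPD" under HKLM\...\Run,
# pointing at the loader.
RUN_VALUE_NAME = "wupd"
RUN_TARGET = "iglmtray.exe"

# "name"="data" lines as written by regedit exports.
_REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

SAMPLE_REG = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WUPD"="C:\\WINNT\\system32\\iglmtray.exe"
"Synchronization Manager"="mobsync.exe /logon"
'''

SAMPLE_DIR = r'''
 Directory of C:\WINNT\system32

07/28/2003  01:12 PM            10,752 iglmtray.exe
07/28/2003  01:12 PM           532,992 iglxtray.exe
07/28/2003  01:12 PM             6,411 authexec.bat
08/23/2001  12:00 PM            38,400 kernel32.dll
'''


def parse_run_values(reg_export: str) -> dict:
    """Return {value_name_lowercased: data} for every value in the export.
    Regedit doubles backslashes in REG_SZ data; collapse them so the data
    compares like a normal path."""
    values = {}
    for line in reg_export.splitlines():
        m = _REG_VALUE.match(line.strip())
        if m:
            values[m.group("name").lower()] = m.group("data").replace("\\\\", "\\")
    return values


def find_indicators(reg_export: str, listing: str) -> list:
    """Return (indicator_type, detail) tuples for every match found."""
    hits = []
    for name, data in parse_run_values(reg_export).items():
        # Last path component of the value data (adequate for the unquoted
        # path the description shows). Windows names are case-insensitive.
        basename = data.split("\\")[-1].lower()
        if name == RUN_VALUE_NAME or basename == RUN_TARGET:
            hits.append(("run_key", f"{name} = {data}"))
    for line in listing.splitlines():
        tokens = line.split()
        if tokens and tokens[-1].lower() in DROPPED_FILES:
            hits.append(("dropped_file", tokens[-1].lower()))
    return hits


if __name__ == "__main__":
    for kind, detail in find_indicators(SAMPLE_REG, SAMPLE_DIR):
        print(f"{kind}: {detail}")
```

On a live host the two inputs would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"` and `dir %SystemRoot%\system32`; note the description's path is C:\WINNT\system32, so the check should be run against whatever the system directory actually is rather than a hard-coded drive letter.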

Symptoms

  • existence of the files detailed above in the system directory, and the "WUPD" value under the Run key.
  • unexpected IRC traffic to remote servers on destination port 7648 (not the conventional IRC port 6667).

Method of Infection

The worm uses a trojanised mIRC client coupled with batch and IRC scripts in order to infect and spread between machines.

Once executed on a machine, the worm attempts to connect to a remote IRC server in order to notify the attacker of the infection. Once connected, the worm can receive remote commands via IRC. Such functionality includes:

  • launch a DoS attack against a remote machine
  • retrieve key information (e.g. CD keys) for various games
  • retrieve information about the victim machine
  • scan for remote machines to spread to

Share propagation relies upon poorly secured shares. The worm attempts to connect to remote shares (using the AUTHEXEC.BAT script) with each of the following username/password pairs, where "(blank)" denotes an empty password (password listed first, then username):

Password    User
(blank) Administrador
(blank) Administrateur
(blank) Administrator
(blank) admin
(blank) administrador
(blank) administrator
(blank) administrator
(blank) administrator
(blank) cs
(blank) guest
(blank) root
(blank) server
(blank) test
(blank) user
(blank) wwwroot
1 Administrator
1 administrator
123 Administrator
123 admin
123 administrator
12345 Administrator
12345 admin
12345 administrator
123456 administrator
54321 administrator
654321 administrator
Admin admin
Administrador administrador
Administrator administrator
abc administrator
abc123 administrator
admin Administrator
admin admin
admin administrator
admin123 administrator
administrador administrador
administrator administrator
asdf administrator
changeme administrator
database database
guest guest
network network
pass administrator
password Administrador
password Administrateur
password Administrator
password administrador
password administrateur
password administrator
password123 administrator
qwerty administrator
qwertyuiop administrator
red123 administrator
root root
secret administrator
server server
sql sql
sqladmin sqladmin
sqlagent sqlagent
student student
teacher teacher
temp administrator
temp123 administrator
test test
test123 administrator
user user
wwwadmin wwwadmin
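From the target's side, the credential table above shows up as a burst of failed network logons from one source against many well-known account names, followed by a successful network logon if any pair matched. The script below is an added example (not McAfee's code) of that detection logic. The record format (timestamp, event ID, account, logon type, source) and the log lines are constructed samples, not real captures; the event IDs are the NT/2000/XP Security-log values (529 for a bad-password/unknown-user failure, 528 for a successful logon) and the two-minute window and three-account threshold are assumptions to tune for the environment.

```python
"""Detect the share brute-force pattern from the credential table above.

Added example, not McAfee's code. SAMPLE_LOG uses a constructed record
format: 'timestamp event_id account logon_type source'. Thresholds are
assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Account names the worm's credential table targets (lowercased).
TARGETED_ACCOUNTS = {
    "administrator", "administrador", "administrateur", "admin", "cs",
    "guest", "root", "server", "test", "user", "wwwroot", "database",
    "network", "sql", "sqladmin", "sqlagent", "student", "teacher",
    "wwwadmin",
}

LOGON_FAILURE = 529   # NT/2000/XP: unknown user name or bad password
LOGON_SUCCESS = 528   # NT/2000/XP: successful logon
NETWORK_LOGON = 3     # logon type used for share (SMB) access

SAMPLE_LOG = """\
2003-07-28T13:05:01 529 Administrator 3 10.0.0.5
2003-07-28T13:05:02 529 administrador 3 10.0.0.5
2003-07-28T13:05:02 529 admin 3 10.0.0.5
2003-07-28T13:05:03 529 guest 3 10.0.0.5
2003-07-28T13:05:04 529 root 3 10.0.0.5
2003-07-28T13:05:05 528 administrator 3 10.0.0.5
2003-07-28T13:00:00 529 jsmith 2 10.0.0.9
2003-07-28T13:30:00 529 Administrator 3 10.0.0.9
2003-07-28T14:30:00 529 admin 3 10.0.0.9
"""


def parse_record(line: str) -> dict:
    """Parse one constructed-format record."""
    ts, event_id, account, logon_type, source = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "account": account.lower(),   # Windows account names are case-insensitive
        "logon_type": int(logon_type),
        "source": source,
    }


def find_share_bruteforce(lines, window=timedelta(minutes=2), min_accounts=3) -> dict:
    """Flag each source that fails network logons against at least
    `min_accounts` distinct targeted accounts inside `window`.
    Returns {source: {"accounts": [...], "success_after": bool}}."""
    failures = defaultdict(list)   # source -> [(ts, account)]
    successes = defaultdict(list)  # source -> [ts]
    for line in lines:
        r = parse_record(line)
        if r["logon_type"] != NETWORK_LOGON:
            continue  # interactive failures are not share propagation
        if r["event_id"] == LOGON_FAILURE:
            failures[r["source"]].append((r["ts"], r["account"]))
        elif r["event_id"] == LOGON_SUCCESS:
            successes[r["source"]].append(r["ts"])

    alerts = {}
    for source, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so events[start:end+1] spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            tried = {a for _, a in events[start:end + 1] if a in TARGETED_ACCOUNTS}
            if len(tried) >= min_accounts:
                first_failure = events[0][0]
                alerts[source] = {
                    "accounts": sorted({a for _, a in events if a in TARGETED_ACCOUNTS}),
                    # A network logon success from the same source after the
                    # failures began means one of the listed passwords worked.
                    "success_after": any(t >= first_failure for t in successes[source]),
                }
                break
    return alerts


if __name__ == "__main__":
    for src, info in find_share_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```

The `success_after` flag is the part worth acting on: a source that only fails is a scanner to block at the perimeter, while a source that fails and then succeeds has a foothold on the share and the account it used needs its password changed.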

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Worm.Win32.Randon.u (AVP)