W32/Tumbi.worm.gen.b
- Type
- Virus
- SubType
- Generic Worm
- Discovery Date
- 02/24/2004
- Length
- Varies
- Minimum DAT
- 4328 (02/25/2004)
- Updated DAT
- 4787 (06/19/2006)
- Minimum Engine
- 5.1.00
- Description Added
- 04/26/2004
- Description Modified
- 05/20/2004 4:58 PM (PT)
Characteristics
This description is intended as a general guide. There are several variants of this trojan, and the specific actions taken are decided by the hacker who creates or uses the trojan.
This is a worm that exploits the MS03-026 vulnerability and the MS00-078 vulnerability. The worm has backdoor and password stealing capabilities.
When run, it creates the following registry key:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Microsoft IIS" = "syshost.exe"
It drops a DLL file, lol.dll, in the current directory. lol.dll is a Windows hook DLL that can capture window text and keystrokes.
The worm attempts to exploit the vulnerabilities mentioned above to infect other machines by scanning random IP addresses.
The worm connects to a specific IRC server on port 6669 waiting for remote IRC commands. It can perform various backdoor activities, such as:
- Download and execute files.
- Perform Denial of Service attacks.
- Capture banking information.
- IP scanning.
Symptoms
- Existence of the files detailed above
- Unexpected traffic to a remote server (destination port 6669 - IRC)
Method of Infection
The worm spreads by exploiting vulnerabilities in Microsoft Windows.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- Francette_based (Norman)
- W32.Francette.Worm (Symantec)
- Win32.Tumbi (CA)
- Worm.Win32.Francette (AVP)
- WORM_FRANCETTE (Trend)