Sybari Virus Alert
W32/Tpbot-A 17-Aug-2005
Aliases:  W32.Zotob.E (Symantec), WORM_RBOT.CBQ (Trend), Net_Worm.Win32.Bozori.A (Kaspersky)
Description

W32/Tpbot-A is a network worm with backdoor Trojan functionality for the Windows platform.

When run, W32/Tpbot-A copies itself to the Windows system folder as wintbp.exe and creates the following registry entry in order to run each time a user logs on:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wintbp.exe
"wintbp.exe"

W32/Tpbot-A spreads using a variety of techniques including the exploitation of operating system vulnerabilities such as LSASS (MS04-011) and PnP (MS05-039).

The backdoor component connects to an IRC server and joins a predetermined channel where it then awaits commands from attackers.

W32/Tpbot-A may attempt to download and execute additional files.
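
A host check for the two persistence artifacts described above (the wintbp.exe copy in the Windows system folder and the Run value that references it), as an added example that is not part of the original alert. The function name and the output field names are illustrative assumptions.

```powershell
# Added example: look for the W32/Tpbot-A persistence artifacts named in this alert.
$indicator  = 'wintbp.exe'
$runKeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Get-RunKeyHit {   # hypothetical helper name
    param([string]$KeyPath, [string]$Needle)
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if (-not $key) { return }
    foreach ($name in $key.GetValueNames()) {
        # Read the stored data without expanding %VARIABLES%, so the report
        # shows exactly what is in the registry.
        $data = [string]$key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        if ($name -like "*$Needle*" -or $data -like "*$Needle*") {
            [pscustomobject]@{ Key = $KeyPath; ValueName = $name; Data = $data }
        }
    }
}

# 1. Run value that starts the worm at logon.
$runHits = @(Get-RunKeyHit -KeyPath $runKeyPath -Needle $indicator)

# 2. Dropped copy in the Windows system folder.
$systemDir = [Environment]::GetFolderPath('System')
$filePath  = Join-Path $systemDir $indicator
$fileHit   = $null
if (Test-Path -LiteralPath $filePath -PathType Leaf) {
    # -Force so a hidden or system-attributed file is still returned.
    $item    = Get-Item -LiteralPath $filePath -Force
    $fileHit = [pscustomobject]@{
        Path     = $item.FullName
        Size     = $item.Length
        Modified = $item.LastWriteTimeUtc
        SHA256   = (Get-FileHash -LiteralPath $filePath -Algorithm SHA256).Hash
    }
}

# Report both findings; either one alone is worth investigating.
$found = ($runHits.Count -gt 0) -or ($null -ne $fileHit)
[pscustomobject]@{
    Computer   = $env:COMPUTERNAME
    RunKeyHits = $runHits
    File       = $fileHit
    Suspected  = $found
} | Format-List

# Non-zero exit code lets a deployment tool collect the flagged hosts.
if ($found) { exit 1 } else { exit 0 }
```

A clean result only covers these two artifacts; the LSASS (MS04-011) and PnP (MS05-039) patches still need to be verified separately.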

Scan Engine             Version
Computer Associates
Kaspersky Labs          2005081614
Network Associates      2005081602
Norman Data Defense     2005081701
Sophos                  2005081606
VirusBusters
Command                 2005081703
AhnLab                  2005081603