Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 21 Dec 2006
Damage: Medium

Characteristics: W32.Tanexor is a worm that propagates through removable storage devices. It also opens a back door and downloads potentially malicious files onto the compromised computer.

More details about W32.Tanexor.A

Once the worm executes, it drops several files and then creates others. It creates a service with the service name power1_k and the display name Provisioning Service Transaction, then creates a registry subkey for that service and adds a value to the subkey. The worm attempts to download a file. It stops the AVP and wscsvc services and ends several processes, some of which may belong to security applications: RavmonD.exe, Ravmon.exe, kavsvc.exe and avp.exe. The worm then opens a back door by connecting over TCP port 8002 to power1k.3322.org, sends version information and a description of the hardware to the remote user, and waits for commands.

The worm lets a remote attacker execute the STOPATTACK, UPDATEDATA, DOWNLOAD, REMOVE and FLOOD (syn, get, udp or icmp) commands.

Isolate compromised computers quickly to prevent the threat from spreading further. Perform a forensic analysis and then restore the computers from trusted media. Disable and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical; these services are avenues of attack, and removing them reduces the attack surface.
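A host-triage script, added here as an example and not part of the original write-up, that checks `sc query` and `netstat -an` style output for the indicators described above: the power1_k service and its display name, the stopped AVP/wscsvc services, and TCP connections on port 8002 to power1k.3322.org. The sample output and the IP-to-hostname mapping are constructed for the example and are assumptions, not captured data.

```python
import re

# Indicators taken from the write-up above
WORM_SERVICE_NAME = "power1_k"
WORM_DISPLAY_NAME = "Provisioning Service Transaction"
BACKDOOR_HOST = "power1k.3322.org"
BACKDOOR_PORT = 8002
DISABLED_SERVICES = {"avp", "wscsvc"}  # services the worm stops

def check_services(sc_query_output: str) -> list:
    """Scan `sc query`-style text for the worm's service and for stopped security services."""
    findings, name = [], None
    for line in sc_query_output.splitlines():
        line = line.strip()
        m = re.match(r"SERVICE_NAME:\s*(\S+)", line)
        if m:
            name = m.group(1)
            if name.lower() == WORM_SERVICE_NAME:
                findings.append(f"worm service present: {name}")
        m = re.match(r"DISPLAY_NAME:\s*(.+)", line)
        if m and m.group(1).strip() == WORM_DISPLAY_NAME:
            findings.append(f"worm display name on service {name}")
        m = re.match(r"STATE\s*:\s*\d+\s+(\w+)", line)
        if m and name and name.lower() in DISABLED_SERVICES and m.group(1) != "RUNNING":
            findings.append(f"security service {name} is {m.group(1)}")
    return findings

def check_connections(netstat_output: str, resolved: dict) -> list:
    """Flag TCP connections to the back-door port; `resolved` maps remote IP -> hostname."""
    findings = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "TCP":
            continue
        host, _, port = parts[2].rpartition(":")
        if port == str(BACKDOOR_PORT):
            tag = "back-door C2" if resolved.get(host) == BACKDOOR_HOST else "unexpected 8002 connection"
            findings.append(f"{tag}: {parts[2]}")
    return findings

# Constructed sample data, not captured from a real host
SAMPLE_SC = """SERVICE_NAME: wscsvc
DISPLAY_NAME: Security Center
        STATE              : 1  STOPPED
SERVICE_NAME: power1_k
DISPLAY_NAME: Provisioning Service Transaction
        STATE              : 4  RUNNING"""
SAMPLE_NETSTAT = """TCP    10.0.0.5:49152    203.0.113.7:8002    ESTABLISHED
TCP    10.0.0.5:49153    93.184.216.34:443   ESTABLISHED"""
SAMPLE_DNS = {"203.0.113.7": "power1k.3322.org"}  # constructed IP-to-host mapping
```

Running `check_services(SAMPLE_SC)` and `check_connections(SAMPLE_NETSTAT, SAMPLE_DNS)` on the constructed samples reports the stopped wscsvc service, the power1_k service, its display name and the port 8002 connection to the back-door host.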