W32.Titog.C.Worm


Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 12 Sep 2003
Damage: Medium

Characteristics: W32.Titog.C uses IRC and Microsoft Outlook to propagate itself. Affected systems include Windows 95, Windows 2000, Windows Me, Windows 98, Windows Server 2003, Windows NT, and Windows XP.

More details about W32.Titog.C.Worm

When W32.Titog.C.Worm is executed, it copies itself as %Mirc%\icq2004.exe and %System%\abv32.exe. %System% and %Mirc% are variables. The worm locates the System folder and copies itself to that location: C:\Windows\System (Windows Me, Windows 98, Windows 95), C:\Winnt\System32 (Windows 2000 and Windows NT), or C:\Windows\System32 (Windows XP). Likewise, the worm searches for the mIRC installation folder and copies itself to that location. The worm creates the %System%\GotITFolder folder and then places multiple copies of itself in that folder under randomly chosen file names. It also adds a value to a registry key so that the worm runs every time Windows starts.

The W32.Titog.C.Worm creates a file called Scri1.ini in the mIRC folder so that it can distribute itself as icq2004.exe. The worm also sends an email to every address found in the Microsoft Outlook Address Book. The message has the subject ‘Speed up your connection!’, the body text ‘Speed up your connection up to 2 times faster! windows xp/2000/9x’, and an attachment named ‘t_dsl.exe’. The worm also attempts to download executable files from web sites. In addition, it tries to delete registry values and some files, including files associated with antispyware software.
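As an added example (not part of the original write-up), the mail indicators listed above can be checked against raw messages at a mail gateway or in a mailbox export. The function names, the quarantine rule and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators exactly as stated in this write-up, lower-cased for matching.
SUBJECT = "speed up your connection!"
BODY_PHRASE = "speed up your connection up to 2 times faster!"
ATTACHMENT = "t_dsl.exe"

def _norm(text):
    """Lower-case and collapse whitespace so folded headers still match."""
    return " ".join((text or "").lower().split())

def titog_indicators(raw_message):
    """Return which of the write-up's indicators appear in one raw message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if _norm(msg["Subject"]) == SUBJECT:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None and BODY_PHRASE in _norm(body.get_content()):
        hits.append("body")
    for part in msg.walk():
        if _norm(part.get_filename()) == ATTACHMENT:
            hits.append("attachment")
            break
    return hits

def should_quarantine(raw_message):
    """Assumed rule: the attachment name plus at least one text indicator."""
    hits = titog_indicators(raw_message)
    return "attachment" in hits and len(hits) >= 2

def build_sample(subject, body, filename):
    """Constructed test message; the attachment bytes are inert placeholder data."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"constructed placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    sample = build_sample("Speed up your connection!",
                          "Speed up your connection up to 2 times faster! "
                          "windows xp/2000/9x", "t_dsl.exe")
    print(titog_indicators(sample), should_quarantine(sample))
```

Requiring the attachment name together with a text match keeps a legitimate message that merely reuses the subject line from being quarantined.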