Aliases: Worm.Win32.Randon.u
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Hard
Platform: W32
Discovered: 28 Jul 2003
Damage: High

Characteristics: The W32.Tzet.Worm application spreads through attacking computers with feeble administrator passwords or feeble passwords of default accounts such as guest.

More details about W32.Tzet.Worm

When the W32.Tzet.Worm was executed it consists of an archive that is self-extracting. There are various files that were dropped on victim machine. wsubsys.wav is an IRC script that is Trojanized and has 575 bytes It was detected as the W32.Tzet.worm with the DATs that was specified. The wmpt.exe is an application to launch a processes remote and is detected as the REmoteProcessLaunch application with the DATs 4252 or higher. It has 575 bytes. The vidriv.exe has 24,064 bytes. This is a tool used for hiding the application that is running and it is detected as HideWindow application with 4241 DATs or even greater. The printf_core.exe has 20,480 bytes. This application is for deleting the shares from the detected machine as Delshare application with the specified DATs.

The W32.Tzet.Worm uses a mIRC client that is trojanized coupled with a batch and an IRC scripts so that it infects and propagate between the machines. Once the machine was performed, the worm tries to access to the server of the IRC remote so that it will notify the infection hacker. Once it was connected, the worm can perceive remote commands through the IRC. The functionality launches DOS attack on the machine that is remote. It retrieves the information of the key about variety of games. It retrieves the information about the victim machine. Also it scans the remote machine so it can propagate to.