The Net's Best Services, Programs, Software, and More!

Internet Security

W32 Titog C Worm Fixes

W32.Titog.C.Worm does the following:

Copies itself as:

%System%\nabv32.exe
%Mirc%\icq2004.exe

Worm Notes:

%System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

%mirc% is a variable. The worm locates the Mirc installation folder and copies itself to that location.

Worm Technicalities:

Creates the %System%\GotITFolder folder, and then makes many copies of itself in that folder as randomly chosen file names.

Adds the value:

"anbv32"="%system%\nabv32.exe"

to the registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows\CurrentVersion\RunServices

..so that it runs each time you start Windows.

Creates the file, Scri1.ini, in the mIRC folder. This is used to distribute the worm as icq2004.exe.

Sends email to all the addresses in the Microsoft Outlook Address Book

The message has the following characteristics:

Subject: Speed up your connection!
Message: Speed up your connection up to 2 times faster! windows xp/2000/9x

Attachment: t_dsl.exe

Tries to download some executable files from a Web site

Attempts to delete many files and registry values, including those associated with antivirus software. (A W32.Titog.Worm writeup will show a complete list of the files and registry values, which this worm targeted.)

All users and administrators should be encouraged to adhere to the following basic security procedures:

Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.

If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.

Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.

Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.

Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.

Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.

Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

The following instructions pertain to current and recent antivirus and antispyware products.

Disable System Restore (Windows Me/XP).

Update the virus definitions.

Run a full system scan and delete all the files detected as W32.Titog.C.Worm.

Delete the value that was added to the registry.

For specific details, read the following.

Disabling System Restore (Windows Me/XP)

If you are running Windows Me or Windows XP, it's recommended that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Virus and/or spyware scans may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation.

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base articles.

Updating Virus Definitions

There are two ways to obtain the most recent virus definitions:

Run "Update" on your antivirus and/or spyware software, which is the easiest way to obtain virus definitions: These virus definitions are uasually posted to Update services on a regular schedule, unless there is a major virus outbreak.

Download the definitions using your provided Updater: The Updater virus definitions should download the definitions from the Security Systems Web site and manually install them.

Scan PC for and Deleting Infected Files

Start your antivirus and them spyware sanning programs and make sure that they are configured to scan all the files.

Run a full system scan.

If any files are detected as infected with W32.Titog.C.Worm, click Delete, or alter their name

Deleting from the Registry

WARNING: It is strongly recommended that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files.