WORM_TENDOOLF.A

Malware type: Worm

Aliases: Backdoor.Win32.Tendoolf.c (Kaspersky), W32/Floodnet@MM (McAfee), W32.Tendoolf (Symantec), BDS/Delf.BD.Srv (Avira), Mal/Generic-A (Sophos), Backdoor:Win32/Tendoolf (Microsoft)

In the wild: No

Destructive: No

Language: English

Platform: Windows

Encrypted: No

Overall risk rating:

Description: 
This Internet worm propagates via Microsoft Outlook, AOL Instant Messenger, and MSN Messenger. It uses Microsoft Outlook to send emails with a copy of itself as an attachment, CUTE.EXE, to all email addresses listed in the infected user's address book. It propagates via AOL Instant Messenger and MSN Messenger by sending a copy of itself to all recipients listed in the infected user's contact list.

It also modifies the registry and system files so that it executes upon Windows startup.


Description created: Jan. 23, 2002 6:12:33 PM GMT -0800
Description updated: May. 3, 2002 4:25:49 AM GMT -0800


TECHNICAL DETAILS


Size of malware: 235,520 bytes (UPX compressed); 615,936 bytes (uncompressed)

Initial samples received on: Jan 22, 2002

Payload 1: (sends itself in an attachment called CUTE.EXE)

Details:
This Internet worm was written in Borland Delphi. Upon execution, it copies itself as KERNEL32.EXE into the %Windows% folder and then adds the following registry entries so that the copy executes at Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Windows" = "C:\Windows\Kernel32.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
"Windows" = "C:\Windows\Kernel32.exe"

It modifies the load= line under the [windows] section of the WIN.INI file:
load=C:\Windows\Kernel32.exe

It appends its path to the shell= line under the [boot] section of the SYSTEM.INI file (the line keeps explorer.exe):
shell=explorer.exe C:\Windows\Kernel32.exe

The worm uses Microsoft Outlook to send emails with a copy of itself as an attachment, CUTE.EXE, to all email addresses listed in the infected user's address book.

It propagates via AOL Instant Messenger and MSN Messenger by sending a copy of itself to all recipients listed in the infected user's contact list.

The following text strings are found in the worm code:

Thoughts... I just found this program, and, I don't know why... but it reminded me of you. Check it out.


SOLUTION


Minimum scan engine version needed: 5.200

Pattern file needed: 1.208.00

Pattern release date: Jan 22, 2002


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

  1. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows
    >CurrentVersion>Run
  3. In the right panel, right-click this registry value and delete it:
    "Windows" = "C:\Windows\Kernel32.exe"
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows
    >CurrentVersion>RunServices
  5. In the right panel, right-click this registry value and delete it:
    "Windows" = "C:\Windows\Kernel32.exe"
  6. Exit the Registry Editor.
  7. Restore your system files. Click Start>Run, type SYSEDIT, then press Enter.
  8. Edit WIN.INI and, under the [windows] section, delete this entry after "load=": C:\Windows\Kernel32.exe
  9. Edit SYSTEM.INI and, under the [boot] section, delete this entry after "shell=". Note that this line also contains "explorer.exe", which must not be deleted:
    C:\Windows\Kernel32.exe
  10. Scan your system with Trend Micro antivirus and delete all files detected as WORM_TENDOOLF.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other email users may use HouseCall, Trend Micro's free online virus scanner.
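A defender-side audit of the three persistence points described under Technical Details (the Run and RunServices keys, the WIN.INI load= line and the SYSTEM.INI shell= line), the same entries the manual steps 2 through 9 above remove. This is an added Python example, not Trend Micro's code or tool. It assumes text exports (the INI file contents and a REGEDIT4-style export of the two Run keys) rather than a live registry; the sample inputs are constructed to mirror the entries the page describes, and the indicator path is the one the page gives.

```python
# Added example (not Trend Micro's tooling): audit the three autostart
# locations described above for the path the worm registers.  It works on
# text exports rather than a live system: the contents of WIN.INI and
# SYSTEM.INI, plus a REGEDIT4 export of the Run / RunServices keys.
# The sample inputs are constructed to mirror the entries on the page.
import re

# Indicator taken from the page.  The genuine kernel32 lives in the System
# folder, so an EXE of this name at the root of %Windows% is already odd.
INDICATOR_PATH = r"c:\windows\kernel32.exe"

RUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
)

REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')


def parse_ini(text):
    """Parse INI text into {section: {key: value}} with sections/keys lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def check_win_ini(text):
    """[windows] load= is normally empty; flag it when it carries the indicator."""
    load = parse_ini(text).get("windows", {}).get("load", "")
    if INDICATOR_PATH in load.lower():
        return [("win.ini [windows] load", load)]
    return []


def check_system_ini(text):
    """[boot] shell= should name only explorer.exe; flag every extra program."""
    shell = parse_ini(text).get("boot", {}).get("shell", "")
    # Entries are space-separated; the Windows 9x paths involved contain no spaces.
    return [("system.ini [boot] shell", p) for p in shell.split()
            if p.lower() != "explorer.exe"]


def check_reg_export(text):
    """Flag Run/RunServices values whose data points at the indicator path."""
    findings, run_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            run_key = key if key in RUN_KEYS else None  # only track the two keys
            continue
        m = REG_VALUE_RE.match(line)
        if m and run_key:
            data = m.group("data").replace("\\\\", "\\")  # .reg doubles backslashes
            if INDICATOR_PATH in data.lower():
                findings.append((run_key + "\\" + m.group("name"), data))
    return findings


def audit(win_ini, system_ini, reg_export):
    """Return every (location, value) matching the worm's persistence entries."""
    return (check_win_ini(win_ini) + check_system_ini(system_ini)
            + check_reg_export(reg_export))


# Constructed samples reproducing the modifications the page describes.
SAMPLE_WIN_INI = r"""[windows]
load=C:\Windows\Kernel32.exe
run=
[Desktop]
Wallpaper=(None)
"""

SAMPLE_SYSTEM_INI = r"""[boot]
shell=explorer.exe C:\Windows\Kernel32.exe
[386Enh]
device=*vmm
"""

SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Windows"="C:\\Windows\\Kernel32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Windows"="C:\\Windows\\Kernel32.exe"
'''

if __name__ == "__main__":
    for location, value in audit(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI, SAMPLE_REG):
        print(f"{location}: {value}")
```

Run against the constructed samples it reports four findings, one per persistence location the worm touches; on a clean system all three checks return empty lists. The script only reports; removal is left to the manual steps above so that explorer.exe in the shell= line and legitimate Run values are never touched by automation.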


