Win32/Tuwuky [Threat Name]
Win32/Tuwuky.A [Threat Variant Name]
Category | worm
Size | 141824 B
Aliases | VirTool:Win32/Injector.BZ (Microsoft); Win32:Zbot-NDX (Avast)
Short description
Win32/Tuwuky.A is a worm that spreads via IM and social networks.
Installation
When executed, the worm copies itself to the following locations:
- %localappdata%\%variable%.exe
- %startup%\%variable%.exe
In order to be executed on every system start, the worm sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  - "%variable%" = "%localappdata%\%variable%.exe"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  - "%variable%" = "%localappdata%\%variable%.exe"
A string with variable content is used instead of %variable%.
Information stealing
The worm collects the following information:
- operating system version
- computer name
- network parameters
- installed software
The worm attempts to send gathered information to a remote machine.
Spreading
Win32/Tuwuky.A is a worm that spreads via IM and social networks.
The worm sends links to Facebook and MSN users.
Other information
The worm acquires data and commands from a remote computer or the Internet.
The worm contains a list of addresses. The IRC protocol is used in the communication.
It may perform the following actions:
- download files from a remote computer and/or the Internet
- run executable files
- update itself to a newer version
- uninstall itself
- spread via IM networks
- change the web browser home page
The worm may create the following files:
- %temp%\rmme%variable%.bat
- %temp%\eraseme_%variable%.exe
- %temp%\ageofempires_%variable%.exe
The worm may set the following Registry entries:
- [HKEY_CURRENT_USER\Software\twk70]
  - "n" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
  - "Start Page" = "%variable%"
A string with variable content is used instead of %variable%.
The worm executes the following command:
- netsh firewall add allowedprogram 1.exe 1 ENABLE
This command adds an exception to the Windows Firewall for the named program.
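The persistence entries, the twk70 marker key, the Internet Explorer start page change and the netsh firewall exception listed above are all host artifacts a defender can look for. The following Python script is an added example, not part of the ESET entry, that checks a registry snapshot and a list of process command lines against those indicators. The snapshot dictionary, the command lines and the value name `kxqzt` are constructed sample data; the function names are hypothetical, and a real deployment would feed the checks from a registry export or an EDR query instead.

```python
import re
from typing import Dict, List, Tuple, Union

RegistryView = Dict[str, Dict[str, Union[str, int]]]

# Keys named in the ESET entry.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
MARKER_KEY = r"HKEY_CURRENT_USER\Software\twk70"
IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"

# An executable placed directly in the root of %localappdata%, which is where the
# entry says the worm copies itself. Legitimate software normally installs into a
# vendor subfolder below AppData\Local rather than into the root.
LOCALAPPDATA_ROOT_EXE = re.compile(
    r"""^"?[a-z]:\\users\\[^\\]+\\appdata\\local\\[^\\]+\.exe"?(\s|$)""",
    re.IGNORECASE)

# netsh firewall add allowedprogram <path> <name> ENABLE, as quoted in the entry.
NETSH_ALLOWEDPROGRAM = re.compile(
    r"netsh(\.exe)?\s+firewall\s+add\s+allowedprogram\s+(\S+)\s+(\S+)\s+enable",
    re.IGNORECASE)

# Constructed sample snapshot (not real data): one benign autorun plus the
# artifacts described on the page, with "kxqzt" standing in for %variable%.
SAMPLE_REGISTRY: RegistryView = {
    RUN_KEYS[1]: {
        "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
        "kxqzt": r"C:\Users\alice\AppData\Local\kxqzt.exe",
    },
    RUN_KEYS[0]: {"kxqzt": r"C:\Users\alice\AppData\Local\kxqzt.exe"},
    MARKER_KEY: {"n": 1},
    IE_MAIN_KEY: {"Start Page": "http://example.invalid/landing"},
}
SAMPLE_PROCESS_CMDLINES = [
    r"C:\Windows\System32\netsh.exe firewall add allowedprogram 1.exe 1 ENABLE",
    r"C:\Windows\System32\svchost.exe -k netsvcs",
]


def check_run_keys(registry: RegistryView) -> List[str]:
    """Flag autoruns in the %localappdata% root and values mirrored in both hives."""
    findings: List[str] = []
    seen: Dict[Tuple[str, str], List[str]] = {}
    for key in RUN_KEYS:
        for name, data in registry.get(key, {}).items():
            data = str(data)
            if LOCALAPPDATA_ROOT_EXE.match(data):
                findings.append(f"autorun in %localappdata% root: {key}\\{name} = {data}")
            seen.setdefault((name, data.lower()), []).append(key)
    # The entry sets the same value under HKLM and HKCU; ordinary installers rarely do both.
    for (name, data), keys in seen.items():
        if len(keys) == len(RUN_KEYS):
            findings.append(f"same autorun value '{name}' under both HKLM and HKCU Run: {data}")
    return findings


def check_marker_key(registry: RegistryView) -> List[str]:
    """The twk70 key has no legitimate owner; its presence alone is an indicator."""
    values = registry.get(MARKER_KEY)
    return [] if values is None else [f"marker key present: {MARKER_KEY} = {dict(values)}"]


def check_start_page(registry: RegistryView, allowed: Tuple[str, ...]) -> List[str]:
    """Report a start page outside the organisation's allowlist (the page says it is overwritten)."""
    page = registry.get(IE_MAIN_KEY, {}).get("Start Page")
    if page is None or any(str(page).lower().startswith(a.lower()) for a in allowed):
        return []
    return [f"Internet Explorer start page changed to: {page}"]


def check_firewall_commands(cmdlines: List[str]) -> List[str]:
    """Match the netsh invocation quoted in the entry, regardless of the program name used."""
    findings = []
    for line in cmdlines:
        m = NETSH_ALLOWEDPROGRAM.search(line)
        if m:
            findings.append(f"firewall exception added via netsh for '{m.group(2)}' (rule name '{m.group(3)}')")
    return findings


def scan(registry: RegistryView, cmdlines: List[str], allowed_start_pages: Tuple[str, ...]) -> List[str]:
    return (check_run_keys(registry) + check_marker_key(registry)
            + check_start_page(registry, allowed_start_pages) + check_firewall_commands(cmdlines))


if __name__ == "__main__":
    for finding in scan(SAMPLE_REGISTRY, SAMPLE_PROCESS_CMDLINES, ("about:blank",)):
        print(finding)
```

The netsh check fires on the command shape rather than on the literal `1.exe`, since `%variable%` tells you the names are not stable; the start page check needs an allowlist because the entry only says the value is replaced, not with what. Run against the constructed sample the script reports six findings: the two Run values in the %localappdata% root, the HKLM/HKCU mirror, the marker key, the changed start page and the firewall exception.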