Win32/Tauro [Threat Name]

Win32/Tauro.B [Threat Variant Name]

Category: worm
Size: 16384 B
Aliases: Email-Worm.Win32.Tauro.b (Kaspersky), W32.Tauro (Symantec)
Short description

Win32/Tauro.B is a worm that spreads via e-mail. The worm tries to copy itself to shared network folders and available FTP servers, too. The file is run-time compressed using UPX. The worm terminates specific running processes.

Installation

When executed, the worm copies itself into the

  • %windir%

folder using the following name:

  • Monitor.exe

The following file is dropped in the same folder:

  • Casabona.ita

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "windows" = "%windir%\Monitor.exe"

The worm copies itself into the root folders of fixed and/or removable drives using the following names:

  • WINDOWSUPDATE.exe
  • AUTOCAD.exe
  • QUAKE4.exe
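
As an added triage example (written for this page, not an ESET tool or code from the original entry), the following PowerShell checks a Windows host for the persistence entry and file locations listed in the Installation section and reports any that are present. It is read-only and assumes the paths exactly as described above.

```powershell
# Read-only host check for the Win32/Tauro.B indicators listed above.
# Example code added to this page; it reports matches and changes nothing.

$findings = @()

# 1. Autorun entry: HKLM\...\Run, value "windows" pointing at %windir%\Monitor.exe
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = Get-ItemProperty -Path $runKey -Name 'windows' -ErrorAction SilentlyContinue
if ($runValue -and $runValue.windows -match 'Monitor\.exe') {
    $findings += "Run key value 'windows' = $($runValue.windows)"
}

# 2. Worm copy and dropped file in %windir%
foreach ($name in 'Monitor.exe', 'Casabona.ita') {
    $path = Join-Path $env:windir $name
    if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
}

# 3. Copies in the root of fixed (DriveType 3) and removable (DriveType 2) drives
$drives = Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -in 2, 3 }
foreach ($drive in $drives) {
    foreach ($name in 'WINDOWSUPDATE.exe', 'AUTOCAD.exe', 'QUAKE4.exe') {
        $path = Join-Path ($drive.DeviceID + '\') $name
        if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Win32/Tauro.B indicators found.'
} else {
    Write-Output 'Possible Win32/Tauro.B indicators:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

A match on the file names alone is not proof of infection (the names are ordinary), so confirm any hit with an up-to-date scanner before acting on it.
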

Spreading via e-mail

The worm gathers e-mail addresses for further spreading from the e-mails stored locally.

The subject of the message is the following:

  • Important security hole!

The body of the message is the following:

  • A new security hole has been found in Windows(R) systems, so you should install the patch attached at this message

The attachment is an executable of the worm.

The name of the attached file is the following:

  • UPDATE.exe

Spreading via shared folders

The worm tries to copy itself to the available shared network folders. The worm generates various IP addresses. The following filename is used:

  • UPDATE.exe

The following names of the shared network folders are used:

  • c$
  • d$
  • Admin$
  • c
  • d

The following usernames are used:

  • Guest
  • Administrator
  • Owner

The worm uses an empty string as a password.

The worm also tries to copy itself to available FTP servers. The worm generates various IP addresses. The following filename is used:

  • Mirc7.exe

The following usernames are used:

  • anonymous
  • root
  • guest
  • 0000
  • 0001
  • administrator
  • Cyber

The following passwords are used:

  • 9999
  • COMMAND
  • Billy@microsoft.com
  • Linus
  • Funky
  • 1234
  • 4321
  • 1111
  • server

Other information

The worm may display the following message:

  • I am with you!!!...by WarGame

The worm may terminate specific running processes.

It avoids those with any of the following strings in their names:

  • explorer
  • rundll

The worm changes the window title of all running applications to the following text:

  • Do you like your life?????...I l0ve r00t!!!...WarGame
