
Security software is disabled by the Pintae worm

The Pintae.A worm spreads through email and network shares. Its main danger is that it disables security applications running on Windows.

After creating several files, the Pintae.A worm modifies the registry so that, among other things, Task Manager and the registry editor become inaccessible. It also changes Windows Explorer settings.

Pintae.A terminates the processes of various security products and mails itself to email addresses collected from the Windows Address Book. The worm also tries to infect further computers through network shares.

Pintae.A also creates a file into which it writes system information, including the computer name, user information, mail settings and the time of infection.

When the Pintae.A worm starts, it performs the following actions:

1. Creates the following files:
%UserProfile%\Start Menu\Programs\Startup\MSKernell.bat
%System%\AutoRun.bat
%Windir%\Exit to DosPrompt.pif
Readme.scr (in the root directory of drives C and D)
info.txt (in the root directory of drives C and D)

2. Writes the following information to info.txt:
- user name
- computer name
- POP3 server address
- SMTP settings
- date and time of infection

3. Adds the following values to the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm is started at every logon:
"NOYPI_KANG_ASTIG" = "%Windir%\Exit to DosPrompt.pif"
"taetae" = "%Windir%\Exit to DosPrompt.pif"

4. Adds the following values to the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
(a key that is only honored by Windows 9x/ME):
"TANG_INA_MO" = "%System%\AutoRun.bat"
"taengtae" = "%System%\AutoRun.bat"

5. Sets the following values in the registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
which disables Task Manager and the registry editor for the current user:
"DisableTaskMgr" = "1"
"DisableRegistryTools" = "1"

6. Sets the following values in the registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
which removes Folder Options and the Find command from Windows Explorer:
"NoFolderOptions" = "1"
"NoFind" = "1"

7. Sets the following value in the registry key
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions
which disables file searching from Internet Explorer:
"NoFindFiles" = "1"

8. Collects email addresses from the Windows Address Book and sends itself to them.

The subject of the infected message may be one of:
CDO.Message
FILIPINO'S SECRETS
My Documents
New Virus Information
Philippines Government Top Secret
TaeTae Virus Information

The file name of the infected attachment may be one of the following (note the double extension: with known file extensions hidden, Explorer shows these as .DOC or .TXT files):
DATA.DOC.exe
DOCUMENT.DOC.exe
INFO.DOC.exe
README.DOC.exe
TAETAE.TXT.exe

9. Terminates the processes of security software.
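The following PowerShell script is an added triage example and is not part of the original write-up or of any vendor tool. It checks a host for the indicators listed in steps 1 to 7 (dropped files, the Run/RunServices persistence values, and the HKCU policy values that hide Task Manager, regedit, Folder Options and Find) and, with -Remediate, removes them; a small helper covers the mail-side indicators from step 8. It assumes it is run elevated as the user whose HKCU hive was modified, that %System% maps to System32 (on Windows 9x/ME it is \Windows\System), and that every fixed drive, not just C and D, should be checked. The function names and the -Remediate switch are this example's own.

```powershell
<#
  Added example, not from the original write-up.
  Triage for the Pintae.A indicators listed above. Default run reports only;
  -Remediate deletes what is found. Assumptions: elevated shell, run as the
  affected user; %System% taken as System32; all fixed drives checked.
#>
[CmdletBinding()]
param([switch]$Remediate)

$windir      = $env:windir
$systemDir   = Join-Path $windir 'System32'
$userProfile = $env:USERPROFILE

# Step 1: dropped files. %UserProfile%\Start Menu is the 9x/XP layout, so the
# current Startup folder is checked as well.
$startupDirs = @(
    (Join-Path $userProfile 'Start Menu\Programs\Startup'),
    [Environment]::GetFolderPath('Startup')
) | Select-Object -Unique
$filePaths  = @()
$filePaths += $startupDirs | ForEach-Object { Join-Path $_ 'MSKernell.bat' }
$filePaths += Join-Path $systemDir 'AutoRun.bat'
$filePaths += Join-Path $windir 'Exit to DosPrompt.pif'
$filePaths += Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Root -match '^[A-Z]:\\$' } |
    ForEach-Object { Join-Path $_.Root 'Readme.scr'; Join-Path $_.Root 'info.txt' }

# Steps 3-4: persistence values (value names as listed above).
$persistence = @{
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'         = @('NOYPI_KANG_ASTIG', 'taetae')
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices' = @('TANG_INA_MO', 'taengtae')
}
# Steps 5-7: policy values the worm sets to 1. Deleting them restores the
# default; a domain GPO may legitimately re-create some of them.
$policies = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   = @('DisableTaskMgr', 'DisableRegistryTools')
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @('NoFolderOptions', 'NoFind')
    'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions'  = @('NoFindFiles')
}

function Get-RegistryValueData {
    param([string]$Key, [string]$Name)
    # Returns the value data, or $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Invoke-PintaeTriage {
    param([switch]$Remediate)
    $findings = @()
    foreach ($path in $filePaths) {
        if (Test-Path -LiteralPath $path) {
            $size = (Get-Item -LiteralPath $path).Length
            $findings += [pscustomobject]@{ Type = 'File'; Location = $path; Data = $size }
            if ($Remediate) { Remove-Item -LiteralPath $path -Force }
        }
    }
    foreach ($table in $persistence, $policies) {
        foreach ($key in $table.Keys) {
            foreach ($name in $table[$key]) {
                $data = Get-RegistryValueData -Key $key -Name $name
                if ($null -ne $data) {
                    $findings += [pscustomobject]@{ Type = 'Registry'; Location = "$key\$name"; Data = $data }
                    if ($Remediate) { Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue }
                }
            }
        }
    }
    return $findings
}

# Step 8: mail-side indicators, for a gateway or mailbox sweep.
$subjects    = @('CDO.Message', "FILIPINO'S SECRETS", 'My Documents', 'New Virus Information',
                 'Philippines Government Top Secret', 'TaeTae Virus Information')
$attachments = @('DATA.DOC.exe', 'DOCUMENT.DOC.exe', 'INFO.DOC.exe', 'README.DOC.exe', 'TAETAE.TXT.exe')

function Test-PintaeMail {
    param([string]$Subject, [string]$AttachmentName)
    # Exact names from the list, plus the generic double-extension pattern
    # (document-looking name ending in .exe) that all of the listed names use.
    if ($subjects -contains $Subject) { return $true }
    if ($attachments -contains $AttachmentName) { return $true }
    return $AttachmentName -match '\.(doc|txt)\.exe$'
}

# Report first; rerun with -Remediate once the worm's process has been killed.
Invoke-PintaeTriage -Remediate:$Remediate | Format-Table -AutoSize
```

Run it without -Remediate first and take the host off the network, because the worm spreads over shares and mail while it runs; the running process (started from the .pif) must be terminated before the files are deleted or they may be recreated. Removing the policy values is what brings Task Manager and regedit back; if a domain GPO sets any of them, it will reapply them and the finding is not the worm. On a host that was actually infected, rebuilding is the safer end state; this script is for triage and confirmation, not a substitute for it.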
