
RAR files are infected by the Tigape worm

Tigape is a worm that spreads through email. It primarily hides inside RAR files and disables the security software of infected computers.

The Tigape.A worm spreads primarily through email. The recipient addresses are harvested from the Windows Address Book. The worm creates a number of files on available local and network drives and usually disguises itself as .rar files.

The biggest threat posed by the Tigape.A worm is that it disables security software running on infected computers, including antivirus applications and firewalls. It does not spare the built-in Windows Firewall either: it tries to turn that off too by modifying the registry.

When the Tigape.A worm starts, it performs the following actions:

1. Creates the following file:
%System%\wservice.exe

2. Copies itself to all available local and network drives, using a ".t" extension and an eight-character file name.

3. Creates a RAR file with a file name of seven randomly generated characters on each available local or network drive.

4. Creates the following file:
%CurrentFolder%\[seven random characters].exe

5. Adds the value
"UpdateService" = "%System%\wservice.exe…"
to the registry keys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
so that it runs at every login.

6. Adds the value
"Start" = "4"
to the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
This disables the built-in Windows Firewall (the SharedAccess service).

7. Collects email addresses from the Windows Address Book and sends itself to them.

The subject of infected emails may be one of the following:
White house news!
URG
ATTEN TO EVERYBODY!
READ AND RESEND ASAP!
Incredible news!
NEWS!
ATTN
URGENT NEWS!

Infected emails can carry one of the following files as an attachment:
open.exe
truth.exe
war.exe
last.exe
about me.exe
a.exe
never.exe
latest news.exe
read me.exe

8. Terminates the processes associated with security software.
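A read-only check for the persistence, dropped-file, firewall and file-copy indicators listed in the steps above, written as an added example for this page (it is not from the original article or from any vendor tool). It assumes %System% maps to the System32 folder, that the worm's copies sit in the root of each drive, and that it is run in an elevated PowerShell so HKLM and all drives are readable.

```powershell
# Added example: look for the Tigape.A indicators described above. Read-only, changes nothing.
$findings = @()

# Step 5: "UpdateService" value in either Run key pointing at wservice.exe
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $val = (Get-ItemProperty -Path $key -Name 'UpdateService' -ErrorAction SilentlyContinue).UpdateService
    if ($val -and $val -match 'wservice\.exe') {
        $findings += "Run-key persistence: $key\UpdateService = $val"
    }
}

# Step 1: dropped file in %System% (assumed here to be System32)
$dropped = Join-Path $env:SystemRoot 'System32\wservice.exe'
if (Test-Path $dropped) {
    $findings += "Dropped file present: $dropped"
}

# Step 6: Windows Firewall service (SharedAccess) forced to Disabled (Start = 4)
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess'
$start = (Get-ItemProperty -Path $svcKey -Name 'Start' -ErrorAction SilentlyContinue).Start
if ($start -eq 4) {
    $findings += "SharedAccess (Windows Firewall) service has Start=4 (disabled)"
}

# Steps 2 and 3: eight-character ".t" copies and seven-character ".rar" files in drive roots
# (the article does not say which folder the worm writes to; the root is an assumption)
Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Za-z]:\\$' } | ForEach-Object {
    Get-ChildItem -Path $_.Root -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^([^.]{8}\.t|[^.]{7}\.rar)$' } |
        ForEach-Object { $findings += "Suspicious worm file: $($_.FullName)" }
}

if ($findings.Count -eq 0) {
    'No Tigape.A indicators found.'
} else {
    $findings
}
```

A hit on the Run key or on Start=4 alone is a strong signal, since neither value is set by a default Windows installation; the file-name patterns are weaker and should be confirmed with a scanner.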
