Summary

| Included in our products from | April 2004 (3.80) |
|---|---|
| Protection available since | 17 February 2004 12:51:03 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Tanx-A is a worm that uses email to spread.
The worm arrives in a message with the following characteristics:
Subject line: ID <random characters>... thanks
Message text: Yours ID <random characters>
--
Thank
Attached file: <random_file_name>.exe
The address of the sender is spoofed.
When the attached infected file is run, W32/Tanx-A copies itself into the Windows system folder as au.exe and creates the following registry entry so that the worm file is run during Windows startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\au.exe
= <windows system folder>\au.exe
If the filename of the launched file is not au.exe, the worm attempts to launch the Windows sound recorder application sndrec32.exe.
W32/Tanx-A searches all fixed drives recursively for files with the extensions WAB, TXT, HTM and HTML. These files are searched for email addresses that are later used to fill in the sender and recipient fields of the email message.
W32/Tanx-A opens TCP port 8866 and listens for connections. The backdoor may be used to update the worm file.
W32/Tanx-A will connect to the following websites and submit information about the listening port and the randomly generated infection ID:
www.47df.de
www.strato.de and
intern.games-ring.de
W32/Tanx-A uses the registry key HKCU\Software\Windows2000 to store some other data values (like the randomly created infection ID). The registry values used are gid and frn.
W32/Tanx-A will stop spreading after 25 February 2004.
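The host indicators described above (the au.exe Run value, the gid and frn values under HKCU\Software\Windows2000, and the listener on TCP port 8866) can be checked against output collected from a suspect machine. The following is an added example, not part of the original description; it assumes the text was gathered with `reg query` on the two keys and with `netstat -an`, and the function names and sample data are constructed for illustration.

```python
import re
# Indicators from the description above; registry paths as `reg query` prints them.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
DATA_KEY = r"HKEY_CURRENT_USER\Software\Windows2000"
WORM_FILE, DATA_VALUES, BACKDOOR_PORT = "au.exe", {"gid", "frn"}, 8866

def parse_reg_query(text):
    """Parse `reg query` output into {key path: {value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None and (m := re.match(r"\s+(.+?)\s+REG_\w+\s*(.*)$", line)):
            current[m.group(1)] = m.group(2).strip()
    return keys

def listening_tcp_ports(text):
    """Collect local TCP ports in LISTENING state from `netstat -an` output."""
    ports = set()
    for fields in map(str.split, text.splitlines()):
        if len(fields) >= 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            ports.add(int(fields[1].rsplit(":", 1)[1]))
    return ports

def tanx_findings(reg_text, netstat_text):
    """Return the W32/Tanx-A host indicators present in the collected output."""
    keys = {k.lower(): v for k, v in parse_reg_query(reg_text).items()}
    found = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        # Run value named au.exe whose data points at a file called au.exe
        if name.lower() == WORM_FILE and data.lower().endswith("\\" + WORM_FILE):
            found.append("run-key")
    if DATA_VALUES & {n.lower() for n in keys.get(DATA_KEY.lower(), {})}:
        found.append("data-key")
    if BACKDOOR_PORT in listening_tcp_ports(netstat_text):
        found.append("port-8866")
    return found

# Constructed sample output (not captured from a real host).
SAMPLE_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    au.exe    REG_SZ    C:\WINDOWS\system32\au.exe
HKEY_CURRENT_USER\Software\Windows2000
    gid    REG_SZ    constructed-id
    frn    REG_SZ    constructed-value
"""
SAMPLE_NETSTAT = """
  TCP    0.0.0.0:135     0.0.0.0:0    LISTENING
  TCP    0.0.0.0:8866    0.0.0.0:0    LISTENING
"""
```

Calling `tanx_findings(SAMPLE_REG, SAMPLE_NETSTAT)` on the constructed samples reports all three indicators; an empty list means none of them appear in the supplied output.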
