The Tanatos.b Internet worm spreads via e-mail as a file attachment. The e-mail message itself can have various subjects, message texts, and file attachment names. Infection occurs when the file attachment harboring the malicious code is activated, once this happens the spreading routine is begun. There are several ways to launch the hazardous file: via the IFRAME breech in the Internet Explorer security system (which starts the worm upon message opening), manually when a user opens the infected file attachment or through local area networks.
When installing, Tanatos.b copies itself under random file names into the Windows registry auto-run keys, creates files in the Windows system directory as well as copies itself into the Windows directory and temp files directory.
Next the worm starts its spreading routine using the built-in SMTP engine. To send itself out via e-mail, Tanatos.b looks for e-mail addresses by scanning the available drives for files with the following extensions: *.ODS, *.INBOX, *.MMF, *.NCH, *.MBX, *.EML, *.TBB, *.DBX.
Tanatos.b has several dangerous functions. It infects the executable files in the Windows operation system. In the list of objects infected by Tanatos.b there are executable files from many other popular programs including: Outlook Express, Internet Explorer, WinZip, the KaZaA file sharing system, ICQ and MSN Messenger.
Additionally, the new version of Tanatos has the ability to function as a backdoor program, allowing the virus's creator to control infected machines and gain access to confidential information. To accomplish this, the worm opens port 1080, through which it can do the following:
* Transfer hard drive data
* Copy, open and delete files
* Inform about active applications and to close them
* Load files from remote computers and send keyboard log reports to the virus author
* Setup an http server
The first version of the Tanatos Internet worm was detected in September 2002. At that time Tanatos caused a huge number of infections the world over. The worm combined the functionality of an Internet worm with that of a Trojan program, making it an exceptionally dangerous program capable of leaking out confidential information.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.