Worm:W32/Tyhos regularly checks for any removable devices connected to the system; if found, the worm copies itself to the removable drive.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
Worm:W32/Tyhos spreads via infected removable drives; once present on a machine, it checks the system for any connected removable drives every 10555 milliseconds. If found, it copies itself to the removable drive.
The worm file itself is packed using the F[ast] S[mall] G[ood] packer.
The details below are based on analysis of the following sample: SHA1: 21ae5cf02ba792d902efb7cbc9a115769c878337.
On execution, the worm creates copies of itself in the following locations:
The copied files have their properties set to hidden. The worm also adds registry keys for both files, so that they run automatically whenever the system is started:
It also drops an HTML page to:
And creates the following mutexes:
Once the files are dropped, the isass.exe file is launched by shellexecute and checks whether a file named ghosty.d is present in the SystemRoot folder. It also opens the dropped index.html file:
index.html file displayed by Worm:W32/Tyhos
Date Created: -
Date Last Modified: -