Effects
TellSky.A carries out the following actions:
- It ends the processes containing any of these text strings, if they are running:
Avast
Avg
Bitdefender
cmd
F-Secure
Kaspersky
Mcafee
msconfig
Nod32
Panda
Security
Sophos
Symantec
task
ZYYd
These processes belong to antivirus programs and system applications.
- It prevents the following applications from being run:
- Windows Registry Editor
- Task Manager
- Command Shell (CMD)
- It deletes the following functions:
- Log off
- Folder Options from the Windows Explorer
- Search from the Windows Explorer
- Run from the Start menu
- System restore
- It changes the Internet Explorer window title to @Annew Forever Love@.
- It displays the following message when it is run:

Infection strategy
TellSky.A creates the following files:
- MSNMSGR.EXE in the Windows system directory.
- MSDOS.PIF in the Windows directory.
These two files are copies of the worm.
Additionally, it creates the file AUTORUN.INF in the root directory of the different system drives.
TellSky.A creates the following entries in the Windows Registry:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
MsnMsgr = %sysdir%\msnmsgr.exe
where %sysdir% is the Windows system directory.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MsnMsgr = %sysdir%\msnmsgr.exe
By creating these entries, TellSky.A ensures that it is run whenever Windows is started.
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window Title = @Annew Forever Love@
TellSky.A changes the Internet Explorer window title.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind = 01, 00, 00, 00
By creating this entry, TellSky.A deletes the Search button from Windows Explorer.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions = 01, 00, 00, 00
By creating this entry, TellSky.A disables the Folder Options function in Windows Explorer.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoLogoff = 01, 00, 00, 00
TellSky.A deletes the Log off button from Windows.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Norun = 01, 00, 00, 00
TellSky.A deletes the Run button from Windows.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD = 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System
DisableCMD = 01, 00, 00, 00
By creating these entries, TellSky.A disables the Command shell (CMD) of Windows.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools = 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System
DisableRegistryTools = 01, 00, 00, 00
By creating these entries, TellSky.A disables the Windows Registry Editor.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr = 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System
DisableTaskMgr = 01, 00, 00, 00
TellSky.A disables the Task Manager.
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig = 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableSR = 01, 00, 00, 00
By creating these entries, TellSky.A disables the System Restore option.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoSetFolders = 01, 00, 00, 00
TellSky.A modifies the following entries in the Windows Registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = Explorer.exe
It changes this entry to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = Explorer.exe %windir%\msdos.pif
where %windir% is the Windows directory.
By modifying this entry, TellSky.A ensures that it is run whenever Windows is started.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden = 01, 00, 00, 00
It changes this entry to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden = 00, 00, 00, 00
This way, TellSky.A hides the system files.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt = 00, 00, 00, 00
It changes this entry to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt = 01, 00, 00, 00
By modifying this entry, TellSky.A hides the extension of the copies of itself.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden = 01, 00, 00, 00
It changes this entry to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden = 00, 00, 00, 00
It hides the files protected by the operating system.
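The registry entries listed in this section can be checked offline against an exported hive. The following is an added example, not part of the original write-up: it assumes the input is the text of a `reg export` file already decoded to a string, and the function names and the sample export are hypothetical.

```python
import re

SECTION = re.compile(r'^\[(.+)\]$')
VALUE = re.compile(r'^"([^"]+)"=(.*)$')
# Value names and key suffixes from the registry entries listed in this write-up.
POLICY_NAMES = set("nofind nofolderoptions nologoff norun nosetfolders disablecmd "
                   "disableregistrytools disabletaskmgr disableconfig disablesr".split())
POLICY_KEYS = (r"\policies\explorer", r"\policies\system", r"\currentversion\system", r"\systemrestore")

def parse_data(raw):  # decodes dword:, single-line hex: (little-endian), quoted strings
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex:"):
        return int.from_bytes(bytes.fromhex(raw[4:].rstrip("\\").replace(",", "")), "little")
    return raw.strip('"').replace("\\\\", "\\")

def parse_reg(text):  # yields (key, value name, data) for every named value
    key = None
    for line in map(str.strip, text.splitlines()):
        if m := SECTION.match(line):
            key = m.group(1)
        elif key and (m := VALUE.match(line)):
            yield key, m.group(1), parse_data(m.group(2))

def find_indicators(text):
    """Return (key, value name, reason) for each entry matching the write-up."""
    hits = []
    for key, name, data in parse_reg(text):
        k, n, s = key.lower(), name.lower(), str(data).lower()
        if k.endswith(r"\currentversion\run") and n == "msnmsgr" and s.endswith(r"\msnmsgr.exe"):
            hits.append((key, name, "autostart entry for the worm copy"))
        elif k.endswith(r"\winlogon") and n == "shell" and "msdos.pif" in s:
            hits.append((key, name, "Winlogon shell launches msdos.pif"))
        elif k.endswith(r"\internet explorer\main") and n == "window title" and "annew forever love" in s:
            hits.append((key, name, "Internet Explorer title changed"))
        elif n in POLICY_NAMES and data == 1 and k.endswith(POLICY_KEYS):
            hits.append((key, name, "system tool or feature disabled"))
    return hits

# Constructed sample export, not taken from a real infected host.
SAMPLE = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\\WINDOWS\\system32\\msnmsgr.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\msdos.pif"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=hex:01,00,00,00
"DisableRegistryTools"=dword:00000001'''
if __name__ == "__main__": print(*find_indicators(SAMPLE), sep="\n")
```

The Explorer\Advanced values are left out of the check on purpose: HideFileExt = 1 and ShowSuperHidden = 0 are also the Windows defaults, so they would match clean machines.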
Means of transmission
TellSky.A spreads by copying itself to the root directory of the mapped drives under any of the following names:
ANNEW.EXE
AVAST.EXE
BOOKS.EXE
DATA.EXE
DESKTOP.EXE
DOCUMENTS AND SETTINGS.EXE
DOWNLOAD.EXE
DOWNLOADS.EXE
FONTS.EXE
GAME.EXE
GIRL.EXE
MCAFEE.EXE
MICROSOFT.EXE
MY DOCUMENTS.EXE
MY PICTURES.EXE
NEW FOLDER.EXE
PANDA.EXE
PHOTOSHOP.EXE
PROGRAM FILES.EXE
SAVE.EXE
SEX.EXE
SHOW TIME.EXE
SHOW.EXE
SONGS.EXE
SYMANTEC.EXE
WINDOW.EXE
WINDOWS.EXE
The file AUTORUN.INF, mentioned in the Infection strategy section, is intended to run TellSky.A each time users access any of the system drives.
However, due to an error generating this file, this action does not work.
Further Details
TellSky.A is written in the programming language Delphi. This worm is 229,888 bytes in size.