Effects
Twittworm.A carries out the following actions:
- When it is run, it connects to the following websites, from which it downloads a copy of itself:
http://img049.dlima<blocked>k.info:89/img049/3741/%random-name%.zip
http://1.img-my<blocked>ce.info/net/%random-name%.zip
- It prevents users from accessing websites related to computer security companies and search engines.
- It disables the following options:
- Starting the computer in Safe Mode. Malware that runs in normal mode is usually not run in this mode.
- System Restore, the utility used to undo changes to the system and return to previously created restore points.
- It hides files and folders that have the hidden attribute, in order to make its detection more difficult.
Infection strategy
Twittworm.A creates the file in the Windows system directory. This file is a copy of the worm.
Additionally, it creates an AUTORUN.INF file on removable drives, so that the copy of the worm is run automatically whenever one of them is accessed.
Twittworm.A also modifies the HOSTS file so that the user cannot access certain websites, most of them belonging to computer security companies and search engines.
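The HOSTS file hijack described above is easy to confirm from the host itself. The script below is an added example (not part of the original advisory) that parses the HOSTS file and reports any entry that maps a security-vendor or search-engine name to an address, which is exactly what a clean machine should never have; the list of vendor name fragments is an assumption and should be extended to match your environment.

```powershell
# Added example (not part of the original advisory): audit the HOSTS file for
# redirections of security-vendor and search-engine hostnames. Read-only.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Hostname fragments that HOSTS-hijacking malware typically blocks (assumed list; extend as needed).
$watchlist = @('pandasecurity', 'symantec', 'mcafee', 'kaspersky', 'trendmicro',
               'microsoft', 'windowsupdate', 'google', 'bing', 'yahoo')

function Get-HostsEntries {
    # Yield one object per (address, hostname) pair, ignoring comments and blank lines.
    param([string]$Path = $hostsPath)
    Get-Content -LiteralPath $Path -Force -ErrorAction Stop | ForEach-Object {
        $line = ($_ -split '#')[0].Trim()
        if ($line -eq '') { return }
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2) { return }
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            [pscustomobject]@{ Address = $parts[0]; Hostname = $name.ToLower() }
        }
    }
}

function Find-SuspiciousHostsEntries {
    # A default HOSTS file maps only 'localhost'; anything on the watchlist is a hijack symptom.
    param([string]$Path = $hostsPath)
    Get-HostsEntries -Path $Path | Where-Object {
        $entry = $_
        $isLocalhost = ($entry.Hostname -eq 'localhost') -and ($entry.Address -in @('127.0.0.1', '::1'))
        (-not $isLocalhost) -and ($watchlist | Where-Object { $entry.Hostname -like "*$_*" })
    }
}

$hits = @(Find-SuspiciousHostsEntries)
if ($hits.Count -gt 0) {
    Write-Warning "HOSTS file redirects $($hits.Count) security/search hostname(s):"
    $hits | Format-Table -AutoSize
    # The worm may also have changed the file's attributes or ACL; inspect before restoring it.
    Get-Item -LiteralPath $hostsPath -Force | Select-Object Attributes, LastWriteTime | Format-List
} else {
    Write-Output 'No suspicious HOSTS entries found.'
}
```

Restoring the file means removing the injected lines (a default Windows HOSTS file contains only comments and the localhost mappings); because the worm also blocks update and vendor sites, do this before attempting to update the antivirus.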
Twittworm.A creates the following entries in the Windows Registry, in order to be run automatically whenever Windows is started:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe
Debugger = wmitcod.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe = ctfmon.exe
Twittworm.A modifies the following Windows Registry entry, in order to prevent the system from being restored:
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig = 00, 00, 00, 00
It changes this entry to:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig = 01, 00, 00, 00
Twittworm.A modifies the following Windows Registry entries, in order to disable the notifications displayed by the Windows antivirus and firewall:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify = 00, 00, 00, 00
It changes this entry to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify = 01, 00, 00, 00
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify = 00, 00, 00, 00
It changes this entry to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify = 01, 00, 00, 00
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
FirewallOverride = 00, 00, 00, 00
It changes this entry to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
FirewallOverride = 01, 00, 00, 00
Additionally, it modifies the following Windows Registry entries, in order to make its detection more difficult:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden = 01, 00, 00, 00
It changes this entry to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden = 02, 00, 00, 00
This hides files and folders that have the hidden attribute.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
CheckedValue = 00, 00, 00, 00
It changes this entry to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
CheckedValue = 01, 00, 00, 00
This hides system files that have the hidden attribute.
Twittworm.A also deletes all the Windows Registry entries related to starting the computer in Safe Mode, in order to make its removal more difficult.
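All of the registry changes listed in this section can be checked without modifying anything. The script below is an added example (not part of the original advisory) that reads each value named above and flags it when it matches what the worm sets; the Image File Execution Options check treats any Debugger registered for ctfmon.exe as suspicious, because that mechanism makes Windows start the named program in place of ctfmon.exe. The SafeBoot key paths are where Windows stores its Safe Mode configuration and are assumed here to be the entries the advisory says the worm deletes.

```powershell
# Added example (not part of the original advisory): read-only audit of the
# registry values this write-up lists. Run from an elevated prompt as the
# affected user, since the Explorer values live under HKCU.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe'
       Name = 'Debugger'; WormValue = 'wmitcod.exe'
       Note = 'IFEO debugger: Windows runs this program instead of ctfmon.exe' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
       Name = 'ctfmon.exe'; WormValue = 'ctfmon.exe'; Note = 'Run-key autostart' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
       Name = 'DisableConfig'; WormValue = 1; Note = 'System Restore configuration disabled' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'
       Name = 'AntiVirusDisableNotify'; WormValue = 1; Note = 'Antivirus notifications suppressed' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'
       Name = 'FirewallDisableNotify'; WormValue = 1; Note = 'Firewall notifications suppressed' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'
       Name = 'FirewallOverride'; WormValue = 1; Note = 'Security Center firewall override set' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Name = 'Hidden'; WormValue = 2; Note = 'Explorer set to hide hidden files' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden'
       Name = 'CheckedValue'; WormValue = 1; Note = 'Protected system files hidden' }
)

function Get-RegistryValue {
    # Return the value, or $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-TwittwormRegistry {
    foreach ($c in $checks) {
        $current = Get-RegistryValue -Path $c.Path -Name $c.Name
        # Any debugger for ctfmon.exe is suspicious whatever its name; the DWORD
        # policies are compared against the exact value the worm writes.
        if ($c.Name -eq 'Debugger') { $match = -not [string]::IsNullOrEmpty($current) } else { $match = ($null -ne $current) -and ("$current" -eq "$($c.WormValue)") }
        [pscustomobject]@{
            Suspicious = $match
            Key        = "$($c.Path)\$($c.Name)"
            Current    = $current
            WormValue  = $c.WormValue
            Note       = $c.Note
        }
    }
    # Safe Mode configuration lives under SafeBoot\Minimal and SafeBoot\Network;
    # their absence is assumed to be the deletion the advisory describes.
    foreach ($mode in 'Minimal', 'Network') {
        $path = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        $present = Test-Path -LiteralPath $path
        if ($present) { $state = 'present' } else { $state = 'missing' }
        [pscustomobject]@{
            Suspicious = -not $present
            Key        = $path
            Current    = $state
            WormValue  = 'missing'
            Note       = "SafeBoot\$mode lists the drivers and services Safe Mode loads"
        }
    }
}

Test-TwittwormRegistry | Sort-Object Suspicious -Descending |
    Format-Table Suspicious, Key, Current, WormValue, Note -AutoSize -Wrap
```

Rows marked Suspicious are the ones to restore: the Security Center and SystemRestore values back to 0, the Explorer values back to Hidden = 1 and CheckedValue = 0, and the IFEO Debugger and Run values removed once the file they point at has been quarantined. Deleted SafeBoot keys are not trivially recreated by hand; importing them from a clean installation of the same Windows version is the usual route.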
Means of transmission
Twittworm.A uses the following means to spread:
1.- Social networks and instant messaging programs
It uses social networks such as Twitter and instant messaging programs such as MSN Messenger to infect users. To do so, it sends messages that contain a link to the worm or carry it as an attached file.
The following are some examples:
- Can you believe I'm going here over summer break? Just look at the pic.
- Check this out! This pic is really creepy, but I can't stop staring.
- Do you think I should get my eyebrow pierced? Here is what it will look like.
- Do you think it would be ok if I edited you into this picture with me?
- Does this picture remind you of anyone? I bet it will when you see it. :P
- Ha-Ha this photo is soo hilarious. You've got to see it IMMEDIATELY!
- Ha-Ha this pic is soo funny. Take a look if you dare.
- Have you seen the pic I'm thinking about setting as my default? Does it look good?
- I just found the best picture of us from I've ever seen. Check it out right away!
- I just got a piercing and you'll never guess where! Take a look at the photo. ;)
- I just got my hair cut. Do you think it looks good?
- Should this photo be my default? Or do I look bad in it?
- Someone tagged you in this pic. You need to see it right away.
- Tell me what you think of this pic as soon as you get the chance.
- Tell me what you think of this pic. You are going to laugh so hard.
- This is the sexiest photo I've ever seen! You need to take a look at it.
- This would be a PERFECT background for your computer, here it is.
- We got some bunnies, they are soo CUTE!!! Look at the photo!
- You’re going to be mad at me for sending you this photo, but you NEED to see it :3
2.- Removable drives
It spreads through removable drives by making copies of itself on them. Additionally, it creates an AUTORUN.INF file on these drives, so that the copy of the worm is run automatically when they are accessed.
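The AUTORUN.INF mechanism works because an INI-style [autorun] section on the drive names a program for Windows to launch. The script below is an added example (not part of the original advisory) that enumerates removable drives, parses any AUTORUN.INF they carry, reports the file each one would launch and whether that file is hidden, and checks whether the NoDriveTypeAutoRun policy already disables AutoRun for all drive types. It is read-only; the drive letters it sees are whatever is plugged in.

```powershell
# Added example (not part of the original advisory): inspect removable drives for
# AUTORUN.INF and report the executable it points at, without running anything.
function Get-AutorunTarget {
    # Parse autorun.inf lines and return the file names the [autorun] section would execute.
    param([string[]]$Lines)
    $section = ''
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1].ToLower(); continue }
        if ($section -ne 'autorun' -or $line -notmatch '^([^=]+)=(.*)$') { continue }
        $key = $Matches[1].Trim().ToLower()
        $value = $Matches[2].Trim().Trim('"')
        # open= and shellexecute= run on insertion/double-click; shell\<verb>\command= hijacks context-menu verbs.
        if ($key -in 'open', 'shellexecute' -or $key -like 'shell\*\command') {
            [pscustomobject]@{ Key = $key; Target = ($value -split '\s+')[0] }
        }
    }
}

function Get-RemovableAutoruns {
    $drives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2'   # DriveType 2 = removable disk
    foreach ($d in $drives) {
        $inf = Join-Path $d.DeviceID 'autorun.inf'
        if (-not (Test-Path -LiteralPath $inf)) { continue }
        # -Force reads the file even when the worm has given it the hidden/system attributes.
        foreach ($t in Get-AutorunTarget -Lines (Get-Content -LiteralPath $inf -Force)) {
            $full = Join-Path $d.DeviceID $t.Target
            $exists = Test-Path -LiteralPath $full
            $hidden = $exists -and (((Get-Item -LiteralPath $full -Force).Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
            [pscustomobject]@{ Drive = $d.DeviceID; Key = $t.Key; Target = $full; Exists = $exists; Hidden = $hidden }
        }
    }
}

function Test-AutorunDisabled {
    # NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type (machine-wide policy).
    $p = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $v = (Get-ItemProperty -LiteralPath $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    return ($null -ne $v) -and (($v -band 0xFF) -eq 0xFF)
}

Get-RemovableAutoruns | Format-Table -AutoSize
if (-not (Test-AutorunDisabled)) {
    Write-Warning 'AutoRun is not fully disabled by policy (NoDriveTypeAutoRun is not 0xFF).'
}
```

A drive that reports a Target which Exists and is Hidden matches the behaviour described above: the worm's copy sits on the drive with the hidden attribute and AUTORUN.INF launches it. Setting NoDriveTypeAutoRun to 0xFF stops Windows honouring AUTORUN.INF on any drive, which blocks this spreading route regardless of the file names the worm uses.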
Further Details
Twittworm.A is 221,184 bytes in size.