
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Twittworm.A

Threat Level: Low threat
Damage: High
Distribution: Not widespread

Effects 

Twittworm.A carries out the following actions:

  • When it is run, it connects to the following websites from which it downloads a copy of itself:
    http://img049.dlimak.info:89/img049/3741/%random-name%.zip
    http://1.img-myce.info/net/%random-name%.zip
  • It prevents users from accessing websites related to computer security companies and search engines.
  • It disables the following options:
    - Starting the computer in Safe Mode. Malware that runs in normal mode usually does not run in Safe Mode.
    - System restore utility, which is used to undo changes in the system and recover previously created restore points.
  • It hides the files and folders with hidden attributes, in order to make its detection more difficult.

Infection strategy 

Twittworm.A creates the file in the Windows system directory. This file is a copy of the worm.

Additionally, it creates an AUTORUN.INF file on removable drives, so that the copy of the worm runs automatically whenever one of them is accessed.

Twittworm.A also modifies the HOSTS file so that the user cannot access certain websites, most of them related to computer security companies and search engines.

 

Twittworm.A creates the following entries in the Windows Registry, in order to be automatically run whenever Windows is started:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe
    Debugger = wmitcod.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe = ctfmon.exe

 

Twittworm.A modifies the following Windows Registry entry, in order to prevent the system from being restored:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
    DisableConfig = 00, 00, 00, 00

    It changes this entry to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
    DisableConfig = 01, 00, 00, 00

Twittworm.A modifies the following Windows Registry entries, in order to disable the notifications displayed by the Windows antivirus and firewall:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    AntiVirusDisableNotify = 00, 00, 00, 00

    It changes this entry to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    AntiVirusDisableNotify = 01, 00, 00, 00
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    FirewallDisableNotify = 00, 00, 00, 00

    It changes this entry to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    FirewallDisableNotify = 01, 00, 00, 00
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    FirewallOverride = 00, 00, 00, 00

    It changes this entry to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    FirewallOverride = 01, 00, 00, 00

Additionally, it modifies the following entries from the Windows Registry, in order to make its detection more difficult:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden = 01, 00, 00, 00

    It changes this entry to:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden = 02, 00, 00, 00

    It hides the files and folders with hidden attributes.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
    CheckedValue = 00, 00, 00, 00

    It changes this entry to:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
    CheckedValue = 01, 00, 00, 00

    It hides the hidden system files.

 

Twittworm.A also deletes all the Windows Registry entries related to starting the computer in Safe Mode, in order to make its removal more difficult.
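The registry changes listed in this section can be checked offline against a `.reg` export taken from a suspect host. The Python code below is an added example, not Panda's own tooling; the function names and the sample export are constructed here, and the indicator values are the ones given above.

```python
import re

SC = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
ADV = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
# (key, value, infected data) from the write-up; "01, 00, 00, 00" is the DWORD 1.
INDICATORS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe", "Debugger", "wmitcod.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe", "ctfmon.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore", "DisableConfig", 1),
    *[(SC, n, 1) for n in ("AntiVirusDisableNotify", "FirewallDisableNotify", "FirewallOverride")],
    (ADV, "Hidden", 2),
    (ADV + r"\Folder\SuperHidden", "CheckedValue", 1),
]

# Constructed sample export for the demo (not taken from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe]
"Debugger"="wmitcod.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=hex:00,00,00,00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
'''

def decode(raw):
    """Turn .reg value data into an int (dword:/hex:) or a lower-cased string."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex:"):  # byte list, little-endian as printed on the page
        return int.from_bytes(bytes.fromhex(raw[4:].replace(",", "")), "little")
    return raw.strip('"').replace("\\\\", "\\").lower()

def parse_reg(text):
    """Parse .reg export text into {(key, value name): data}, names lower-cased."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key is not None and m:
            values[(key, m.group(1).lower())] = decode(m.group(2))
    return values

def find_indicators(reg_text):
    """Return the (key, value name) pairs whose data matches the infected state."""
    values = parse_reg(reg_text)
    return [(k, n) for k, n, bad in INDICATORS if values.get((k.lower(), n.lower())) == bad]
```

Exports written by `regedit` are UTF-16 encoded, so read the file with `encoding="utf-16"` before passing its text to `find_indicators`; values that span continuation lines are not handled.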

Means of transmission 

Twittworm.A uses the following means to spread:

1.- Social networks and instant messaging programs

It uses social networks like Twitter, and instant messaging programs like MSN Messenger to infect users. In order to do so, it sends messages which contain a link or an attached file belonging to the worm.

The following are some examples:

  • Can you believe I'm going here over summer break? Just look at the pic.
  • Check this out! This pic is really creepy, but I can't stop staring.
  • Do you think I should get my eyebrow pierced? Here is what it will look like.
  • Do you think it would be ok if I edited you into this picture with me?
  • Does this picture remind you of anyone? I bet it will when you see it. :P
  • Ha-Ha this photo is soo hilarious. You've got to see it IMMEDIATELY!
  • Ha-Ha this pic is soo funny. Take a look if you dare.
  • Have you seen the pic I'm thinking about setting as my default? Does it look good?
  • I just found the best picture of us from I've ever seen. Check it out right away!
  • I just got a piercing and you'll never guess where! Take a look at the photo. ;)
  • I just got my hair cut. Do you think it looks good?
  • Should this photo be my default? Or do I look bad in it?
  • Someone tagged you in this pic. You need to see it right away.
  • Tell me what you think of this pic as soon as you get the chance.
  • Tell me what you think of this pic. You are going to laugh so hard.
  • This is the sexiest photo I've ever seen! You need to take a look at it.
  • This would be a PERFECT background for your computer, here it is.
  • We got some bunnies, they are soo CUTE!!! Look at the photo!
  • You’re going to be mad at me for sending you this photo, but you NEED to see it :3

 

2.- Removable drives

It spreads through removable drives by making copies of itself on them. Additionally, it creates an AUTORUN.INF file on these drives, so that the copy of the worm runs automatically when they are accessed.

Further Details  

Twittworm.A is 221,184 bytes in size.
