Need help? Ask the community or hire an expert.
Go to Avira Answers
Alias:I-Worm.Tanger (AVP), W32.HLLW.Tang@mm (NAV), W32/Gant@MM, W32/Gant.gen@MM
Type:Worm 
Size:21, 504 Bytes (UPX) 
Origin: 
Date:00-00-0000 
Damage:Spreads by email and shared networks. 
VDF Version:6.23.00.00 
Danger:Low 
Distribution:Low 

DistributionThe worm tries to spread by email, IRC and over P2P shared networks. It collects email addresses from Windows Address Book. The email sent by the worm contains:

Subject:
Important Notice
Mp3 sites
A ScreenSaver
Email spoofer
Password Cracker
Hotmail passwords

Body:

Hello readers,
A few days ago the Microsoft Network Email System automatically deleted my email account. This happened because there is a bug in the Microsoft Network Email System that may unintentionally remove email accounts without prompting. I have included a patch with this email that will fix the bug on un-patched computers. If you need help installing this file, read attached help file.
Thanks.

Hello,
Try this new software that can download practically any .mp3 file that is found on the internet. I use this program all the time and I think it's great! Have fun!

Hello everyone,
I found a really funny ScreenSaver on the net yesterday and I think that you would find it funny like I did :) It's in the attachments. Cya!

Hello all,
Take a look at this email spoofer that I have included in the attachments. An email spoofer is a program that lets you email from anyone@anything.com! it's really fun to use for pranks :)

Hello Everyone,
I have a cool Password Cracker for you in the attachments :) this Password Cracker can crack almost any password out there! Try it for yorself!

Hello Readers,
Have you tried to crack a Hotmail password ... and failed? Try the 'Hotmail Password Cracker' program that I have included in the attachments. Happy hacking!

Attachment:
EmailFix.exe
Mp3Connect.exe
Hilarious.scr
EmailGen.exe
PswdCrack.exe
EmailHacker.exe

The worm also tries to spread over shared applications. It uses:
LimeWire
Gnucleus
Shareaza
Kazaa
Kazaa Lite
BearShare
Edonkey2000
Morpheus
Grokster
ICQ

If the worm spreads over IRC, it uses the file SCRIPT.INI of the mIRC Client.

Technical DetailsWorm/Outsider creates multiple copies in Windows directory. These are some of the names it uses:
Keymapp32.exe
Msdnssrv.exe
Msnetwrk32.exe
Msostart32.exe
Msregmc32.exe
Msscndsk.exe
Mwintype.exe
Notice.tng
PswdCrack.exe
Unicode32.scr
Hilarious.scr
Windns32.exe
Wncnet32.exe
Wnetcon32.exe


It also creates worm copies in C:\%WINDIR%\%SYSTEMDIR%, with the following names:
OMServ32.exe
Re-inst32.scr
Unitxt32.exe
Wincmndr.exe
Winlnkmgr.exe
Cmdinst32.exe Mscabdrv.exe
MsTng32.exe
Mswpdmgr.exe
Netwc32.exe

The worm also modifies the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Mstng32" = C:\%WinDIR%\%SystemDIR%\Mstng32.exe (for autostart).
And it makes the registry entry:
HKEY_LOCAL_MACHINE\Software\Zed/[rRlf]

The worm also modifies all MS-DOS batch files on the computer, so that every time a batch file is opened, the worm is activated. The following lines are inserted:
@if exist C:\%WinDIR%\%SystemDIR%\MSTng32.exe
@win C:\%WinDIR%\%SystemDIR%\MSTng32.exe

For the macro component of the worm, there is a file named MSTngmgr32.ocx in C:\%WinDIR% directory. The following registry entry refers to the macro component's activity:
HKEY_CURRENT_USER\Software\Zed/[rRlf]\W32\TaNG\Macro "Installed" = 1
Description inserted by Crony Walker on Tuesday, June 15, 2004

Back . . . .