Win32/Tulu.A

Discussion in 'malware problems & news' started by Technodrome, Dec 24, 2002.

Thread Status:
Not open for further replies.
  1. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Virus name: Win32/Tulu.A
    Virus type: worm
    Infected objects: SYSTEM
    Distribution: Less Likely
    Detection added: 2002-12-24
    Disinfection added: 2002-12-24
    Description:
    This is a simple worm that copies itself to the floppy drive every few minutes. When executed, it will first attempt to hide itself in the process list [by using an undocumented API which is implemented only in Windows 9x - therefore, Tulu will not work on Windows NT-based operating systems such as Windows 2000 and Windows XP]. Next, for each removable drive, it will attempt to copy itself under one of the following names:

    "Notas.exe", "Trucos.exe", "Textos.exe", "Avisos.exe", "Demo.exe", "Datos.exe", "Documentos.exe", "Claves.exe", "Passwords.exe", "Juegos.exe", "Nora.exe", "Trabajos.exe", "Escuela.exe", "Reportes.exe", "Informes.exe", "Codigos.exe", "Porno.exe", "Chistes.exe", "Oficios.exe", "Ktulu.exe"...

    http://www.rav.ro/virus/showvirus.php?v=152



    Technodrome
     
  2. GlennO

    GlennO Registered Member

    Joined:
    Jul 29, 2003
    Posts:
    5
    Location:
    Ocean View, Hawaii
    Re:Tulu

    I'm not sure if what I encountered today is a variant of Win32/Tulu.A, or something new...

    My computer started to freeze up with the blue screen of death. After a number of reboots, I finally decided to replace the SD-RAM. The crashes continued. Finally, I ran the AVG Anti-Virus program by Grisoft. It found and "healed" the "Worm/Tulu.DOC."

    The freeze ups/crashes stopped immediately. I tried to find more information regarding this particular worm, but only found one single reference to it on the Internet. This posting was made by an admitted computer novice who was also using AVG.

    Next, I specifically searched the sites of Norton, McAfee, Trend Micro and AVG... None of them made any mention of Worm/Tulu.DOC. When AVG found it in my c:\program files\norton system works folder, I clicked on "more info" only to learn that none was available.

    It seems strange that a worm which seemingly locked up my computer would not be documented somewhere on the Internet, especially at the aforementioned sites. Only Symantec mentioned Win32/Tulu...

    Has anyone else caught a glimpse of this one?

    As my email is hidden from view, please contact me at:
    g3po2 at yahoo
     