How to Detect and Remove I-Worm.Tanatos.A/B Safely
What I-Worm.Tanatos.A/B is
I-Worm.Tanatos.A and I-Worm.Tanatos.B are variants of a Windows-targeting worm that spreads over networks and removable drives, may create persistence, modify system settings, and can drop additional malware. Treat infections seriously and act promptly.
Warning and preparatory steps
- Disconnect from networks: Unplug Ethernet and disable Wi‑Fi to prevent further spread.
- Work from a clean device: Use an uninfected computer or printed instructions for research.
- Back up important files safely: Copy critical personal files (documents, photos) to external media; do not back up executable files. Scan backups later before restoring.
- Have recovery tools ready: Prepare a reputable offline antivirus rescue USB, built-in Windows recovery tools, and a second clean computer for downloads.
Detection: signs of infection
- Unexplained network activity or slow network speeds.
- Unknown processes running, high CPU or disk usage.
- New or changed startup entries, scheduled tasks, or services.
- Strange files on removable drives or unexpected autorun files.
- Browser redirects, disabled security software, or missing files.
How to confirm infection
- Boot into Safe Mode with Networking (Windows): restart → hold Shift and select Restart → Troubleshoot → Advanced options → Startup Settings → Restart → choose Safe Mode with Networking.
- Run a full scan with an up‑to‑date antivirus or anti‑malware scanner (use a reputable vendor).
- Use a second on‑demand scanner (e.g., Malwarebytes) for a second opinion.
- Check for known indicators:
  - Suspicious processes in Task Manager (unfamiliar names, high resource use).
  - Startup entries: msconfig or Task Manager → Startup.
  - Scheduled tasks: Task Scheduler library for unknown tasks.
  - Autorun.inf files on removable drives.
- Upload suspicious files to a malware-scanning service (if safe and allowed) for analysis.
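The indicator checks above can be gathered in one pass. The following PowerShell script is an added example, not part of the original article and not a vendor tool: it is read-only, walks the registry Run/RunOnce keys, non-Microsoft scheduled tasks, service binaries and any autorun.inf on removable drives, and flags entries whose executable is missing, lacks a valid Authenticode signature, or lives in a user-writable folder. The "suspicious" heuristics (signature status plus path location) are the author's assumptions; an unsigned entry is a lead to investigate, not proof of infection. Run it from an elevated prompt after booting into Safe Mode with Networking.

```powershell
# Added example (not from the original article): read-only triage of the persistence
# locations the checklist names. It changes nothing; review the output before acting.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties that Get-ItemProperty adds itself; they are not Run values
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Pull the executable out of a command line such as "C:\x\y.exe" /arg or C:\x\y.exe /arg
function Get-ExePath([string]$CommandLine) {
    if (-not $CommandLine) { return '' }
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $CommandLine.Trim()
}

# Heuristic (assumption, not a detection signature): report why a binary deserves a look.
# Returns an empty string when nothing stands out.
function Test-Suspicious([string]$Path) {
    if (-not $Path) { return '' }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $expanded)) { return 'missing file' }
    $reasons = @()
    $sig = Get-AuthenticodeSignature -FilePath $expanded
    if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    if ($expanded -match '\\(AppData|Temp|ProgramData|Users\\Public)\\') { $reasons += 'user-writable location' }
    return ($reasons -join '; ')
}

Write-Host '== Registry Run / RunOnce values =='
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($psMeta -contains $p.Name) { continue }
        $why = Test-Suspicious (Get-ExePath ([string]$p.Value))
        if ($why) { Write-Host "$key\$($p.Name) -> $($p.Value)  [$why]" }
    }
}

Write-Host '== Scheduled tasks not authored by Microsoft =='
Get-ScheduledTask | Where-Object { $_.Author -notlike 'Microsoft*' } | ForEach-Object {
    foreach ($a in $_.Actions) {
        if (-not $a.Execute) { continue }     # skip COM-handler and e-mail actions
        $why = Test-Suspicious (Get-ExePath $a.Execute)
        if ($why) { Write-Host "$($_.TaskPath)$($_.TaskName) -> $($a.Execute)  [$why]" }
    }
}

Write-Host '== Services =='
Get-CimInstance Win32_Service | ForEach-Object {
    $why = Test-Suspicious (Get-ExePath ([string]$_.PathName))
    if ($why) { Write-Host "$($_.Name) ($($_.State)) -> $($_.PathName)  [$why]" }
}

Write-Host '== autorun.inf on removable drives =='
# DriveType 2 is "Removable Disk" in Win32_LogicalDisk
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $inf = Join-Path $_.DeviceID 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        Write-Host "$inf present; contents:"
        Get-Content -LiteralPath $inf | ForEach-Object { Write-Host "    $_" }
    }
}
```

Every line it prints names the exact registry value, task or service to cross-check against the antivirus results; nothing is deleted. Unsigned third-party software will also show up, so compare each hit with what you know is installed before treating it as the worm.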
Removal: step-by-step
- Remain offline (keep network disabled).
- Boot into Safe Mode (see above).
- Kill malicious processes in Task Manager (note executable names and paths).
- Remove persistence:
  - Delete unknown startup entries (Task Manager → Startup or msconfig).
  - Remove suspicious scheduled tasks in Task Scheduler.
  - Search and delete related services (sc query) and registry Run entries (regedit → HKLM\Software\Microsoft\Windows\CurrentVersion\Run and HKCU…\Run). Export registry keys before editing.
- Delete malicious files:
  - Search common locations (C:\Users\<username>\AppData\Local\, C:\Windows\Temp\, C:\ProgramData) for newly created or suspicious executables and delete them.
  - Remove autorun.inf and unknown files from removable drives.
- Run full system scans with two reputable tools (one real‑time AV + one on‑demand scanner). Quarantine or remove detections.
- Use an offline rescue disk if the worm resists removal (create rescue USB from vendor on a clean PC, boot from it, and run a full scan).
- Clear temporary files and reset network settings:
  - Run Disk Cleanup and delete temp folders.
  - Reset Winsock and TCP/IP: open Command Prompt (admin) and run:
    netsh winsock reset
    netsh int ip reset
    ipconfig /flushdns
- Reboot normally and run another full scan.
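The "kill the process, export the key, remove the Run entry, delete the file" sequence from the removal steps above, written as one PowerShell function. This is an added example, not code from the original article; the value name `SuspiciousName` in the usage lines is a placeholder for whatever your own triage identified, and the backup folder on the Desktop is an arbitrary choice. It supports `-WhatIf`, so the first run only reports what it would do, and it refuses to delete a binary that carries a valid Authenticode signature, because a worm commonly hides behind a legitimate-looking name while the real system file stays signed.

```powershell
# Added example (not from the original article): remove a single Run value the way the
# checklist prescribes, exporting the key with reg.exe first. Run from an elevated prompt.
function Remove-RunEntry {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ValueName,                     # Run value identified during triage
        [ValidateSet('HKLM', 'HKCU')][string]$Hive = 'HKCU',
        [string]$BackupDir = (Join-Path $env:USERPROFILE 'Desktop\reg-backup')   # arbitrary location
    )
    $subKey  = 'Software\Microsoft\Windows\CurrentVersion\Run'
    $psPath  = "${Hive}:\$subKey"      # provider path for the PowerShell cmdlets
    $regPath = "$Hive\$subKey"         # native path for reg.exe

    $entry = Get-ItemProperty -Path $psPath -Name $ValueName -ErrorAction SilentlyContinue
    if (-not $entry) { Write-Warning "No value '$ValueName' under $regPath"; return }
    $command = [string]$entry.$ValueName
    Write-Host "Found $regPath\$ValueName = $command"

    # 1. Export the whole key before touching it, and abort if the export fails
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $backup = Join-Path $BackupDir ("Run-{0}-{1}.reg" -f $Hive, (Get-Date -Format 'yyyyMMdd-HHmmss'))
    & reg.exe export $regPath $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export of $regPath failed; no changes made" }
    Write-Host "Exported $regPath to $backup"

    # 2. Resolve the executable the entry launches (quoted path, bare path, or whole string)
    $exe = if ($command -match '^\s*"([^"]+)"') { $Matches[1] }
           elseif ($command -match '^\s*(\S+\.exe)') { $Matches[1] }
           else { $command.Trim() }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)

    # 3. Stop any running process whose image is that file (note name and PID, as the checklist says)
    Get-Process | Where-Object { $_.Path -and ($_.Path -ieq $exe) } | ForEach-Object {
        if ($PSCmdlet.ShouldProcess("$($_.Name) (PID $($_.Id))", 'Stop process')) {
            Stop-Process -Id $_.Id -Force
        }
    }

    # 4. Remove the persistence value
    if ($PSCmdlet.ShouldProcess("$regPath\$ValueName", 'Remove registry value')) {
        Remove-ItemProperty -Path $psPath -Name $ValueName
    }

    # 5. Delete the dropped file, unless it is validly signed (then it is probably a real program)
    if (Test-Path -LiteralPath $exe) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -eq 'Valid') {
            Write-Warning "$exe has a valid signature from '$($sig.SignerCertificate.Subject)'; left in place"
        }
        elseif ($PSCmdlet.ShouldProcess($exe, 'Delete file')) {
            Remove-Item -LiteralPath $exe -Force
        }
    }
}

# Dry run: lists every action without performing it
# Remove-RunEntry -ValueName 'SuspiciousName' -Hive HKCU -WhatIf
# Real run, once the dry run shows only what you expect
# Remove-RunEntry -ValueName 'SuspiciousName' -Hive HKCU
```

The exported .reg file can be double-clicked to restore the key if a legitimate entry was removed by mistake. Scheduled tasks and services are handled the same way in principle (Unregister-ScheduledTask and sc delete) after exporting or noting their definitions, but keep each removal to one named item so a mistake stays small.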
Post‑removal recovery
- Change passwords from a clean device (especially online accounts).
- Restore backed-up personal files only after scanning them with updated antivirus.
- Enable system protection and create a fresh system restore point.
- Reconnect networks after confirming infection is removed.
If removal fails or for complex infections
- Consider professional help or reinstalling Windows (backup data first). For reinstall: perform a clean install, format system drive, then reinstall apps from trusted sources.
Prevention tips
- Keep Windows and applications up to date.
- Use reputable antivirus with real‑time protection and keep signatures updated.
- Disable autorun for removable media.
- Avoid running unknown attachments and do not execute files from untrusted drives.
- Use least‑privilege
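Disabling AutoRun for removable media, from the prevention list above, comes down to two Explorer policy values. The snippet below is an added example (not from the original article) that sets them for the machine and the current user and then reads them back to verify; the values NoDriveTypeAutoRun = 0xFF and NoAutorun = 1 are the documented Windows settings for "no AutoRun on any drive type" and "never execute autorun.inf commands". Run it elevated; the setting takes effect after signing out or restarting Explorer.

```powershell
# Added example (not from the original article): enforce and verify the AutoRun lockdown
# through the Explorer policy keys. Requires an elevated prompt for the HKLM half.
$policyKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$settings = @{
    NoDriveTypeAutoRun = 0xFF   # bitmask: every drive type (removable, fixed, network, CD, RAM)
    NoAutorun          = 1      # "Default behavior for AutoRun" = do not execute any autorun commands
}

foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in $settings.Keys) {
        # -Force overwrites an existing value of any type with the DWORD we want
        New-ItemProperty -Path $key -Name $name -Value $settings[$name] -PropertyType DWord -Force | Out-Null
    }
}

# Read back and report; a MISMATCH means the write did not take (usually a permissions problem)
$allOk = $true
foreach ($key in $policyKeys) {
    $current = Get-ItemProperty -Path $key
    foreach ($name in $settings.Keys) {
        $ok = ($current.$name -eq $settings[$name])
        if (-not $ok) { $allOk = $false }
        Write-Host ('{0}\{1} = {2}  {3}' -f $key, $name, $current.$name, $(if ($ok) { 'OK' } else { 'MISMATCH' }))
    }
}
if (-not $allOk) { Write-Warning 'AutoRun is not fully disabled; re-run from an elevated prompt' }
```

These are the same values Group Policy writes for "Turn off AutoPlay" and "Set the default behavior for AutoRun", so on a domain-joined machine a conflicting GPO will simply reassert whichever setting it carries at the next refresh.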