W32/Tilebot-JY is a network worm with backdoor functionality for the Windows platform.

W32/Tilebot-JY spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: SRVSVC (MS06-040), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007). The worm may also spreads via network shares protected by weak passwords.

W32/Tilebot-JY runs continuously in the background, providing a backdoor server that allows a remote intruder to gain access and control over the computer via IRC channels.


W32/Tilebot-JY includes functionality to:

  • set up an FTP server
  • set up a proxy server
  • steal information in the Protected Storage Area
  • set or remove network shares
  • port scanning
  • packet sniffing
  • start a remote shell (RLOGIN)
  • access the internet and communicate with a remote server via HTTP
  • harvest information from clipboard
  • take part in Distributed Denial of Service (DDoS) attacks

    More information can be found at this Sophos page.