When W32.Tulu is executed, it attempts to copy itself as
%windir% is C:\Windows or C:\Winnt
%system% is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Virus add the value:
to the registry key
so that the worm runs each time that you start Windows.
Also creates the registry key
This key is used by the macro component of the virus.
The virus next attempts to locate the Microsoft Word global template, Normal.dot.
If the virus finds the file, it infects the file with a macro virus. The only purpose of the macro virus is to execute the W32.Tulu virus.
The virus now stays memory resident. Every few minutes, it attempts to copy itself to drive A.
How to delete this virus:
1. Run a full system scan whit your antivirus tools.
If any files are detected as infected with W32.Tulu, click Delete.
For example, Symantec antivirus products detect this macro component as W97M.Tulu.
If any files are detected as infected with W97M.Tulu, click Repair.
2. Delete the value "shell" from the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run