Name :	Packed:W32/Tibs.AB
Category:	Malware
Type:	Email-Worm
Platform:	W32
Date of Discovery:	July 07, 2007

Packed.Win32.Tibs.ab has rootkit functionality and it mass mails itself. This malware uses peer to peer networks (P2P) to spread. It also has the same functionality with Worm Zhelatin variants.

Files that are detected as Packed.Win32.Tibs.ab have similar functionality to Email-Worm.Win32.Zhelatin variants.

On execution, the following are the changes made to the system:

File System Changes

Creates these files:


Registry Modifications

Sets these values:


Note: %systemdir% is usually C:\Windows\system32.

Stealth Features

Hides these files:


The installed component has rootkit functionality that can enable its process to be hidden from unsuspecting users.
A text file is also dropped which contains a possible lists of clients for the worm's peer-to-peer network. The details for the peer names and access ports are encoded. Example of the text file:


Another noticeable characteristic for this malware is that it tries to connect to a good number of predefined IP addresses using UDP.

Furthermore, the files that are detected as Packed.Win32.Tibs.ab are usually downloaded as the result of clicking links from heavily spammed e-mails such as those that we detect as HTML/Postcards.N@troj.