F-Secure Malware Information Pages: Packed:W32/Tibs.AB
Summary
Packed.Win32.Tibs.ab has rootkit functionality and mass-mails itself. It uses peer-to-peer (P2P) networks to spread, and it shares functionality with Worm Zhelatin variants.

Detailed Description
Files that are detected as Packed.Win32.Tibs.ab have similar functionality to Email-Worm.Win32.Zhelatin variants.
On execution, the following changes are made to the system:

File System Changes

Creates these files:
- %windir%\system32\windev-[random_numbers].sys
- %windir%\system32\windev-peers.ini

Registry Modifications

Sets these values:
- HKLM\System\CurrentControlSet\Services\windev-[random_numbers]
  ImagePath = %systemdir%\windev-[random_numbers].sys

Note: %systemdir% is usually C:\Windows\system32.

Stealth Features

Hides these files:
- %windir%\system32\windev-peers.ini
- %windir%\system32\windev-[random_numbers].sys
The installed component has rootkit functionality that can hide its process from unsuspecting users. A text file is also dropped which contains a possible list of clients for the worm's peer-to-peer network. The peer names and access ports are encoded. Example of the text file:

[config]
[local]
[peers]
61CBE5C404F4C715C809A8588F42950C=9A2542751EBF00
61CBE5C4CB3D735B77590054E92865F3=9A2542BB1EBF00
8024083AF066B98A86BF0B0BF1135EF7=55198859159800
80A32744A44A3359F3F4B39D19E8E32B=53258C841C4400

Another noticeable characteristic of this malware is that it tries to connect to a large number of predefined IP addresses using UDP.
Furthermore, the files that are detected as Packed.Win32.Tibs.ab are usually downloaded as the result of clicking links from heavily spammed e-mails such as those that we detect as HTML/Postcards.N@troj.
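The following is an added example, not code from the original page or from F-Secure, showing how a responder could triage the artifacts listed above: it parses a windev-peers.ini file in the layout shown (section headers followed by 32-hex-digit = 14-hex-digit peer entries) and flags file and service names that match the windev-[random_numbers] naming. The sample INI text and the file/service lists are constructed for the example; the assumption that [random_numbers] means decimal digits, and the regular expressions built on it, are the author's of this example, not the page's.

```python
import re
from typing import Dict, List, Tuple

# Assumed naming pattern for the dropped driver and its service:
# "windev-" followed by digits, optionally with a .sys extension.
WINDEV_NAME = re.compile(r"^windev-\d+(\.sys)?$", re.IGNORECASE)

# One peer entry as shown on the page: 32 hex digits '=' 14 hex digits.
PEER_ENTRY = re.compile(r"^([0-9A-F]{32})=([0-9A-F]{14})$", re.IGNORECASE)

# Constructed sample in the layout of the windev-peers.ini excerpt above.
SAMPLE_PEERS_INI = """[config]
[local]
[peers]
61CBE5C404F4C715C809A8588F42950C=9A2542751EBF00
61CBE5C4CB3D735B77590054E92865F3=9A2542BB1EBF00
8024083AF066B98A86BF0B0BF1135EF7=55198859159800
80A32744A44A3359F3F4B39D19E8E32B=53258C841C4400
"""


def parse_peers_ini(text: str) -> Dict[str, List[str]]:
    """Split the INI-like text into sections -> list of raw tokens.

    Tokens are split on whitespace as well as newlines, so a copy where
    several entries were run together on one line still parses.
    """
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        for tok in raw.split():
            header = re.fullmatch(r"\[([^\]]+)\]", tok)
            if header:
                current = header.group(1).lower()
                sections.setdefault(current, [])
            elif current is not None:
                sections[current].append(tok)
    return sections


def extract_peer_entries(sections: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (encoded_peer, encoded_port_blob) pairs from the [peers] section."""
    entries = []
    for tok in sections.get("peers", []):
        m = PEER_ENTRY.match(tok)
        if m:
            entries.append((m.group(1).upper(), m.group(2).upper()))
    return entries


def is_windev_artifact(path: str) -> bool:
    """True if the basename looks like the dropped driver or the peers file."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    return bool(WINDEV_NAME.match(base)) or base.lower() == "windev-peers.ini"


def triage(file_paths: List[str], service_names: List[str]) -> List[Tuple[str, str]]:
    """Flag files and service names matching the artifacts described on the page."""
    findings: List[Tuple[str, str]] = []
    for p in file_paths:
        if is_windev_artifact(p):
            findings.append(("file", p))
    for s in service_names:
        if WINDEV_NAME.match(s):
            findings.append(("service", s))
    return findings


if __name__ == "__main__":
    peers = extract_peer_entries(parse_peers_ini(SAMPLE_PEERS_INI))
    print(f"{len(peers)} encoded peer entries found")
    # Constructed directory listing and service list for the demo.
    print(triage(
        [r"C:\Windows\system32\windev-4821.sys",
         r"C:\Windows\system32\windev-peers.ini",
         r"C:\Windows\system32\drivers\ntfs.sys"],
        ["Spooler", "windev-4821"],
    ))
```

Because the rootkit component hides the two files from the running system, a listing taken from the live machine may not show them; the file check is most useful against an offline image or a listing produced from outside the infected OS, while the service key under HKLM\System\CurrentControlSet\Services is often still visible from a registry hive copy.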
Detection
F-Secure Anti-Virus detects this malware with the following updates: [FSAV_Database_Version] Version = 2007-05-27_04.
F-Secure Corporation
Last Modified: July 10, 2007