Files that are detected as Packed.Win32.Tibs.gu have similar functionality to Email-Worm.Win32.Zhelatin variants.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
Upon execution, the malware makes the following changes to the system:
File System Changes
It creates the following files:
It sets the values below:
- HKLU\Software\Microsoft\Windows\CurrentVersion\Run disnisa = C:\WINDOWS\disnisa.exe
- HKLM\System\CurrentControlSet\Services\W32Time\Parameters NtpServer = time.windows.com,time.nist.gov
- HKLM\System\CurrentControlSet\Services\W32Time\Parameters Type = NTP
- HKLM\Software\Microsoft\Tracing\FWCFG EnableFileTracing = 00000000
- HKLM\Software\Microsoft\Tracing\FWCFG EnableConsoleTracing = 00000000
- HKLM\Software\Microsoft\Tracing\FWCFG FileTracingMask = FFFF0000
- HKLM\Software\Microsoft\Tracing\FWCFG ConsoleTracingMask = FFFF0000
- HKLM\Software\Microsoft\Tracing\FWCFG MaxFileSize = 00100000
- HKLM\Software\Microsoft\Tracing\FWCFG FileDirectory = %windir%\tracing
- HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\WINDOWS\disnisa.exe = C:\WINDOWS\disinia.exe:*:Enabled:enable
A text file, disnisa.config, is dropped; it contains a possible list of clients for the worm's peer-to-peer network. The peer names and access ports are encoded.
Another noticeable characteristic of this malware is that it tries to connect to a good number of predefined IP addresses using User Datagram Protocol (UDP).
Furthermore, the files that are detected as Packed.Win32.Tibs.gu are usually downloaded as the result of clicking links from heavily spammed e-mails and websites.
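
A defensive check built from the registry changes listed above, added here as an example and not part of the original description: it parses a registry export (.reg text) and reports any program that both autostarts from a Run key and holds an enabled firewall exception. The sample export is constructed, it assumes the Run key sits under HKEY_CURRENT_USER, and the function names are illustrative.

```python
import re

# Constructed sample in .reg export format (not captured from a real host).
# Assumption: the Run key is shown under HKEY_CURRENT_USER.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleApp"="C:\\Program Files\\Example\\app.exe"
"disnisa"="C:\\WINDOWS\\disnisa.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\disnisa.exe"="C:\\WINDOWS\\disinia.exe:*:Enabled:enable"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
RUN_SUFFIX = r'\software\microsoft\windows\currentversion\run'
FW_SUFFIX = r'\firewallpolicy\standardprofile\authorizedapplications\list'

def parse_reg(text):
    """Return {lowercased key path: {value name: data}} for string values."""
    unescape = lambda s: re.sub(r'\\(.)', r'\1', s)  # undo .reg escaping
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            current = keys.setdefault(m.group(1).lower(), {})
        elif (m := VAL_RE.match(line)) and current is not None:
            current[unescape(m.group(1))] = unescape(m.group(2))
    return keys

def autostart_with_firewall_exception(text):
    """List (Run value name, path) pairs whose path is also an enabled
    entry in the firewall AuthorizedApplications list."""
    run, allowed = {}, set()
    for path, values in parse_reg(text).items():
        if path.endswith(RUN_SUFFIX):
            for name, data in values.items():
                run[data.strip('"').lower()] = name
        elif path.endswith(FW_SUFFIX):
            # The value name is the program path; the data carries the state.
            allowed |= {n.lower() for n, d in values.items()
                        if ':enabled:' in d.lower()}
    return sorted((name, exe) for exe, name in run.items() if exe in allowed)

if __name__ == "__main__":
    for name, exe in autostart_with_firewall_exception(SAMPLE_REG):
        print(f"Run value {name!r} -> {exe} also has a firewall exception")
```

The correlation keys on the firewall value name rather than its data, so it still matches when the two differ, as they do in the entry listed above.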