|
|
|  |
|
|
|
|
F-Secure Malware Information Pages: Packed:W32/Tibs.GU
|
|
|
| Radar |
 |
|
|
|
Summary
|
| Files that are detected as Packed.Win32.Tibs.gu have similar functionality to Email-Worm.Win32.Zhelatin variants. |
|
|
|
Detailed Description
|
Upon execution, the following are the changes made to the system:
File System Changes
It creates the following files:
- %windir%\disnisa.exe
- %windir%\disnisa.config
Registry Modifications
It sets the values below:
- HKLU\Software\Microsoft\Windows\CurrentVersion\Run
disnisa = C:\WINDOWS\disnisa.exe - HKLM\System\CurrentControlSet\Services\W32Time\Parameters
NtpServer = time.windows.com,time.nist.gov - HKLM\System\CurrentControlSet\Services\W32Time\Parameters
Type = NTP - HKLM\Software\Microsoft\Tracing\FWCFG
EnableFileTracing = 00000000 - HKLM\Software\Microsoft\Tracing\FWCFG
EnableConsoleTracing = 00000000 - HKLM\Software\Microsoft\Tracing\FWCFG
FileTracingMask = FFFF0000 - HKLM\Software\Microsoft\Tracing\FWCFG
ConsoleTracingMask = FFFF0000 - HKLM\Software\Microsoft\Tracing\FWCFG
MaxFileSize = 00100000 - HKLM\Software\Microsoft\Tracing\FWCFG
FileDirectory = %windir%\tracing - HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
C:\WINDOWS\disnisa.exe = C:\WINDOWS\disinia.exe:*:Enabled:enable
A text file, disnisa.config, is dropped which contains a possible lists of clients for the worm's peer-to-peer network. The details for the peer names and access ports are encoded.
Another noticeable characteristic for this malware is that it tries to connect to a good number of predefined IP addresses using User Datagram Protocol (UDP).
Furthermore, the files that are detected as Packed.Win32.Tibs.gu are usually downloaded as the result of clicking links from heavily spammed e-mails and websites. |
|
|
|
F-Secure Corporation |
|
|
|
|
|
Last Modified: December 26, 2007
|
|
|
|
|
