Additional Details
Tibs.VX executes netsh.exe, a Windows command-line utility, to allow the malware to bypass the Windows Firewall.
It sends the following system information to http://pluscount.net:
- Platform
- Service Pack and Version
Files Created
- %windir%\system32\winds32.exe
- %windir%\system32\dflgh8jkd2q1.exe
- %windir%\system32\dflgh8jkd2q2.exe
- %windir%\system32\dflgh8jkd2q5.exe
- %windir%\system32\dflgh8jkd2q6.exe
- %windir%\system32\dflgh8jkd2q7.exe
- %windir%\system32\dflgh8jkd2q8.exe
- %windir%\system32\vx.tll
The downloaded files are detected as Trojan:W32/Tibs.NO, Trojan:W32/Tibs.NS, Trojan:W32/Tibs.NQ, Trojan:W32/Tibs.NR, Trojan:W32/Tibs.NP.
The file called winds32.exe is a copy of the original sample. The file called vx.tll is a 1-byte file.
Temporary placeholders for the downloaded files:
- %temp%\1.dflb
- %temp%\2.dflb
- %temp%\3.dflb
- %temp%\4.dflb
- %temp%\5.dflb
- %temp%\6.dflb
- %temp%\7.dflb
Network
Tibs.VX attempts to download files from:
- http://pluscount.net/[...]/search.jpg
- http://pluscount.net/[...]/winlogon.jpg
- http://pluscount.net/[...]/tibs.jpg
- http://pluscount.net/[...]/null.jpg
- http://pluscount.net/[...]/tool.jpg
- http://pluscount.net/[...]/proxy.jpg
These URLs serve valid JPEG files with the malware code appended to them. The appended code is obfuscated with an XOR operation.
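The following Python snippet is an added example for triage, not code from this description or from the malware: it walks the JPEG marker structure to find where the image really ends (the EOI marker at the end of the entropy-coded scan data) and reports any bytes appended after it, which is the pattern described above. The sample bytes are constructed here to exercise the parser; they are not taken from the downloaded files, and no XOR key is assumed because the description does not give one.

```python
import struct

# JPEG marker codes (second byte after 0xFF)
SOI = 0xD8   # start of image
EOI = 0xD9   # end of image
SOS = 0xDA   # start of scan; entropy-coded data follows the segment
RST_RANGE = range(0xD0, 0xD8)          # RSTn restart markers (no length field)
STANDALONE = {0x01, *RST_RANGE}        # TEM and RSTn carry no length field


def _skip_scan(data: bytes, pos: int) -> int:
    """Advance past entropy-coded data to the next real marker.

    Inside scan data a 0xFF byte is always followed by 0x00 (stuffing) or by
    an RSTn marker; anything else is the marker that ends the scan.
    """
    while pos + 1 < len(data):
        if data[pos] == 0xFF and data[pos + 1] not in (0x00, 0xFF) \
                and data[pos + 1] not in RST_RANGE:
            return pos
        pos += 1
    raise ValueError("EOI not found; file is truncated")


def jpeg_end_offset(data: bytes) -> int:
    """Return the offset just past the EOI marker of the first JPEG in data.

    Raises ValueError if the marker structure is not well formed.
    """
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("missing SOI marker")
    pos = 2
    while True:
        if pos + 2 > len(data) or data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:   # 0xFF fill bytes are legal
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated marker")
        marker = data[pos]
        pos += 1
        if marker == EOI:
            return pos
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment length")
        seg_len = struct.unpack(">H", data[pos:pos + 2])[0]  # length includes itself
        if seg_len < 2:
            raise ValueError("invalid segment length")
        pos += seg_len
        if marker == SOS:
            pos = _skip_scan(data, pos)


def scan_for_appended_data(data: bytes) -> dict:
    """Report how many bytes follow the image; non-zero is the indicator to triage."""
    end = jpeg_end_offset(data)
    trailer = data[end:]
    return {
        "image_end": end,
        "trailer_size": len(trailer),
        "trailer_preview": trailer[:8].hex(),
    }


# Constructed minimal JPEG-shaped file: SOI, one APP0 segment, one SOS segment,
# scan data containing a stuffed 0xFF and an RST0 marker, then EOI.
SAMPLE_CLEAN = (
    b"\xff\xd8"
    + b"\xff\xe0" + struct.pack(">H", 2 + 5) + b"JFIF\x00"
    + b"\xff\xda" + struct.pack(">H", 2 + 1) + b"\x01"
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    + b"\xff\xd9"
)
# Constructed opaque trailer; it deliberately contains a stray FF D9 so that a
# naive "find the last EOI" search would misjudge where the image ends.
TRAILER = b"\x8f\x13\xff\xd9\x44\x7a\x02\x9c\xe1\x55"
SAMPLE_WITH_TRAILER = SAMPLE_CLEAN + TRAILER

if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_CLEAN), ("with trailer", SAMPLE_WITH_TRAILER)):
        print(name, scan_for_appended_data(blob))
```

Run against a file fetched for analysis, a non-zero trailer_size tells you the image carries extra data; the description above states that in this case the appended bytes are XOR-obfuscated code, so the trailer is what gets handed to a sandbox or analyst rather than the picture itself.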