Files that are detected as Packed.Win32.Tibs.gu have similar functionality to Email-Worm.Win32.Zhelatin variants.
Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.
More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.
You may also refer to the Knowledge Base on the F-Secure Community site for more information.
Upon execution, the following are the changes made to the system:
It creates the following files:
It sets the values below:
A text file, disnisa.config, is dropped which contains a possible list of clients for the worm's peer-to-peer network. The details for the peer names and access ports are encoded.
Another noticeable characteristic of this malware is that it tries to connect to a good number of predefined IP addresses using User Datagram Protocol (UDP).
Furthermore, the files that are detected as Packed.Win32.Tibs.gu are usually downloaded as the result of clicking links from heavily spammed e-mails and websites.
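The UDP behaviour described above can be hunted for in flow logs by looking for a single internal host that contacts many distinct external peers over UDP in a short time. The following is an added example, not part of the original description: the log format, the internal range, the thresholds and every address and port in the sample are constructed assumptions.

```python
import ipaddress
from collections import Counter, defaultdict, deque

# Assumption: the site's internal range; traffic to it is not counted as a peer.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed flow records: "<epoch_seconds> <src_ip> <proto> <dst_ip> <dst_port>"
SAMPLE_FLOWS = """\
100.0 10.0.0.5 UDP 203.0.113.11 7871
101.5 10.0.0.5 UDP 203.0.113.42 11275
102.0 10.0.0.5 UDP 198.51.100.7 4000
103.2 10.0.0.5 UDP 198.51.100.99 16503
104.0 10.0.0.5 UDP 192.0.2.14 21950
105.1 10.0.0.5 UDP 192.0.2.200 9033
100.0 10.0.0.8 UDP 10.0.0.1 53
100.5 10.0.0.8 UDP 198.51.100.10 123
101.0 10.0.0.8 TCP 203.0.113.11 443
100.0 10.0.0.9 UDP 203.0.113.11 5000
250.0 10.0.0.9 UDP 203.0.113.42 5000
400.0 10.0.0.9 UDP 198.51.100.7 5000
550.0 10.0.0.9 UDP 192.0.2.14 5000
700.0 10.0.0.9 UDP 192.0.2.200 5000
"""

def udp_fanout(lines, window=60.0, min_peers=5):
    """Map each source to its peak count of distinct external UDP peers
    seen inside any `window`-second span, keeping sources >= min_peers."""
    events = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, proto, dst, _port = line.split()
        ip = ipaddress.ip_address(dst)
        if proto.upper() != "UDP" or ip.is_multicast or any(ip in n for n in INTERNAL):
            continue  # ignore TCP, multicast and internal resolvers
        events[src].append((float(ts), dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        win, seen, peak = deque(), Counter(), 0
        for ts, dst in evs:
            win.append((ts, dst))
            seen[dst] += 1
            while ts - win[0][0] > window:  # expire flows older than the window
                _, old = win.popleft()
                seen[old] -= 1
                if not seen[old]:
                    del seen[old]
            peak = max(peak, len(seen))
        if peak >= min_peers:
            flagged[src] = peak
    return flagged
```

A flagged host is a lead, not a verdict: legitimate peer-to-peer software produces the same pattern, so correlate it with an on-host check for the dropped disnisa.config file.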