Threat Description

Packed: ​W32/Tibs.GU


Category: Malware
Type: Email-Worm
Platform: W32
Aliases: Packed:​W32/Tibs.GU


Files that are detected as have similar functionality to Email-Worm.Win32.Zhelatin variants.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

Upon execution, the following are the changes made to the system:

File System Changes

It creates the following files:

  • %windir%\disnisa.exe
  • %windir%\disnisa.config
Registry Modifications

It sets the values below:

  • HKLU\Software\Microsoft\Windows\CurrentVersion\Run disnisa = C:\WINDOWS\disnisa.exe
  • HKLM\System\CurrentControlSet\Services\W32Time\Parameters NtpServer =,
  • HKLM\System\CurrentControlSet\Services\W32Time\Parameters Type = NTP
  • HKLM\Software\Microsoft\Tracing\FWCFG EnableFileTracing = 00000000
  • HKLM\Software\Microsoft\Tracing\FWCFG EnableConsoleTracing = 00000000
  • HKLM\Software\Microsoft\Tracing\FWCFG FileTracingMask = FFFF0000
  • HKLM\Software\Microsoft\Tracing\FWCFG ConsoleTracingMask = FFFF0000
  • HKLM\Software\Microsoft\Tracing\FWCFG MaxFileSize = 00100000
  • HKLM\Software\Microsoft\Tracing\FWCFG FileDirectory = %windir%\tracing
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\WINDOWS\disnisa.exe = C:\WINDOWS\disinia.exe:*:Enabled:enable

A text file, disnisa.config, is dropped which contains a possible lists of clients for the worm's peer-to-peer network. The details for the peer names and access ports are encoded.Another noticeable characteristic for this malware is that it tries to connect to a good number of predefined IP addresses using User Datagram Protocol (UDP).Furthermore, the files that are detected as are usually downloaded as the result of clicking links from heavily spammed e-mails and websites.


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More