F-Secure Malware Information Pages: Trojan-Downloader:W32/Tibs.VX

Name: Trojan-Downloader:W32/Tibs.VX
Detection Names: Trojan-Downloader.Win32.Agent.ajbg, Trojan-Downloader:W32/Tibs.VX
Aliases: TrojanDownloader:Win32/Tibs (Microsoft)
Size: 14336
Type: Trojan-Downloader
Category: Malware
Platform: W32
Date of Discovery: October 08, 2008

Summary
This malware downloads files into the system and executes them.

Details


File System Changes
Creates these files:

  • %temp%\1.dflb
  • %temp%\2.dflb
  • %temp%\3.dflb
  • %temp%\4.dflb
  • %temp%\5.dflb
  • %temp%\6.dflb
  • %temp%\7.dflb
  • %windir%\system32\dflgh8jkd2q1.exe
  • %windir%\system32\dflgh8jkd2q2.exe
  • %windir%\system32\dflgh8jkd2q5.exe
  • %windir%\system32\dflgh8jkd2q6.exe
  • %windir%\system32\dflgh8jkd2q7.exe
  • %windir%\system32\dflgh8jkd2q8.exe
  • %windir%\system32\vx.tll
  • %windir%\system32\winds32.exe



Network Connections
Attempts to download files from:

  • http://pluscount.net/[...]/search.jpg
  • http://pluscount.net/[...]/winlogon.jpg
  • http://pluscount.net/[...]/tibs.jpg
  • http://pluscount.net/[...]/null.jpg
  • http://pluscount.net/[...]/tool.jpg
  • http://pluscount.net/[...]/proxy.jpg


Registry Modifications
Sets these values:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    System32 = C:\WINDOWS\system32\winds32.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableTaskMgr = 00000001



Additional Details
Tibs.VX executes netsh.exe, the Windows command-line network configuration utility, in order to bypass the Windows Firewall.

It sends the following system information to http://pluscount.net:

  • Platform
  • Service Pack and Version

Files Created

  • %windir%\system32\winds32.exe
  • %windir%\system32\dflgh8jkd2q1.exe
  • %windir%\system32\dflgh8jkd2q2.exe
  • %windir%\system32\dflgh8jkd2q5.exe
  • %windir%\system32\dflgh8jkd2q6.exe
  • %windir%\system32\dflgh8jkd2q7.exe
  • %windir%\system32\dflgh8jkd2q8.exe
  • %windir%\system32\vx.tll

The downloaded files are detected as Trojan:W32/Tibs.NO, Trojan:W32/Tibs.NS, Trojan:W32/Tibs.NQ, Trojan:W32/Tibs.NR, Trojan:W32/Tibs.NP.

The file winds32.exe is a copy of the original sample. The file vx.tll is a 1-byte file.

Temporary placeholders for the downloaded files:

  • %temp%\1.dflb
  • %temp%\2.dflb
  • %temp%\3.dflb
  • %temp%\4.dflb
  • %temp%\5.dflb
  • %temp%\6.dflb
  • %temp%\7.dflb

Network

Tibs.VX attempts to download files from:

  • http://pluscount.net/[...]/search.jpg
  • http://pluscount.net/[...]/winlogon.jpg
  • http://pluscount.net/[...]/tibs.jpg
  • http://pluscount.net/[...]/null.jpg
  • http://pluscount.net/[...]/tool.jpg
  • http://pluscount.net/[...]/proxy.jpg

These URLs serve valid JPEG files with the malware code appended to them; the appended code is obfuscated with an XOR operation.
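Because a JPEG ends at its EOI marker (FF D9), anything past that point is foreign data, which gives a defender a simple way to triage images like the ones above. The following added example (not F-Secure's code) walks the JPEG marker structure, extracts any trailing bytes and brute-forces a single-byte XOR key that reveals an MZ header; the single-byte key and the executable payload are assumptions, since the page states neither the key length nor the payload format, and the sample image and payload are constructed.

```python
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STUFFED = {0x00, *range(0xD0, 0xD8)}  # FF00 (escaped FF) and FF D0-D7 (RSTn) inside scan data

def jpeg_end_offset(blob: bytes) -> int:
    """Walk the marker segments and return the offset just past EOI;
    raises ValueError if the blob is not a structurally valid JPEG."""
    if blob[:2] != bytes([0xFF, SOI]):
        raise ValueError("missing SOI marker")
    pos = 2
    while pos + 1 < len(blob):
        if blob[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = blob[pos + 1]
        pos += 2
        if marker == EOI:
            return pos
        if marker in (0x01, 0xFF) or 0xD0 <= marker <= 0xD7:  # TEM, fill, RSTn: no length
            pos -= 1 if marker == 0xFF else 0  # a fill FF is re-read as the next marker's prefix
            continue
        pos += int.from_bytes(blob[pos:pos + 2], "big")  # segment length includes itself
        if marker == SOS:  # skip entropy-coded data up to the next real marker
            while pos + 1 < len(blob) and (
                blob[pos] != 0xFF or blob[pos + 1] in STUFFED
            ):
                pos += 1
    raise ValueError("no EOI marker found")

def trailing_data(blob: bytes) -> bytes:
    """Whatever follows the image proper; a clean JPEG yields b""."""
    return blob[jpeg_end_offset(blob):]

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def find_xor_key(data: bytes, magic: bytes = b"MZ"):
    """Brute-force the single-byte key that makes the tail start with `magic`;
    returns the key, or None when no key fits (assumes a one-byte key)."""
    for key in range(256):
        if xor_bytes(data[:len(magic)], key) == magic:
            return key
    return None

# Constructed sample (not a real capture): SOI, APP0 (len 6), SOS header (len 3),
# scan data with an FF00 escape and an RST0 marker, EOI, then a fake "executable"
# XOR-ed with the made-up key 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_PAYLOAD = b"MZ\x90\x00not a real PE, just a marker"
SAMPLE_JPEG = (b"\xff\xd8" + b"\xff\xe0\x00\x06JFIF" + b"\xff\xda\x00\x03\x01"
               + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9")
SAMPLE_BLOB = SAMPLE_JPEG + xor_bytes(SAMPLE_PAYLOAD, SAMPLE_KEY)
```

Running `find_xor_key(trailing_data(blob))` over a downloaded image flags both the presence of trailing data and, when the assumptions hold, the key needed to recover the payload for further analysis.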

F-Secure Corporation

Last Modified: October 09, 2008