
Worm:VBS/Tibni.A


First posted on 01 September 2015.
Source: Microsoft

Aliases :

There are no other names known for Worm:VBS/Tibni.A.

Explanation :

Threat behavior

Installation

This threat creates the following shortcuts on your desktop; each one launches your browser and opens http://www.bahaty.com/red/g.php:

  • %desktop%\Internet Explorer.lnk
  • %desktop%\Opera.lnk
  • %desktop%\Mozilla Firefox.lnk
  • %desktop%\Safari.lnk
  • %desktop%\Google Chrome.lnk


These shortcuts are also placed in the Quick Launch folder, which is typically %APPDATA%\Microsoft\Internet Explorer\Quick Launch.

The worm then copies the following files to the corresponding locations:

  File                   Location
  bin.doc                D:\bin.doc
  bizo.mp3               D:\system
  img.jpg                D:\AUTOEXE
  Nouveau Dossier.lnk    D:\Nouveau Dossier.lnk
  Photo0.jpg             D:\NTDETE
  pict.jpg               D:\boot
  Zain                   D:\{username}
  Zain                   D:\Zain



To spread to other drives, the worm also copies these files from D: to drives E: through G: ({drive} in the table below). Note that the files stored on D: under system-looking names (AUTOEXE, boot, NTDETE, system) are written back to the removable drives under their original image and audio names:

  Source         Destination
  D:\AUTOEXE     {drive}:\img.jpg
  D:\bin.doc     {drive}:\bin.doc
  D:\boot        {drive}:\pict.jpg
  D:\NTDETE      {drive}:\Photo0.jpg
  D:\system      {drive}:\bizo.mp3
  D:\Zain        {drive}:\& {username} &.lnk
  D:\Zain        {drive}:\Nouveau Dossier.lnk
  D:\Zain        {drive}:\Zain



For the threat to load at startup, it creates the following shortcut:

  • \Start.lnk


The shortcut runs wscript.exe /e:VBScript.Encode D:\bin.doc. The /e: switch tells Windows Script Host which engine to use (here VBScript.Encode, the engine for encoded VBScript), so the file executes as a script even though it carries a .doc extension.

It modifies the following registry entry so that it runs each time you start your PC:

In subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: bintin
With data: C:\WINDOWS\system32\wscript.exe /e:VBScript.Encode D:\bin.doc

D:\bin.doc acts as a loader for the following files, if they are present on the system:

  • D:\AUTOEXE
  • D:\boot
  • D:\NTDETE


Spreads through

Removable drives

This worm spreads through removable storage drives, such as USB flash drives.

Payload

The threat downloads the file micropro.exe from ftp.bahaty.com.



Analysis by Allan Sepillo

Symptoms

The following can indicate that you have this threat on your PC:

  • You see these entries or keys in your registry:
    • In subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
      Sets value: bintin
      With data: C:\WINDOWS\system32\wscript.exe /e:VBScript.Encode D:\bin.doc

  • You see files similar to:
    • bin.doc
    • bizo.mp3
    • img.jpg
    • Nouveau Dossier.lnk
    • Photo0.jpg
    • pict.jpg
    • Zain
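As an added example (not part of the Microsoft write-up), the following Python script checks the persistence and file indicators listed in the Installation and Symptoms sections above against constructed sample data: a Run-key listing and the root listings of two removable drives. Besides the exact value name bintin, it flags any Run value that launches wscript.exe with /e:VBScript.Encode on a file whose extension is not .vbs or .vbe, since forcing the engine is what lets a file named bin.doc execute. The three-file threshold for the drive check and the sample Run values are assumptions made for the example, not details from the page.

```python
"""Offline IOC check for the Worm:VBS/Tibni.A indicators listed on this page.

Added example, not part of the original write-up. The Run-key values and
drive listings below are constructed sample data; on a live host they would
come from HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run and from
the root of each removable drive.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Autorun value name the page lists, and the dropped-file names from its tables.
RUN_VALUE_NAME = "bintin"
DROPPED_FILES = {
    "bin.doc", "bizo.mp3", "img.jpg", "Nouveau Dossier.lnk",
    "Photo0.jpg", "pict.jpg", "Zain",
}
_DROPPED_LOWER = {name.lower() for name in DROPPED_FILES}

# Minimum number of dropped-file names at a drive root before reporting.
# Assumption, not from the page: avoids alerting on a lone Photo0.jpg.
MIN_DROPPED_HITS = 3

# wscript.exe with the engine forced to VBScript.Encode (encoded VBScript).
# Capturing the script path lets us check its extension separately.
_ENCODED_VBS_RE = re.compile(
    r"wscript\.exe\s+/e:VBScript\.Encode\s+(?P<path>\S+)", re.IGNORECASE
)
SCRIPT_EXTENSIONS = (".vbs", ".vbe")


@dataclass(frozen=True)
class Finding:
    kind: str    # "run-key", "run-key-generic" or "dropped-files"
    detail: str


def check_run_values(run_values: dict[str, str]) -> list[Finding]:
    """Inspect Run-key (value name -> data) pairs.

    Reports the exact value name from the page, and more generally any value
    that runs wscript.exe /e:VBScript.Encode on a file whose extension is not
    .vbs/.vbe, because forcing the engine is what lets 'bin.doc' execute.
    """
    findings: list[Finding] = []
    for name, data in run_values.items():
        match = _ENCODED_VBS_RE.search(data)
        if name.lower() == RUN_VALUE_NAME:
            findings.append(Finding("run-key", f"{name} = {data}"))
        elif match and not match.group("path").lower().endswith(SCRIPT_EXTENSIONS):
            findings.append(Finding("run-key-generic", f"{name} = {data}"))
    return findings


def check_drive_listing(drive: str, entries: list[str]) -> list[Finding]:
    """Compare a drive's root listing (case-insensitively, as NTFS/FAT do)
    against the dropped-file set and report when enough names co-occur."""
    hits = sorted(e for e in entries if e.lower() in _DROPPED_LOWER)
    if len(hits) >= MIN_DROPPED_HITS:
        return [Finding("dropped-files", f"{drive}: {', '.join(hits)}")]
    return []


# Constructed sample data (not captured from a real host).
SAMPLE_RUN_VALUES = {
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "bintin": r"C:\WINDOWS\system32\wscript.exe /e:VBScript.Encode D:\bin.doc",
}
SAMPLE_DRIVES = {
    "E": ["bin.doc", "bizo.mp3", "img.jpg", "Photo0.jpg", "Zain", "holiday.docx"],
    "F": ["Photo0.jpg", "notes.txt"],
}


def scan(run_values: dict[str, str] = SAMPLE_RUN_VALUES,
         drives: dict[str, list[str]] = SAMPLE_DRIVES) -> list[Finding]:
    """Run both checks and return every finding."""
    findings = check_run_values(run_values)
    for drive, entries in drives.items():
        findings.extend(check_drive_listing(drive, entries))
    return findings


if __name__ == "__main__":
    for finding in scan():
        print(f"[{finding.kind}] {finding.detail}")
```

On a real host the two inputs would be gathered with the registry and filesystem APIs; keeping the matching logic separate from collection is what makes it testable offline. The generic wscript rule will also catch renamed variants that keep the encoded-script loader trick but change the value name.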




Last update 01 September 2015
