Trojan-Downloader:W32/Tibs.VX
First posted on 10 October 2008.
Source: SecurityHome
Aliases:
There are no other names known for Trojan-Downloader:W32/Tibs.VX.
Explanation:
This malware downloads files into the system and executes them.
Tibs.VX executes netsh.exe, a Windows command-line utility, in order to allow the malware to bypass the Windows Firewall.
It sends the following system information to http://pluscount.net:
- Platform
- Service Pack and Version
Files Created
- %windir%\system32\winds32.exe
- %windir%\system32\dflgh8jkd2q1.exe
- %windir%\system32\dflgh8jkd2q2.exe
- %windir%\system32\dflgh8jkd2q5.exe
- %windir%\system32\dflgh8jkd2q6.exe
- %windir%\system32\dflgh8jkd2q7.exe
- %windir%\system32\dflgh8jkd2q8.exe
- %windir%\system32\vx.tll
The downloaded files are detected as Trojan:W32/Tibs.NO, Trojan:W32/Tibs.NS, Trojan:W32/Tibs.NQ, Trojan:W32/Tibs.NR, Trojan:W32/Tibs.NP.
The file called winds32.exe is a copy of the original sample. The file called vx.tll is a 1-byte file.
Temporary placeholders for the downloaded files:
- %temp%\1.dflb
- %temp%\2.dflb
- %temp%\3.dflb
- %temp%\4.dflb
- %temp%\5.dflb
- %temp%\6.dflb
- %temp%\7.dflb
Network
Tibs.VX attempts to download files from:
- http://pluscount.net/[...]/search.jpg
- http://pluscount.net/[...]/winlogon.jpg
- http://pluscount.net/[...]/tibs.jpg
- http://pluscount.net/[...]/null.jpg
- http://pluscount.net/[...]/tool.jpg
- http://pluscount.net/[...]/proxy.jpg
These URLs contain valid JPEG files with the malware code appended to them. The appended code is hidden by an XOR operation.
Last update 10 October 2008
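As an added triage example (not code from the original description), the following walks a downloaded "JPEG" to its End-Of-Image marker and checks whether XOR-hidden data follows it, the layout described above. Because the description gives neither the key nor the payload format, it assumes a single-byte XOR key and a PE executable as payload; the sample input is constructed here.

```python
# Added example, not from the original description. Assumptions (the page
# states neither): the trailing payload is a PE file and the XOR key is a
# single repeating byte. The build_sample() input is constructed for testing.
from typing import Optional, Tuple

_IN_SCAN = {0x00, *range(0xD0, 0xD8)}   # FF00 stuffing and RSTn stay inside scan data

def jpeg_end(blob: bytes) -> int:
    """Walk the JPEG marker segments and return the offset just past the EOI marker."""
    if blob[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos = 2
    while pos + 2 <= len(blob):
        if blob[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = blob[pos + 1]
        if marker == 0xFF:                           # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                           # EOI: the real image ends here
            return pos + 2
        pos += 2 + int.from_bytes(blob[pos + 2:pos + 4], "big")   # skip this segment
        if marker == 0xDA:                           # SOS: skip entropy-coded data
            while pos + 1 < len(blob) and not (blob[pos] == 0xFF and blob[pos + 1] not in _IN_SCAN):
                pos += 1
    raise ValueError("no EOI marker found")

def find_xor_pe(payload: bytes) -> Optional[Tuple[int, bytes]]:
    """Try all 256 single-byte keys; return (key, decoded) if a PE header appears."""
    if len(payload) < 0x40:
        return None
    for key in range(256):
        if payload[0] ^ key != 0x4D or payload[1] ^ key != 0x5A:   # "MZ"
            continue
        decoded = bytes(b ^ key for b in payload)
        e_lfanew = int.from_bytes(decoded[0x3C:0x40], "little")
        if decoded[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return key, decoded
    return None

def build_sample(key: int) -> bytes:
    """Constructed test input: a minimal JPEG skeleton plus a fake XOR'd PE stub."""
    jpeg = (b"\xff\xd8"                                                     # SOI
            + b"\xff\xe0\x00\x10JFIF\0\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0
            + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                    # SOS header
            + b"\x12\x34\xff\x00\x56\xff\xd0\x78"                            # scan data
            + b"\xff\xd9")                                                   # EOI
    pe = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0\x4c\x01"
    return jpeg + bytes(b ^ key for b in pe)
```

Run `find_xor_pe(blob[jpeg_end(blob):])` on a suspect download; a clean JPEG yields an empty tail and `None`.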