Virus: TR/Dldr.Tibs.C
Date discovered: 25/07/2006
Type: Trojan
Subtype: Downloader
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 7,971 bytes
MD5 checksum: 8937c080da4312f7b49ee997f4b53185
VDF version: 6.35.01.00 - Tuesday, July 25, 2006
IVDF version: 6.35.01.00 - Tuesday, July 25, 2006

General
Method of propagation:
• No own spreading routine

Aliases:
• Kaspersky: Trojan-Downloader.Win32.Tibs.gc
• VirusBuster: trojan Trojan.DL.Tibs.DQ

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Downloads malicious files
• Lowers security settings
• Registry modification
• Steals information

Right after execution the following information is displayed:

Files
It copies itself to the following location:
• %SYSDIR%\kernels8.exe

The following files are created:
– A file that is for temporary use and might be deleted afterwards:
  • %TEMPDIR%\%number%.dlb
– %WINDIR%\xpupdate.exe
  Further investigation pointed out that this file is malware, too. Detected as: TR/Dldr.Tibs.C
– %PROGRAM FILES%\BraveSentry\BraveSentry.exe
– %PROGRAM FILES%\BraveSentry\BraveSentry0.bs
– %PROGRAM FILES%\BraveSentry\BraveSentry0.dll
  Further investigation pointed out that this file is malware, too. Detected as: ADSPY/SearchAssistant.H
– %PROGRAM FILES%\BraveSentry\BraveSentry1.bs
– %PROGRAM FILES%\BraveSentry\BraveSentry1.dll
  Further investigation pointed out that this file is malware, too. Detected as: ADSPY/SpyTrooper.2
– %PROGRAM FILES%\BraveSentry\BraveSentry2.dll
  Further investigation pointed out that this file is malware, too. Detected as: TR/Bravesentry.H
– %PROGRAM FILES%\BraveSentry\BraveSentry3.dll
  Further investigation pointed out that this file is malware, too. Detected as: ADSPY/BraveSentry.A
– %PROGRAM FILES%\BraveSentry\Uninstall.exe
– %PROGRAM FILES%\BraveSentry\BraveSentry.lic
– %WINDIR%\desktop.html
– %APPDATA%\Microsoft\Internet Explorer\Desktop.htt

It tries to download some files:
– The location is the following:
  • http://proffy209.com/pic/**********
  It is saved on the local hard drive under: %SYSDIR%\dlh9jkdq6.exe
  Furthermore this file gets executed after it was fully downloaded.
  Further investigation pointed out that this file is malware, too. Detected as: TR/Crypt.F.Gen
– The location is the following:
  • http://proffy209.com/pic/**********
  It is saved on the local hard drive under: %SYSDIR%\dlh9jkdq1.exe
  Furthermore this file gets executed after it was fully downloaded.
  Further investigation pointed out that this file is malware, too. Detected as: TR/Dldr.Small.agq.4
– The location is the following:
  • http://proffy209.com/**********
  It is saved on the local hard drive under: %SYSDIR%\dlh9jkdq8.exe
– The location is the following:
  • http://proffy209.com/pic/**********
  It is saved on the local hard drive under: %SYSDIR%\dlh9jkdq5.exe
  Furthermore this file gets executed after it was fully downloaded.
  Further investigation pointed out that this file is malware, too. Detected as: TR/Dldr.Small.agq.4
– The location is the following:
  • http://proffy209.com/pic/**********
  It is saved on the local hard drive under: %SYSDIR%\dlh9jkdq7.exe
  Furthermore this file gets executed after it was fully downloaded.
  Further investigation pointed out that this file is malware, too. Detected as: TR/Crypt.F.Gen
– The location is the following:
  • http://proffy209.com/pic/**********
  It is saved on the local hard drive under: %SYSDIR%\dlh9jkdq2.exe
  Furthermore this file gets executed after it was fully downloaded.
  Further investigation pointed out that this file is malware, too. Detected as: TR/Dldr.Tibs.C
– The location is the following:
  • http://proffy209.com/dl/**********
  It is saved on the local hard drive under: %SYSDIR%\vx.tll
– The location is the following:
  • http://download.bravesentry.com/**********
  It is saved on the local hard drive under: %APPDATA%\Install.dat

It tries to execute the following file:
– Filename:
  • netsh
  using the following command line arguments: firewall set allowedprogram "%malware execution directory%\%executed file%" enable
  This registers the running malware file as an allowed program in the Windows Firewall, so its downloads and reporting are not blocked.

Registry
The following registry key is added in order to run the process after reboot:
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • "System"="%SYSDIR%\kernels8.exe"
  • "Windows update loader"="%WINDIR%\xpupdate.exe"

The values of the following registry keys are removed:
– HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • "AutoConfigURL"
  • "ProxyOverride"
  • "ProxyServer"
– HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • "con"
– HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • "NoDesktop"

The following registry keys are added:
– HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
  • "DisableTaskMgr"=dword:00000001
  • "Wallpaper"="%WINDIR%\desktop.html"
– HKLM\Software\Microsoft\DownloadManager
– HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • "ForceActiveDesktopOn"=dword:00000001
  • "ClassicShell"=dword:00000000
  • "NoActiveDesktop"=dword:00000000
– HKCU\Software\Microsoft\Internet Explorer\Desktop\Components
  • "GeneralFlags"=dword:00000000
  • "Settings"=dword:00000001
  • "DeskHtmlMinorVersion"=dword:00000005
  • "DeskHtmlVersion"=dword:00000110
– HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0
  • "RestoredStateInfo"="hex values"
  • "OriginalStateInfo"="hex values"
  • "CurrentState"=dword:40000004
  • "Position"="hex values"
  • "Flags"=dword:00000002
  • "FriendlyName"="My Current Home Page"
  • "SubscribedURL"="About:Home"
  • "Source"="About:Home"
– HKCU\Control Panel\Desktop
  • "Pattern"=""
  • "WallpaperStyle"="2"
  • "TileWallpaper"="0"
– HKLM\SOFTWARE\Microsoft\Internet Explorer\Desktop
– HKLM\SOFTWARE\Microsoft\Internet Explorer\Desktop\General
  • "WallpaperLocalFileTime"="hex values"
  • "WallpaperFileTime"="hex values"
– HKCU\Software\Microsoft\Internet Explorer\Desktop\General
  • "WallpaperFileTime"="hex values"
  • "ComponentsPositioned"=dword:00000002
  • "TileWallpaper"="0"
  • "WallpaperStyle"="2"
– HKCU\SOFTWARE\Install
– HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
  • "NoHTMLWallPaper"=dword:00000000
  • "NoEditingComponents"=dword:00000000
  • "NoDeletingComponents"=dword:00000000
  • "NoAddingComponents"=dword:00000000
  • "NoComponents"=dword:00000000
  • "NoChangingWallpaper"=dword:00000000
The Policies\System "Wallpaper" value, the forced Active Desktop and the dropped desktop.html together replace the user's desktop background with the malware's own HTML page, and "DisableTaskMgr" keeps the user from ending the process through Task Manager.

Backdoor
It contacts the following server:
• http://proffy209.com/adv/195/**********
As a result it may send some information. This is done via an HTTP GET request to a PHP script.

It sends information about:
• CPU type
• Current malware status
• Platform ID
• Information about the Windows operating system

File details
Runtime packer: To hinder detection and reduce the file size, it is packed with a runtime packer.
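As an added example (not part of this Avira description), the following Python script turns the indicators above into a check that runs offline against a registry export. It parses `.reg` text (the "Windows Registry Editor Version 5.00" format written by `reg export`), unescapes string data and joins hex continuation lines, then flags the two Run entries, the "DisableTaskMgr" and "Wallpaper" policy values, and any Windows Firewall exception for kernels8.exe, xpupdate.exe or a downloaded dlh9jkdq<n>.exe. The sample export is constructed for the example; the AuthorizedApplications\List key path is an assumption about where `netsh firewall set allowedprogram` records its exceptions on Windows XP SP2.

```python
import re

# Filenames taken from the description above; matched on the basename only,
# since %SYSDIR%/%WINDIR% expand differently from machine to machine.
DROPPED_FILES = {"kernels8.exe", "xpupdate.exe"}
DOWNLOADED_RE = re.compile(r"^dlh9jkdq\d\.exe$", re.IGNORECASE)

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
# Assumption (not from the description): the list 'netsh firewall set
# allowedprogram' writes to on Windows XP SP2.
FIREWALL_LIST = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
                 r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# A value line: @=... or "name"=... ; the name may contain escaped quotes/backslashes.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def unescape(s):
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def basename(path):
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].strip('"').lower()


def parse_reg(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key path (lower-cased): {value name: data}}.  String data is unescaped;
    dword:/hex: data is kept as written, with continuation lines joined."""
    keys, current = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        while line.endswith("\\") and i < len(lines):   # hex: continuation
            line = line[:-1] + lines[i].strip()
            i += 1
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = unescape(data[1:-1])
        keys[current][name] = data
    return keys


def lookup(values, name):
    """Case-insensitive value lookup: registry value names are not case-sensitive."""
    for k, v in values.items():
        if k.lower() == name.lower():
            return v
    return None


def find_indicators(keys):
    """Return (category, value name, data) for every TR/Dldr.Tibs.C indicator found."""
    hits = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        b = basename(data)
        if b in DROPPED_FILES or DOWNLOADED_RE.match(b):
            hits.append(("autostart", name, data))
    policies = keys.get(POLICY_KEY.lower(), {})
    dtm = lookup(policies, "DisableTaskMgr")
    if dtm and dtm.lower() == "dword:00000001":
        hits.append(("taskmgr-disabled", "DisableTaskMgr", dtm))
    wp = lookup(policies, "Wallpaper")
    if wp and basename(wp) == "desktop.html":
        hits.append(("wallpaper-hijack", "Wallpaper", wp))
    for name, data in keys.get(FIREWALL_LIST.lower(), {}).items():
        b = basename(name)          # the value name is the program path
        if b in DROPPED_FILES or DOWNLOADED_RE.match(b):
            hits.append(("firewall-exception", name, data))
    return hits


# Constructed sample export (not a real capture) reproducing the entries above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"System"="C:\\WINDOWS\\system32\\kernels8.exe"
"Windows update loader"="C:\\WINDOWS\\xpupdate.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"Wallpaper"="C:\\WINDOWS\\desktop.html"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Position"=hex:2c,00,00,00,\
  00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\kernels8.exe"="C:\\WINDOWS\\system32\\kernels8.exe:*:Enabled:kernels8"
"""

if __name__ == "__main__":
    for category, name, data in find_indicators(parse_reg(SAMPLE_REG)):
        print(f"{category:20s} {name} = {data}")
```

On a suspect machine the input would come from `reg export` of the Run, Policies\System and firewall list keys (one file per key, concatenated), which avoids running anything on the infected host beyond the built-in tool.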
Description inserted by Marius T. Nicolae on Thursday, July 27, 2006
Description updated by Marius T. Nicolae on Tuesday, August 1, 2006