Virus:TR/Dldr.Tibs.C
Date discovered:25/07/2006
Type:Trojan
Subtype:Downloader
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:7.971 Bytes
MD5 checksum:8937c080da4312f7b49ee997f4b53185
VDF version:6.35.01.00 - Tuesday, July 25, 2006
IVDF version:6.35.01.00 - Tuesday, July 25, 2006

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan-Downloader.Win32.Tibs.gc
   •  VirusBuster: trojan Trojan.DL.Tibs.DQ


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads malicious files
   • Lowers security settings
   • Registry modification
   • Steals information


Right after execution the following information is displayed:


 Files It copies itself to the following location:
   • %SYSDIR%\kernels8.exe



The following files are created:

– A file that is for temporary use and it might be deleted afterwards:
   • %TEMPDIR%\%number%.dlb

%WINDIR%\xpupdate.exe Further investigation pointed out that this file is malware, too. Detected as: TR/Dldr.Tibs.C

%PROGRAM FILES%\BraveSentry\BraveSentry.exe
%PROGRAM FILES%\BraveSentry\BraveSentry0.bs
%PROGRAM FILES%\BraveSentry\BraveSentry0.dll Further investigation pointed out that this file is malware, too. Detected as: ADSPY/SearchAssistant.H

%PROGRAM FILES%\BraveSentry\BraveSentry1.bs
%PROGRAM FILES%\BraveSentry\BraveSentry1.dll Further investigation pointed out that this file is malware, too. Detected as: ADSPY/SpyTrooper.2

%PROGRAM FILES%\BraveSentry\BraveSentry2.dll Further investigation pointed out that this file is malware, too. Detected as: TR/Bravesentry.H

%PROGRAM FILES%\BraveSentry\BraveSentry3.dll Further investigation pointed out that this file is malware, too. Detected as: ADSPY/BraveSentry.A

%PROGRAM FILES%\BraveSentry\Uninstall.exe
%PROGRAM FILES%\BraveSentry\BraveSentry.lic
%WINDIR%\desktop.html
– %APPDATA%\Microsoft\Internet Explorer\Desktop.htt



It tries to download some files:

– The location is the following:
   • http://proffy209.com/pic/**********
It is saved on the local hard drive under: %SYSDIR%\dlh9jkdq6.exe Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: TR/Crypt.F.Gen


– The location is the following:
   • http://proffy209.com/pic/**********
It is saved on the local hard drive under: %SYSDIR%\dlh9jkdq1.exe Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: TR/Dldr.Small.agq.4


– The location is the following:
   • http://proffy209.com/**********
It is saved on the local hard drive under: %SYSDIR%\dlh9jkdq8.exe

– The location is the following:
   • http://proffy209.com/pic/**********
It is saved on the local hard drive under: %SYSDIR%\dlh9jkdq5.exe Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: TR/Dldr.Small.agq.4


– The location is the following:
   • http://proffy209.com/pic/**********
It is saved on the local hard drive under: %SYSDIR%\dlh9jkdq7.exe Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: TR/Crypt.F.Gen


– The location is the following:
   • http://proffy209.com/pic/**********
It is saved on the local hard drive under: %SYSDIR%\dlh9jkdq2.exe Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: TR/Dldr.Tibs.C


– The location is the following:
   • http://proffy209.com/dl/**********
It is saved on the local hard drive under: %SYSDIR%\vx.tll

– The location is the following:
   • http://download.bravesentry.com/**********
It is saved on the local hard drive under: %APPDATA%\Install.dat



It tries to execute the following file:

– Filename:
   • netsh
using the following command line arguments: firewall set allowedprogram '%malware execution directory%\%executed file%' enable

 Registry The following registry key is added in order to run the process after reboot:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "System"="%SYSDIR%\kernels8.exe"
   • "Windows update loader"="%WINDIR%\xpupdate.exe"



The values of the following registry keys are removed:

–  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
   • "AutoConfigURL"
   • "ProxyOverride"
   • "ProxyServer"

–  HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   • "con"

–  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
   • "NoDesktop"



The following registry keys are added:

– HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
   • "DisableTaskMgr"=dword:00000001
   • "Wallpaper"="%WINDIR%\desktop.html"

– HKLM\Software\Microsoft\DownloadManager
– HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
   • "ForceActiveDesktopOn"=dword:00000001
   • "ClassicShell"=dword:00000000
   • "NoActiveDesktop"=dword:00000000

– HKCU\Software\Microsoft\Internet Explorer\Desktop\Components
   • "GeneralFlags"=dword:00000000
   • "Settings"=dword:00000001
   • "DeskHtmlMinorVersion"=dword:00000005
   • "DeskHtmlVersion"=dword:00000110

– HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0
   • "RestoredStateInfo"=" hex values"
   • "OriginalStateInfo"="hex values"
   • "CurrentState"=dword:40000004
   • "Position"="hex values"
   • "Flags"=dword:00000002
   • "FriendlyName"="My Current Home Page"
   • "SubscribedURL"="About:Home"
   • "Source"="About:Home"

– HKCU\Control Panel\Desktop
   • "Pattern"=""
   • "WallpaperStyle"="2"
   • "TileWallpaper"="0"

– HKLM\SOFTWARE\Microsoft\Internet Explorer\Desktop
– HKLM\SOFTWARE\Microsoft\Internet Explorer\Desktop\General
   • "WallpaperLocalFileTime"="hex values"
   • "WallpaperFileTime"="hex values"

– HKCU\Software\Microsoft\Internet Explorer\Desktop\General
   • "WallpaperFileTime"=%hex values%
   • "ComponentsPositioned"=dword:00000002
   • "TileWallpaper"="0"
   • "WallpaperStyle"="2"

– HKCU\SOFTWARE\Install
– HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\
   ActiveDesktop
   • "NoHTMLWallPaper"=dword:00000000
   • "NoEditingComponents"=dword:00000000
   • "NoDeletingComponents"=dword:00000000
   • "NoAddingComponents"=dword:00000000
   • NoComponents"=dword:00000000
   • "NoChangingWallpaper"=dword:00000000

 Backdoor The following:
   • http://proffy209.com/adv/195/**********

As a result it may send some information. This is done via the HTTP GET request on a PHP script.


Sends information about:
    • CPU type
    • Current malware status
    • Platform ID
    • Information about the Windows operating system

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Marius T. Nicolae on Thursday, July 27, 2006
Description updated by Marius T. Nicolae on Tuesday, August 1, 2006

Back . . . .