Virus: TR/Dldr.Tibs.hh
Date discovered: 16/08/2006
Type: Trojan
Subtype: Downloader
In the wild: Yes
Reported infections: Low
Distribution potential: Low
Damage potential: Medium
Static file: Yes
File size: 7,985 bytes
MD5 checksum: df8c2d130B62917f21bb64d05af187b8
VDF version: 6.35.01.100
IVDF version: 6.35.01.101
General
Method of propagation:
• No spreading routine of its own

Aliases:
• Symantec: Trojan.Galapoper.A
• Kaspersky: Trojan-Downloader.Win32.Tibs.hh

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Downloads malicious files
• Lowers security settings
• Registry modification
• Steals information
• Third party control

Files
It copies itself to the following location:
• %SYSDIR%\kernels8.exe

It tries to download the following files. Each one is executed once it has been fully downloaded, and further investigation showed that each of them is malware, too:
– From http://uniq-soft.com/pic/**********, saved on the local hard drive as %SYSDIR%\dlh9jkdq1.exe
– From http://uniq-soft.com/pic/**********, saved on the local hard drive as %SYSDIR%\dlh9jkdq2.exe
– From http://uniq-soft.com/pic/**********, saved on the local hard drive as %SYSDIR%\dlh9jkdq5.exe
– From http://uniq-soft.com/pic/**********, saved on the local hard drive as %SYSDIR%\dlh9jkdq6.exe
– From http://uniq-soft.com/pic/**********, saved on the local hard drive as %SYSDIR%\dlh9jkdq7.exe
– From http://uniq-soft.com/pic/**********

It tries to execute the following file:
– %SYSDIR%\netsh.exe, with the following command line arguments:
  firewall set allowedprogram %executed file% enable
  (This adds the running executable to the Windows Firewall exception list on Windows XP SP2 / Server 2003 SP1 and later, so its outbound and inbound traffic is not blocked.)

Registry
The following registry keys are added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  • System = %SYSDIR%\kernels8.exe
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
  • SystemTools = %SYSDIR%\kernels8.exe
  (RunServices is only processed by Windows 9x/ME; NT-based versions rely on the Run key.)

The following registry key is changed:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
  New value:
  • DisableTaskMgr = 1
  (This disables Task Manager for the current user.)

Backdoor
Contact server, all of the following:
• http://uniq-soft.com/adv/053/**********
• http://uniq-soft.com/**********
• http://uniq-soft.com/dl/**********
As a result it may send information, and remote control could be provided. This is done via HTTP GET requests to a PHP script.

File details
Runtime packer: to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
• UPX
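The host-side indicators above (the dropped %SYSDIR%\kernels8.exe and dlh9jkdq*.exe payloads, the Run / RunServices autostart values, the DisableTaskMgr policy and the netsh firewall exception) are the ones a responder would sweep endpoint telemetry for. The Python script below is an added example and is not Avira's code or part of the original description: it scans a list of process-creation and registry value-set events and reports which indicators from the description each event matches. The event records and their field names are constructed for this example (they follow no real product's schema), and the system-directory aliases C:\WINDOWS\system32 and C:\WINNT\system32 are assumptions used to fold concrete paths onto the %SYSDIR% placeholder. Benign events are mixed in to show that a read-only netsh call and an unrelated autorun entry are not flagged.

```python
"""Indicator sweep for the TR/Dldr.Tibs.hh host artefacts described above.

Added example, not Avira's code. Event records are constructed and the
field names ("type", "image", "cmdline", "key", "name", "data") are this
example's own convention, not any telemetry product's schema.
"""
import re
from dataclasses import dataclass

# Assumed concrete system directories that the writeup abbreviates as %SYSDIR%.
SYSDIR_ALIASES = (r"c:\windows\system32", r"c:\winnt\system32")

# File paths named in the description (lower-cased for matching).
KNOWN_FILES = {
    r"%sysdir%\kernels8.exe",
    r"%sysdir%\dlh9jkdq1.exe",
    r"%sysdir%\dlh9jkdq2.exe",
    r"%sysdir%\dlh9jkdq5.exe",
    r"%sysdir%\dlh9jkdq6.exe",
    r"%sysdir%\dlh9jkdq7.exe",
}

# Autostart keys written by the dropper. RunServices is only processed by
# Windows 9x/ME; NT-based systems honour only the Run key.
AUTORUN_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runservices",
}
TASKMGR_POLICY_KEY = r"hkcu\software\microsoft\windows\currentversion\policies\system"

# "netsh firewall set allowedprogram <path> enable": the path may be quoted.
NETSH_ALLOW = re.compile(r'firewall\s+set\s+allowedprogram\s+("[^"]+"|\S+)\s+enable', re.I)


@dataclass(frozen=True)
class Finding:
    category: str
    detail: str


def normalize_path(path: str) -> str:
    """Lower-case a Windows path, strip surrounding quotes and fold a known
    system directory prefix onto the %sysdir% placeholder."""
    p = path.strip().strip('"').lower()
    for alias in SYSDIR_ALIASES:
        if p.startswith(alias):
            return "%sysdir%" + p[len(alias):]
    return p


def scan_events(events):
    """Return one Finding per indicator match across the given events."""
    findings = []
    for ev in events:
        if ev["type"] == "registry":
            key = ev["key"].lower()
            if key in AUTORUN_KEYS and normalize_path(ev["data"]) in KNOWN_FILES:
                findings.append(Finding("persistence", f'{ev["key"]}\\{ev["name"]} -> {ev["data"]}'))
            elif (key == TASKMGR_POLICY_KEY and ev["name"].lower() == "disabletaskmgr"
                  and str(ev["data"]) == "1"):
                findings.append(Finding("tamper", "Task Manager disabled via DisableTaskMgr=1"))
        elif ev["type"] == "process":
            image = normalize_path(ev["image"])
            if image in KNOWN_FILES:
                findings.append(Finding("known_file", ev["image"]))
            if image.endswith(r"\netsh.exe"):
                m = NETSH_ALLOW.search(ev["cmdline"])
                if m:  # report which program was whitelisted in the firewall
                    findings.append(Finding("firewall_exception", normalize_path(m.group(1))))
    return findings


# Constructed sample telemetry: the infection chain plus two benign events.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\WINDOWS\system32\kernels8.exe", "cmdline": "kernels8.exe"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "System", "data": r"C:\WINDOWS\system32\kernels8.exe"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
     "name": "SystemTools", "data": r"C:\WINDOWS\system32\kernels8.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "name": "DisableTaskMgr", "data": 1},
    {"type": "process", "image": r"C:\WINDOWS\system32\netsh.exe",
     "cmdline": r'netsh firewall set allowedprogram "C:\WINDOWS\system32\kernels8.exe" enable'},
    # benign noise: an unrelated autorun value and a read-only netsh query
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "ctfmon", "data": r"C:\WINDOWS\system32\ctfmon.exe"},
    {"type": "process", "image": r"C:\WINDOWS\system32\netsh.exe", "cmdline": "netsh firewall show state"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.category}] {f.detail}")
```

Running the script against the constructed events yields five findings: the kernels8.exe process start, both autostart values, the DisableTaskMgr policy and the firewall exception for %sysdir%\kernels8.exe; the ctfmon autorun and the `netsh firewall show state` call produce nothing. The netsh check is deliberately independent of the known-file list, so a firewall exception added for any unfamiliar program still surfaces for review.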
Description inserted by Andrei Gherman on Thursday, August 17, 2006 Description updated by Andrei Gherman on Thursday, August 17, 2006