Virus: TR/Jorik.Tibs.N
Date discovered: 12/07/2010
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Low to medium
Static file: Yes
File size: 225280 Bytes
MD5 checksum: 6736a9477c64d7c345f2b8c71cc79069
IVDF version: 7.10.09.71 - Monday, July 12, 2010

General

Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan.Win32.Jorik.Tibs.n
   •  Eset: Win32/TrojanDownloader.VB.ORK


Platforms / OS:
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a file
   • Downloads malicious files

Files

It copies itself to the following location:
   • %APPDATA%\%random character string%.exe



The following file is created:

%temporary internet files%\Content.IE5\A7WRO9QN\ip_query_country[1].xml
This is a non-malicious text file that contains information about the program itself.



It tries to download some files:

– The location is the following:
   • http://ho**********C.exe
It is saved on the local hard drive under: %APPDATA%\%random character string%.exe
The file is executed once it has been fully downloaded. Further investigation showed that this file is also malware.
Detected as: TR/Dldr.Agent.MS


– The location is the following:
   • http://ho**********4U.exe
It is saved on the local hard drive under: %APPDATA%\%random character string%.exe
The file is executed once it has been fully downloaded. At the time of writing it was an updated version of the malware itself.
Detected as: TR/Jorik.Tibs.N.1


– The location is the following:
   • http://ho**********STL.exe
It is saved on the local hard drive under: %APPDATA%\%random character string%.exe
The file is executed once it has been fully downloaded. Further investigation showed that this file is also malware.
Detected as: TR/PCK.Tdss.O.43

Description inserted by Carlos Valero Llabata on Tuesday, July 13, 2010
Description updated by Carlos Valero Llabata on Tuesday, July 13, 2010
