W32/Tibs.KB!tr

Analysis

  • Creates the mutex named klllekkdkkd to ensure that only one instance of the virus is executed on the computer.
  • Creates a copy of itself in the {SYSTEM} folder, named alsys.exe.
  • Adds the following registry values so that the copy runs at every logon:
    • key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • value: Agent
    • data: "{SYSTEM}\alsys.exe"
    • key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • value: Agent
    • data: "{SYSTEM}\alsys.exe"
  • Modifies the following registry value, which sets the SharedAccess (Windows Firewall/Internet Connection Sharing) service to Disabled:
    • key: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
    • value: Start
    • data: dword:4
  • Creates a file {RANDOM}.exe in the current directory, then executes it. {RANDOM} consists of seven random characters.
  • Attempts to terminate security-related processes with the following strings in their names:
    • anti
    • avg
    • avp
    • blackice
    • firewall
    • f-pro
    • hijack
    • lockdown
    • mcafee
    • msconfig
    • nav
    • nod32
    • rav
    • reged
    • spybot
    • taskmgr
    • troja
    • viru
    • vsmon
    • zonea
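
As an added defender-side example (not part of the Fortinet analysis), the following Python checks a regedit .reg export for two of the host indicators listed above: the Run value named Agent that launches alsys.exe, and the SharedAccess service set to Start=4. The sample export and helper names are constructed for illustration.

```python
import re

# Locations from the analysis above (a regedit export spells the hives out in full).
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
SHAREDACCESS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
SERVICE_DISABLED = 4  # Start=dword:4 marks a Windows service as Disabled
VALUE_RE = re.compile(r'"([^"]*)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def parse_reg_export(text):
    """Parse a regedit .reg export into {key: {value_name: data}} (REG_SZ and REG_DWORD only)."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
        elif current and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                name, sval, dval = m.groups()
                # .reg files escape backslashes in string data as "\\"
                reg[current][name] = int(dval, 16) if dval is not None else sval.replace("\\\\", "\\")
    return reg


def find_tibs_indicators(reg):
    """Return findings for the persistence and firewall-tampering indicators listed above."""
    findings = []
    for key in RUN_KEYS:
        data = reg.get(key, {}).get("Agent")
        if isinstance(data, str) and data.lower().endswith("\\alsys.exe"):
            findings.append(f"Run value 'Agent' -> {data} under {key}")
    if reg.get(SHAREDACCESS_KEY, {}).get("Start") == SERVICE_DISABLED:
        findings.append("SharedAccess service Start=4: Windows Firewall/ICS service disabled")
    return findings


# Constructed sample export: one benign Run entry plus the two indicators.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\WINDOWS\\system32\\SecurityHealthSystray.exe"
"Agent"="C:\\WINDOWS\\system32\\alsys.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"""
```

Run `find_tibs_indicators(parse_reg_export(open("export.reg").read()))` against a real export from a suspect host; an empty list means neither indicator was found.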

Email Propagation
  • The worm harvests email addresses from files on the disk and uses its own SMTP engine to send itself to those addresses.
  • Avoids sending a copy of itself to email addresses that contain any of the following strings:
    • .mil
    • .gov
    • microsoft
  • The email has the following characteristics:
    From: One of the following:
    • Aldora
    • Alysia
    • Amorita
    • Anita
    • April
    • Ara
    • Aretina
    • Barbra
    • Becky
    • Bella
    • Bettina
    • Blenda
    • Briana
    • Bridget
    • Caitlin
    • Camille
    • Cara
    • Carla
    • Carmen
    • Chelsea
    • Clarissa
    • Damita
      ...
    Subject: One of the following:
    • I Love You with All I Am
    • I Still Love You
    • I Think of You
    • I Win with You
    • I wish
    • I Woof You
    • I Would Do Anything
    • I Would Give you Anything
    • If I Could
    • If I Knew
    • I'll Be Your Man
    • In Love
    • In My Heart
    • Inside My Heart
    • Internet Love
    • It's Your Move
    • Just You
    • Just You & Me
    • Kiss Coupon
      ...
    Message body: blank
    Attachment: one of the following:
    • Flash Postcard.exe
    • flash postcard.exe
    • greeting card.exe
    • Greeting Card.exe
    • greeting postcard.exe
    • Greeting Postcard.exe
    • postcard.exe
    • Postcard.exe

Recommended Action

    FortiGate Systems
    • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

Telemetry

    Detection Availability
    • FortiClient: Extreme
    • FortiMail: Extreme
    • FortiSandbox: Extreme
    • FortiWeb: Extreme
    • Web Application Firewall: Extreme
    • FortiIsolator: Extreme
    • FortiDeceptor: Extreme
    • FortiEDR