Virus

W32/Tibs.KA!tr

Analysis

  • Copies itself to the System folder as kernels88.exe.
    Autostart Mechanism
  • Creates the following registry entry:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      System = "[Windows folder]\System32\kernels88.exe"

    Other Behavior
  • Connects to the web site http://traf{REMOVED}.biz/ and sends information such as the following:
    • location
    • processor type
    • operating system version

  • Connects to the URL http://207.{REMOVED}/SF/QgaHo26bYGF6678TGUu, downloads several files and saves them as the following:
    • %Temporary%\1.dllb
    • %Temporary%\2.dllb
    • %Temporary%\3.dllb
    • %Temporary%\4.dllb
    • %Temporary%\5.dllb
    • %Temporary%\6.dllb
    • %Temporary%\7.dllb
    • %Temporary%\h91746.exe
    • %Temporary%\maxdd1.game
    • C:\WINDOWS\System32\dlh9jkd1q1.exe
    • C:\WINDOWS\System32\dlh9jkd1q2.exe
    • C:\WINDOWS\System32\dlh9jkd1q5.exe
    • C:\WINDOWS\System32\dlh9jkd1q6.exe
    • C:\WINDOWS\System32\dlh9jkd1q7.exe
    • C:\WINDOWS\System32\dlh9jkd1q8.exe
    • C:\WINDOWS\system32\kdhzkcj.dll
    • C:\WINDOWS\system32\kernels1118.exe
    • C:\WINDOWS\system32\maxd641.exe
    • C:\WINDOWS\system32\ozgdeik.dll
    • C:\WINDOWS\System32\vx.tll

  • Creates the following registry entries:
    HKEY_CLASSES_ROOT\CLSID\{2E06C924-D29E-75F5-511D-06561F708165}
    HKEY_CURRENT_USER\Software\AdwareDisableKey4
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
      DisableTaskMgr = dword:00000001
    HKEY_LOCAL_MACHINE\SOFTWARE\AdwareDisableKey4
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2E06C924-D29E-75F5-511D-06561F708165}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2E06C924-D29E-75F5-511D-06561F708165}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      System = "C:\WINDOWS\System32\kernels1118.exe"
      ozgdeik.dll = "C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\User\Local Settings\Application Data\ozgdeik.dll",zlcahvb"
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
      PendingFileRenameOperations = "\??\%Temporary%\h91746.exe "
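The dropped-file list and the registry entries above are the indicators a responder would check on a suspect host. The following is an added triage example, not Fortinet's tooling or anything from the original entry: it takes an inventory of registry values (the shape a `.reg` export or a registry-key dump yields) and a list of file paths, both constructed here from the indicators in this write-up, and flags the Run-key autostarts, the DisableTaskMgr policy, the BHO CLSID registration, the AdwareDisableKey4 marker key and the reboot-time PendingFileRenameOperations entry. Value-name and key-suffix matching, the `%Temporary%` placeholder and the benign entries mixed into the sample are assumptions of this example.

```python
"""Added host-triage example for the W32/Tibs.KA!tr indicators listed in
the write-up above. Not Fortinet code; the sample inventories below are
constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# CLSID of the Browser Helper Object registration from the write-up
BHO_CLSID = "{2E06C924-D29E-75F5-511D-06561F708165}".lower()
MARKER_KEY = "adwaredisablekey4"

# File names taken from the write-up, compared case-insensitively on basename
DROPPED_FILE_NAMES = {
    "kernels88.exe", "kernels1118.exe", "maxd641.exe", "kdhzkcj.dll",
    "ozgdeik.dll", "vx.tll", "h91746.exe", "maxdd1.game",
}
# Families of names the write-up lists with varying digits
DROPPED_FILE_PATTERNS = [
    re.compile(r"^dlh9jkd1q\d\.exe$", re.I),   # dlh9jkd1q1.exe ... dlh9jkd1q8.exe
    re.compile(r"^\d\.dllb$", re.I),           # 1.dllb ... 7.dllb
]


@dataclass(frozen=True)
class RegValue:
    key: str   # full key path, e.g. HKEY_LOCAL_MACHINE\SOFTWARE\...\Run
    name: str  # value name; "" for a key whose mere presence is the indicator
    data: str  # value data as text, as a .reg export would show it


def _basename(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def is_dropped_file(path: str) -> bool:
    base = _basename(path)
    return base in DROPPED_FILE_NAMES or any(p.match(base) for p in DROPPED_FILE_PATTERNS)


def references_dropped_file(data: str) -> bool:
    # Split a command line or multi-string on quotes and commas so that a
    # quoted path containing spaces survives, then test each fragment's basename.
    return any(is_dropped_file(frag.strip()) for frag in re.findall(r'[^",]+', data))


def _is_dword_one(data: str) -> bool:
    try:
        return int(data.lower().split(":")[-1], 16) == 1   # "dword:00000001" or "1"
    except ValueError:
        return False


def check_registry(values: Iterable[RegValue]) -> List[str]:
    """Return one finding string per registry indicator from the write-up."""
    findings = []
    for v in values:
        key = v.key.lower()
        if key.endswith(r"\currentversion\run") and references_dropped_file(v.data):
            findings.append(f"autostart: Run\\{v.name} -> {v.data}")
        elif (key.endswith(r"\policies\system") and v.name.lower() == "disabletaskmgr"
              and _is_dword_one(v.data)):
            findings.append("anti-analysis: DisableTaskMgr = 1 (Task Manager disabled)")
        elif BHO_CLSID in key:
            findings.append(f"BHO/CLSID registration: {v.key}")
        elif key.endswith(MARKER_KEY):
            findings.append(f"infection marker key: {v.key}")
        elif (key.endswith(r"\session manager") and v.name.lower() == "pendingfilerenameoperations"
              and references_dropped_file(v.data)):
            findings.append(f"reboot-time file operation queued: {v.data.strip()}")
    return findings


def check_files(paths: Iterable[str]) -> List[str]:
    """Return the paths whose basename matches a dropped file from the write-up."""
    return [p for p in paths if is_dropped_file(p)]


# Constructed sample inventory: the write-up's indicators plus benign entries.
SAMPLE_VALUES = [
    RegValue(r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
             "System", r"C:\WINDOWS\System32\kernels1118.exe"),
    RegValue(r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
             "ozgdeik.dll",
             r'C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\User\Local Settings\Application Data\ozgdeik.dll",zlcahvb'),
    RegValue(r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
             "ctfmon.exe", r"C:\WINDOWS\System32\ctfmon.exe"),   # benign, must not match
    RegValue(r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
             "DisableTaskMgr", "dword:00000001"),
    RegValue(r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2E06C924-D29E-75F5-511D-06561F708165}",
             "", ""),
    RegValue(r"HKEY_LOCAL_MACHINE\SOFTWARE\AdwareDisableKey4", "", ""),
    RegValue(r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager",
             "PendingFileRenameOperations", r"\??\%Temporary%\h91746.exe "),
]
SAMPLE_FILES = [
    r"C:\WINDOWS\System32\dlh9jkd1q5.exe",
    r"C:\WINDOWS\system32\kernel32.dll",        # benign, must not match
    r"C:\DOCUME~1\User\LOCALS~1\Temp\3.dllb",
    r"C:\WINDOWS\System32\vx.tll",
]

if __name__ == "__main__":
    for f in check_registry(SAMPLE_VALUES) + check_files(SAMPLE_FILES):
        print(f)
```

On a live host the `RegValue` records would come from a `reg export` of the keys named above or from PowerShell's `Get-ItemProperty`, and the file list from a directory walk of `System32` and the temporary folder. The PendingFileRenameOperations value is worth a closer look during triage: it is the mechanism Windows uses for `MoveFileEx` with the delay-until-reboot flag, and an entry whose target is empty (as the trailing blank here suggests) means the source file is deleted at the next boot, so the dropper's temporary copy may be gone by the time the host is imaged.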

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.