W32/Tibs.KC!tr
Analysis
- Creates the mutex named killekkdkkd to ensure that only one instance of the virus is executed on the computer.
- Creates a copy of itself in the %SYSTEM% folder as alsys.exe.
Autostart Mechanism
- Creates the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
agent = "%System%\alsys.exe"
Email Propagation
- Spreads by attaching a copy of itself to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine. Having its own SMTP engine allows it to send messages without using any mailing application, such as Microsoft Outlook.
- Gathers target email addresses from the Windows Address Book (WAB).
- The email has the following format:
From: [Name]@[Spoofed domain name]
[Name] can be any of the following:
- Aldora
- Alysia
- Amorita
- Anita
- April
- Aretina
- Barbra
- Becky
- Bella
- Bettina
- Blenda
- Briana
- Bridget
- Caitlin
- Camille
- Carla
- Carmen
- Chelsea
- Clarissa
- Damita
- Danielle
- Daria
- Diana
- Donna
- Doris
- Ebony
- Eliza
- Emily
- Erika
- Evelyn
- Faith
- Gilda
- Gloria
- Haley
- Helga
- Holly
- Idona
- Isabel
- Ivana
- Ivory
- Janet
- Jewel
- Joanna
- Julie
- Juliet
- Kacey
- Kassia
- Katrina
- Laura
- Linda
- Lolita
- Melody
- Nadia
- Naomi
- Natalie
- Nicole
- Olivia
- Pamela
- Peggy
- Queen
- Rachel
- Sharon
- Silver
- Valda
- Valora
- Vanessa
- Vicky
- Violet
- Vivian
- Wendy
- Willa
- Xandra
- Xenia
- Xylia
- Zenia
- Zilya
Subject: One of the following:
- I Love You with All I Am
- The Time for Love
- When You Fall in Love
- Your Love Has Opened
- My Love
- Our Love is Free
- Eternity of Your Love
- I Love You Soo Much
- Wrapped in Your Arms
- Our Love Nest
- Hugging My Pillow
- The Dance of Love
- Falling In Love with You
- Why I Love You ......
Message Body: blank
Attachment: One of the following:
- Flash Postcard.exe
- flash postcard.exe
- greeting postcard.exe
- Greeting Postcard.exe
- greeting card.exe
- Greeting Card.exe
- postcard.exe
- Postcard.exe
Backdoor and/or Trojan Behavior
- Modifies the following value to disable the Shared Access service in Windows 2000/XP:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
Start = 4 (The default value is 3)
- Terminates processes whose names contain any of the following strings:
- mcafee
- taskmgr
- hijack
- f-pro
- lockdown
- msconfig
- firewall
- blackice
- avg
- vsmon
- zonea
- spybot
- nod32
- reged
- rav
- nav
- avp
- troja
- viru
- anti
- alsys
- Closes windows that have the title Registry Editor.
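As an added example (not part of the Fortinet analysis above), the following Python checks a Windows registry export (.reg file) for the two registry indicators this entry describes: a Run value named `agent` that launches `alsys.exe`, and the SharedAccess service `Start` value set to 4. The sample export and the file paths in it are constructed for illustration.

```python
# Indicators taken from the analysis above; registry key names are compared case-insensitively.
RUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
)
SHARED_ACCESS_KEY = r"hkey_local_machine\system\currentcontrolset\services\sharedaccess"


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}}; handles string and dword values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, data = line.split("=", 1)
            name = name.strip('"')
            if data.startswith("dword:"):
                data = int(data[len("dword:"):], 16)
            else:
                # .reg files escape backslashes as "\\"; undo that so paths compare cleanly
                data = data.strip('"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_tibs_indicators(reg_text):
    """Return the W32/Tibs.KC!tr registry indicators present in a .reg export."""
    reg = parse_reg_export(reg_text)
    findings = []
    for key in RUN_KEYS:
        for name, data in reg.get(key, {}).items():
            if isinstance(data, str) and data.lower().endswith("\\alsys.exe"):
                findings.append(f"autostart value '{name}' runs {data} ({key})")
    if reg.get(SHARED_ACCESS_KEY, {}).get("Start") == 4:
        findings.append("SharedAccess service disabled: Start=4 (default is 3)")
    return findings


# Constructed sample export: one benign Run value, the infection's autostart entry,
# and the SharedAccess change. The paths are assumed, not taken from the analysis.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Example\\updater.exe"
"agent"="C:\\WINDOWS\\system32\\alsys.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"""

if __name__ == "__main__":
    for finding in find_tibs_indicators(SAMPLE_REG):
        print(finding)
```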
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
Detection Availability
Product | Availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |