W32/Tibs.JR!tr.dldr

Analysis

  • Copies itself to %System%/kernels88.exe.

  • Adds the following value:
    System="%System%/kernels88.exe"
    to the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    so that the trojan runs every time Windows is restarted.
  • Modifies the firewall configuration to add the trojan to the list of allowed programs, so that its network traffic is not blocked.

  • Downloads malicious files from the following URLs:
    • http://traffstats.{REMOVED}/pic/tool.jpg
    • http://traffstats.{REMOVED}/pic/search.jpg
    • http://traffstats.{REMOVED}/test.php?adv=XXX
    • http://traffstats.{REMOVED}/pic/tibs.jpg
    • http://traffstats.{REMOVED}/pic/proxy.jpg
    • http://traffstats.{REMOVED}/adv/150/adload.php?a1=XXX
    • http://traffstats.{REMOVED}/dl/adv150.php?adv=XXX
    • http://traffstats.{REMOVED}/pic/winlogon.jpg
    It then saves and executes them.
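The two host artifacts listed above (the Run-key value and the firewall allowed-program entry) are the ones a responder can check for directly. The following PowerShell hunt is an added example, not part of the Fortinet entry; it assumes the file name kernels88.exe in the System32 directory (the entry's %System%), a Run value named "System", and that a classic Windows Firewall exception is recorded under the AuthorizedApplications\List keys (that key path, and the check of the newer rule store, are assumptions about where such an entry would land).

```powershell
# Added example (not from the Fortinet entry): hunt for the persistence and
# firewall-exception artifacts of W32/Tibs.JR!tr.dldr on a Windows host.
# Assumptions: dropped file is %SystemRoot%\System32\kernels88.exe, the Run
# value is named "System", and the firewall exception lives in the classic
# AuthorizedApplications\List keys or in the modern firewall rule store.

$findings = @()

# 1. Dropped file in the System directory
$dropped = Join-Path $env:SystemRoot 'System32\kernels88.exe'
if (Test-Path -LiteralPath $dropped) {
    $findings += "Dropped file present: $dropped"
}

# 2. Run-key value named "System" that points at kernels88.exe
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).System
if ($runValue -and $runValue -match 'kernels88\.exe') {
    $findings += "Run-key persistence: System=$runValue"
}

# 3. Classic Windows Firewall allowed-program lists (assumed location)
$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($fwProfile in 'StandardProfile', 'DomainProfile') {
    $listKey = Join-Path $fwBase "$fwProfile\AuthorizedApplications\List"
    if (Test-Path -LiteralPath $listKey) {
        $props = (Get-ItemProperty -Path $listKey).PSObject.Properties
        foreach ($p in $props) {
            if ($p.Name -match 'kernels88\.exe') {
                $findings += "Firewall exception ($fwProfile): $($p.Name) = $($p.Value)"
            }
        }
    }
}

# 4. Modern firewall rule store (Vista and later), in case the exception is there
$appFilters = Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Program -match 'kernels88\.exe' }
foreach ($f in $appFilters) {
    $findings += "Firewall rule references program: $($f.Program)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Tibs.JR artifacts found.'
} else {
    foreach ($line in $findings) { Write-Output "FOUND: $line" }
}
```

Run it in an elevated PowerShell session; the registry reads need no special rights, but Get-NetFirewallApplicationFilter requires the NetSecurity module and is silently skipped on systems that lack it. A hit on any of the four checks should be followed by collecting the file and the firewall profile keys before remediation so the evidence survives cleanup.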

    Recommended Action

      FortiGate Systems
    • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

    Telemetry

    Detection Availability

    FortiClient: Extreme
    FortiMail: Extreme
    FortiSandbox: Extreme
    FortiWeb: Extreme
    Web Application Firewall: Extreme
    FortiIsolator: Extreme
    FortiDeceptor: Extreme
    FortiEDR: