Detection files published: 19 Oct 2005
Description created: 2007-01-24
Description updated: 2007-01-24
Alias: Storm, Nuwar, Zhelatin, Lager, Luder, Mixor, Peacomm, Stormy (various components)
Spreading mechanism: Email, Webpage
Payload: Installs malware, shows annoying popups, allows unauthorized access
This is a large malware family (10000+ discrete detections) with a variety of components and functionality. The first variants of this series were seen as early as 2005. These trojans are designed to download and install a number of other trojans. How they get onto a machine varies: some are installed via malicious web sites, while others are sent by email or found on peer-to-peer networks. In a handful of documented cases this trojan has also been associated with child pornography. Below is a list of the different Tibs-related malware and their functionality.
These variants usually install themselves as %SYSTEM%\kernels64.exe on the local machine, but some variants use names like kernels8.exe or kernels88.exe. They create registry keys so that they run at startup and every time Explorer is started. In addition, the Task Manager is disabled:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run "System"=%SYSTEM%\kernels64.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices "SystemTools"=%SYSTEM%\kernels64.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"="Explorer.exe %SYSTEM%\kernels64.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr"=1
They download a set of malware components from a distribution site. These additional components are installed using random file names in the %SYSTEM% folder:
%SITE%\proxy.exe : Downloader for more components
%SITE%\search.exe : Downloader trojan
%SITE%\tibs.exe : Downloader for a porn dialer
%SITE%\tool.exe : Downloader for more components
%SITE%\winlogon.exe : Installer for a rogue spyware application
Some variants do not download directly, but instead access a PHP script which determines which file is to be downloaded. Information about the local machine's processor and Windows version is usually uploaded to the attacker at the same time.
This type of component searches local files and address books for email addresses and posts the findings to a malicious web site. These email addresses are certainly used for spam purposes.
By installing a mail proxy, the attacker can send mail through another person's mail server, which is very useful for a spammer. Machines infected with this type of trojan will have port 25 (SMTP) open.
Some variants are able to connect to other infected machines and thus create networks of infected machines. A large number of these files were spammed out by email shortly after the large storm that hit Europe in January 2007, and the malware was given the name Stormy by some. This is a remote-controllable trojan (bot). It carries with it a list of controlling IP addresses, which it can contact to fetch information about other infected machines and to register itself as a new peer in the network. Many variants of this also install a rootkit to hide themselves.
Once run, it drops a file with the name wincom32.sys in the %SYSTEM% folder. It then registers this as a service. The trojan may also create a file called wincom32.ini, as well as download and install more malware.
HKLM\System\CurrentControlSet\Services\wincom
"ImagePath"="C:\WINDOWS\SYSTEM32\wincom32.sys"
"DisplayName"="wincom32"
The trojan communicates with peers on ports 4000, 7871 and 11271.
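The registry artifacts listed above (the kernels*.exe Run and RunServices entries, the modified Winlogon Shell value, the DisableTaskMgr policy and the wincom32 driver service) can be checked in a registry export taken from a suspect machine. The following script is an added example and is not part of Norman's description or tooling: it parses `.reg` export text and reports the indicators the description names. The sample exports embedded in it are constructed for this example, and the `C:\WINDOWS\system32` paths in them stand in for %SYSTEM%.

```python
"""Check a Windows registry export (.reg text) for the Tibs/Storm persistence
indicators described above.  Example code; the registry samples are constructed."""
import re
from typing import Dict, List, Tuple

# File names the description lists: kernels64.exe, kernels8.exe, kernels88.exe.
KERNELS_RE = re.compile(r"kernels\d*\.exe", re.IGNORECASE)
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

# Registry locations named in the description (lower-cased for matching).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
POLICY_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"
WINCOM_KEY = r"hkey_local_machine\system\currentcontrolset\services\wincom"

# Constructed sample of what `reg export` might produce on an infected machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"System"="C:\\WINDOWS\\system32\\kernels64.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"SystemTools"="C:\\WINDOWS\\system32\\kernels88.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\system32\\kernels64.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wincom]
"ImagePath"="C:\\WINDOWS\\SYSTEM32\\wincom32.sys"
"DisplayName"="wincom32"
'''

# Constructed sample of a clean machine (default Shell, Task Manager enabled).
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
'''


def parse_reg_export(text: str) -> Dict[Tuple[str, str], str]:
    """Return {(key, value_name): value} with key and name lower-cased.
    Handles the two value types used here: quoted strings and dword."""
    values: Dict[Tuple[str, str], str] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1).lower()
            continue
        value_match = VALUE_RE.match(line)
        if not value_match or current is None:
            continue
        name, data = value_match.group(1).lower(), value_match.group(2)
        if data.startswith('"') and data.endswith('"'):
            # .reg escapes backslashes as "\\"; undo that for path matching.
            data = data[1:-1].replace("\\\\", "\\")
        elif data.lower().startswith("dword:"):
            data = str(int(data[6:], 16))
        values[(current, name)] = data
    return values


def scan_registry_export(text: str) -> List[str]:
    """Return one finding per Tibs/Storm indicator present in the export."""
    values = parse_reg_export(text)
    findings = []
    for (key, name), data in values.items():
        if key in RUN_KEYS and KERNELS_RE.search(data):
            findings.append(f"autostart entry {key}\\{name} -> {data}")
    shell = values.get((WINLOGON_KEY, "shell"))
    # The default Shell is exactly "Explorer.exe"; anything appended is suspect.
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell modified: {shell}")
    if values.get((POLICY_KEY, "disabletaskmgr")) == "1":
        findings.append("Task Manager disabled via DisableTaskMgr=1")
    image = values.get((WINCOM_KEY, "imagepath"), "")
    if image.lower().endswith("wincom32.sys"):
        findings.append(f"wincom32 driver service registered: {image}")
    return findings


if __name__ == "__main__":
    for label, sample in (("infected sample", SAMPLE_REG), ("clean sample", CLEAN_REG)):
        print(f"{label}: {len(scan_registry_export(sample))} finding(s)")
        for finding in scan_registry_export(sample):
            print("  ", finding)
```

Run against a real export, read the file and pass its contents to `scan_registry_export`; the Winlogon Shell check deliberately flags any value other than the bare `Explorer.exe`, so a legitimately customised shell will also appear in the output and needs to be reviewed by hand.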
Tibs-related malware may also be downloaded and installed by the Luder email worm/virus combo. Luder drops many copies of itself in various locations, and then adds a small piece of code to innocent applications in such a way that when such infected files are run, the main virus is executed as well.
NOTE: The variables %SITE% and %SYSTEM% refer to the specific web sites used and to the Windows System folder, respectively.
This malware is normally spammed out by email or found on trojanized web pages, but some variants are assisted by worm- and virus-like malware.
The first components were found as early as 2005, but many more have been found since.
Tibs is a powerful malware distribution tool. The material downloaded usually includes a large amount of adware and spyware, as well as further downloaders. It is not unusual to find hundreds of different malicious files where Tibs has left its mark. In addition to making the computer almost unusable because of popups and ads, it also leaves the computer open to be used as a spam tool and to take part in further distribution of malware.
Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below if your Norman antivirus is unable to clean up the infection.