Threat behavior
Trojan:Win32/Tibs.DV is a Trojan that allows unauthorized access to an infected computer. The Trojan receives commands indirectly from a remote attacker via its connection to a malicious peer-to-peer network. This Trojan also contains advanced stealth functionality that allows it to hide particular files, folders and processes.
When executed, Trojan:Win32/Tibs.DV performs the following actions:
- Copies itself to %windir%\spooldr.exe
- Creates a configuration file %windir%\spooldr.ini which contains a list of peers to connect to initially (see "Backdoor Functionality" section below for further detail).
- Drops a kernel driver <system folder>\spooldr.sys. The driver is then installed, using the file name minus the extension ("spooldr") as the display name.
- Attempts to modify tcpip.sys so that it loads the driver <system folder>\spooldr.sys. The two targeted files are <system folder>\dllcache\tcpip.sys and <system folder>\drivers\tcpip.sys.
- Attempts to modify Windows Time configuration settings.
Note: <system folder> refers to the Windows system folder. The default location of the Windows system folder is C:\Windows\System32 (Windows XP, Vista); C:\Winnt\System32 (Windows NT/2000); C:\Windows\System (Windows 95/98/ME).
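The file artifacts above can be checked offline from a volume mounted on a clean system. The following Python triage script is an added example, not part of this write-up or any vendor tool; it looks for the dropped spooldr files, compares the two tcpip.sys copies with each other, and optionally compares them against an operator-supplied known-good SHA-256 (an assumption: the page gives no hash). Because the Trojan's driver hides files beginning with "spooldr", running it on the live infected system would miss those entries.

```python
import hashlib
import tempfile
from pathlib import Path

# Artifact paths from the write-up, relative to the Windows directory of the
# examined volume. Run against a volume mounted from clean media: on a live
# infected system the spooldr.sys driver hides "spooldr*" files and folders.
TROJAN_FILES = ["spooldr.exe", "spooldr.ini", "System32/spooldr.sys"]
TCPIP_COPIES = ["System32/dllcache/tcpip.sys", "System32/drivers/tcpip.sys"]


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(windir, known_good_tcpip_sha256=None):
    """Return a list of findings for the Windows directory `windir`.
    `known_good_tcpip_sha256` is the SHA-256 of a clean tcpip.sys at the same
    patch level, taken from a trusted reference machine (operator-supplied)."""
    windir, findings, hashes = Path(windir), [], {}
    for rel in TROJAN_FILES:
        if (windir / rel).exists():
            findings.append(f"dropped file present: {rel}")
    for rel in TCPIP_COPIES:
        if (windir / rel).exists():
            hashes[rel] = sha256_of(windir / rel)
    # dllcache holds the File Protection backup of drivers\tcpip.sys, so the
    # two copies should normally be byte-identical.
    if len(hashes) == 2 and len(set(hashes.values())) != 1:
        findings.append("tcpip.sys differs between dllcache and drivers")
    for rel, digest in hashes.items():
        if known_good_tcpip_sha256 and digest != known_good_tcpip_sha256:
            findings.append(f"{rel} does not match the known-good hash")
    return findings


def demo():
    """Constructed sample tree: one dropped file plus a modified driver copy."""
    with tempfile.TemporaryDirectory() as tmp:
        win = Path(tmp) / "Windows"
        for rel in ("System32/dllcache", "System32/drivers"):
            (win / rel).mkdir(parents=True)
        (win / "spooldr.exe").write_bytes(b"constructed sample, not malware")
        (win / "System32/dllcache/tcpip.sys").write_bytes(b"clean driver")
        (win / "System32/drivers/tcpip.sys").write_bytes(b"patched driver")
        return triage(win)
```

Point `triage()` at the Windows directory of the mounted volume; an empty list means none of the listed artifacts were found, which does not by itself rule out infection.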
Trojan:Win32/Tibs.DV takes several measures in order to lower security settings and evade detection on the infected computer, including the following:
Advanced Stealth Features
The driver, "spooldr.sys", hides files, folders and processes beginning with the string "spooldr" by hooking the following function:
Backdoor Functionality
The Trojan attempts to join a malicious peer-to-peer network, where directives can be exchanged between like peers. Once connected to the network, active peers can be instructed to perform several actions including:
- Gathering e-mail addresses from files with the following extensions on all fixed drives on the affected machine:
.adb
.asp
.cfg
.cgi
.dat
.dbx
.dhtm
.eml
.htm
.jsp
.lst
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.sht
.shtm
.stm
.tbb
.txt
.uin
.wab
.wsh
.xls
.xml
However, the Trojan avoids addresses that contain the following substrings:
@avp.
@foo
@iana
@messagelab
@microsoft
abuse
admin
anyone@
bsd
bugs@
cafee
certific
contract@
f-secur
feste
free-av
gold-certs@
google
help@
icrosoft
info@
kasp
linux
listserv
local
news
nobody@
noone@
noreply
ntivi
panda
pgp
postmaster@
rating@
root@
samples
sopho
spam
support
unix
update
winrar
winzip
- Performing Denial of Service (DoS) attacks.
- Composing and sending e-mail to addresses that may be supplied via the peer-to-peer network. This function can be used to send spam or to distribute additional malicious threats.
- Downloading and executing arbitrary files, including files with which to update itself.
Prevention