Threat behavior
Trojan:WinNT/Tibs.gen!A is a generic detection for drivers used by multiple pieces of malware affiliated with the 'Tibs' malware distribution network. WinNT/Tibs malware uses rootkit methods to hide its presence on an infected computer.
Installation
Trojan:WinNT/Tibs.gen!A is installed by other malware such as Win32/Nuwar, Win32/Vxidl or Win32/Renos. This component may be present as a kernel-mode driver having file names such as the following:
Sfloppy.sys
TDSServ.sys
noskrnl.sys
Detection of this driver indicates further infection by the Win32/Nuwar, Win32/Vxidl and/or Win32/Renos malware families.
Tibs.gen!A can also hide files and registry keys that may be related to other malware components, so that they avoid detection.
Additional Information
For more information about Win32/Nuwar or Win32/Renos, please view our descriptions elsewhere in the encyclopedia.
Analysis by Andrei Florin Saygo
Prevention