W32/Tibs.KA!tr
Analysis
- Copies itself to the System folder as kernels88.exe.
Autostart Mechanism
- Creates the following registry entry (the bracketed name stands for the Windows system folder):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System = "[System folder]\kernels88.exe"
Other Behavior
- Connects to the web site http://traf{REMOVED}.biz/ and sends information such as the following:
- location
- processor type
- operating system version
- Connects to the URL http://207.{REMOVED}/SF/QgaHo26bYGF6678TGUu, downloads several files and saves them as the following (the bracketed name stands for the user's temporary folder):
- [Temporary folder]\1.dllb
- [Temporary folder]\2.dllb
- [Temporary folder]\3.dllb
- [Temporary folder]\4.dllb
- [Temporary folder]\5.dllb
- [Temporary folder]\6.dllb
- [Temporary folder]\7.dllb
- [Temporary folder]\h91746.exe
- [Temporary folder]\maxdd1.game
- C:\WINDOWS\System32\dlh9jkd1q1.exe
- C:\WINDOWS\System32\dlh9jkd1q2.exe
- C:\WINDOWS\System32\dlh9jkd1q5.exe
- C:\WINDOWS\System32\dlh9jkd1q6.exe
- C:\WINDOWS\System32\dlh9jkd1q7.exe
- C:\WINDOWS\System32\dlh9jkd1q8.exe
- C:\WINDOWS\system32\kdhzkcj.dll
- C:\WINDOWS\system32\kernels1118.exe
- C:\WINDOWS\system32\maxd641.exe
- C:\WINDOWS\system32\ozgdeik.dll
- C:\WINDOWS\System32\vx.tll
- Creates the following registry entries:
HKEY_CLASSES_ROOT\CLSID\{2E06C924-D29E-75F5-511D-06561F708165}
HKEY_CURRENT_USER\Software\AdwareDisableKey4
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr = dword:00000001
HKEY_LOCAL_MACHINE\SOFTWARE\AdwareDisableKey4
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2E06C924-D29E-75F5-511D-06561F708165}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2E06C924-D29E-75F5-511D-06561F708165}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System = "C:\WINDOWS\System32\kernels1118.exe"
ozgdeik.dll = "C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\User\Local Settings\Application Data\ozgdeik.dll",zlcahvb"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
PendingFileRenameOperations = "\??\[Temporary folder]\h91746.exe "
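The registry indicators listed above (the Run-key values, the DisableTaskMgr policy, the Browser Helper Object CLSID, the AdwareDisableKey4 marker keys and the PendingFileRenameOperations entry) can be checked offline against a registry export taken from a suspect host. The script below is an added example and is not part of this Fortinet entry: it parses a minimal subset of the .reg export format (key headers, string, dword and hex(7) REG_MULTI_SZ values) and reports entries that match the indicators on this page, and it also matches a file listing against the dropped file names. The registry export embedded in it is constructed for illustration, and the temporary-folder path C:\Temp in it is an assumption (the page gives only a temporary-folder placeholder).

```python
import re
from typing import Dict, List

# Indicators taken from the analysis above; nothing beyond what the page lists.
BHO_CLSID = "{2E06C924-D29E-75F5-511D-06561F708165}"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
SESSION_MGR_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"

# File names the sample drops (kernels88.exe / kernels1118.exe, dlh9jkd1q*.exe, N.dllb ...).
# The name must follow a backslash and end there, so kernel32.dll does not match.
DROPPED_FILE_RE = re.compile(
    r"\\(?:kernels\d+\.exe|dlh9jkd1q\d\.exe|maxd641\.exe|h91746\.exe|"
    r"kdhzkcj\.dll|ozgdeik\.dll|vx\.tll|maxdd1\.game|\d\.dllb)(?![\w.])",
    re.IGNORECASE,
)


def _multi_sz_hex(values: List[str]) -> str:
    """Encode strings the way regedit exports REG_MULTI_SZ: hex(7): UTF-16LE bytes."""
    data = ("\0".join(values) + "\0\0").encode("utf-16-le")
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


# Constructed sample export: the entries from the analysis plus one benign Run value.
# C:\Temp stands in for the temporary folder and is an assumption, not from the page.
SAMPLE_REG_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"',
    r'"System"="C:\\WINDOWS\\System32\\kernels1118.exe"',
    r'"ozgdeik.dll"="C:\\WINDOWS\\System32\\rundll32.exe \"C:\\Documents and Settings\\User\\Local Settings\\Application Data\\ozgdeik.dll\",zlcahvb"',
    "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]",
    r'"DisableTaskMgr"=dword:00000001',
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2E06C924-D29E-75F5-511D-06561F708165}]",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\AdwareDisableKey4]",
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]",
    '"PendingFileRenameOperations"=' + _multi_sz_hex([r"\??\C:\Temp\h91746.exe"]),
])


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse [key] headers plus "name"="string", "name"=dword:.. and "name"=hex(7):.. lines."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})  # record keys even when they hold no values
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or current is None:
            continue
        name, rhs = m.group(1), m.group(2)
        if rhs.startswith("dword:"):
            value: object = int(rhs[6:], 16)
        elif rhs.startswith("hex(7):"):
            data = bytes.fromhex(rhs[7:].replace(",", ""))
            value = [s for s in data.decode("utf-16-le").split("\0") if s]
        elif rhs.startswith('"') and rhs.endswith('"'):
            value = re.sub(r"\\(.)", r"\1", rhs[1:-1])  # undo \\ and \" escaping
        else:
            value = rhs
        keys[current][name] = value
    return keys


def scan_registry(keys: Dict[str, Dict[str, object]]) -> List[str]:
    """Return one finding per indicator from the analysis that is present in the export."""
    findings = []
    for name, value in keys.get(RUN_KEY, {}).items():
        if isinstance(value, str) and DROPPED_FILE_RE.search(value):
            findings.append(f"autostart: Run\\{name} = {value}")
    if keys.get(POLICY_KEY, {}).get("DisableTaskMgr") == 1:
        findings.append("tampering: DisableTaskMgr=1 under HKCU Policies\\System")
    for key in keys:
        if BHO_CLSID.lower() in key.lower():
            findings.append(f"bho/clsid: {key}")
        elif key.lower().endswith("\\adwaredisablekey4"):
            findings.append(f"marker key: {key}")
    pending = keys.get(SESSION_MGR_KEY, {}).get("PendingFileRenameOperations", [])
    if isinstance(pending, list):
        for entry in pending:
            if DROPPED_FILE_RE.search(entry):
                findings.append(f"pending rename/delete at reboot: {entry}")
    return findings


def scan_paths(paths: List[str]) -> List[str]:
    """Filter a file listing down to paths whose file name matches a dropped file."""
    return [p for p in paths if DROPPED_FILE_RE.search(p)]


if __name__ == "__main__":
    for finding in scan_registry(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

Run it against a real export with `reg export HKLM hklm.reg` and `reg export HKCU hkcu.reg` and feed both files to parse_reg_export; regedit wraps long hex(7) lines with a trailing backslash, so join those continuation lines before parsing a real export.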
Recommended Action
FortiGate Systems
- Check the main screen of the FortiGate web interface to confirm that the latest AV/NIDS database has been downloaded and installed on your unit; if required, enable the "Allow Push Update" option.
Detection Availability
Product | Database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |