Trojan.Tibs.E

( TR/Tibs.E, Troj/DwnLdr-CBY, Trj/Gagar.I, TROJ_GALAPOPER.A, Downloader-ZQ )

SYMPTOMS:

• Unrecognized processes running in the background and requesting internet access (observable if a personal firewall is installed). Some processes that can be found on an infected machine are: ipor.raw.exe, taskdir~.exe (these are just examples and can change because the trojan contains an update feature)
• Presence of the files svcp.csv and / or winsub.xml in the system directory
  

TECHNICAL DESCRIPTION:

This is a downloader trojan. Upon startup it checks if it's already running using a mutex named "gagagaradio". If it's already running, it exists. Otherwise it contacts downloads an encrypted file from http://81.177.[[removed]]/cntrl.php?[[removed]]. This encrypted file contains the links to other files which will be downloaded and executet. Currently this trojan downloads two files identified as Trojan.Agent.ON and Trojan.Proxy.Lager.BI, however this can change if the configuration on the remote server is changed. The trojan attempts to contact the computer with IP address 208.36.123.14 on port 25.

Removal instructions:

Please let BitDefender delete your files.

ANALYZED BY:

Attila Balazs, virus researcher