[INFO]
AnalystName=Chandra Mohan. G
AnalystEMailID=gmohan@comodo.com
Team=India
Date=18-JAN-2010
Type=TrojWare
Platform=Win32
SubType=PornDownloader
Family=TibSystems
Variant=A

[OVERVIEW]
This is a WebSiteViewer program, also known as a porn dialer or TIB Browser.

[TECHNICAL_DESCRIPTION]
Registry Values Added:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TIBS Loader = %SYSDIR%\%six digit random number%.exe
HKEY_CURRENT_USER\Software\WebSiteViewer\Settings
HKEY_CURRENT_USER\Software\WebSiteViewer\Settings\lc = "9"
HKEY_CURRENT_USER\Software\WebSiteViewer\Settings\lang = ""

Obtains the Internet Explorer version by querying the "version" value under the "HKLM\Software\Microsoft\Internet Explorer" key, then assigns values for the following:
prog = ldr (loader)
ver = 4.000 (loader version)
code = 10 (default)
info = 0 (default)
aid = %six digit random number%
skid = 1 (default)
langid = ""
winver = %Windows and IE version as obtained above%
ci = 1-52 (default)

Files Added:
%SYSDIR%\%six digit random number%.exe (copy of itself)
%six digit random number%.dlr
%six digit random number%.dd
%six digit random number%.ban
%six digit random number%.ico

Folder Added:
"%SystemDrive%\Program Files\WebSiteViewer"

Registers a window class named "tdlwin" and creates a window with the following title:
"Please wait while we prepare the plugin"

Creates a .lnk file in the %ALLUSERSPROFILE%\Desktop directory, as follows:
%ALLUSERSPROFILE%\Desktop\TIBS Loader.lnk

Builds the following URL from the obtained values and opens it in Internet Explorer:
http://www.dialeradmin.com/cgi-bin/err4.cgi?prog=ldr&ver=4.000&code=10&info=0&aid=125236&skid=&langid=&winver=Windows+NT+5.1;2600;6.0.2600.0000&ci=1-52

[SYMPTOMS]
Display of a window with the title "Please wait while we prepare the plugin"
A directory named "WebSiteViewer" exists in "%SystemDrive%\Program Files"
Presence of the "WebSiteViewer\Settings" registry key under "HKEY_CURRENT_USER\Software"
Network traffic to "www.dialeradmin.com" and "download.tibsystems.com"

[DISINFECTION]
Delete the folder %SystemDrive%\Program Files\WebSiteViewer.
Remove the "TIBS Loader" value from the registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".
Remove the registry key "HKEY_CURRENT_USER\Software\WebSiteViewer".
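As an added host check that is not part of the original report, the following PowerShell looks for the indicators listed above (the Run value, the HKCU settings key, the dropped folder, the all-users shortcut, the window title and six-digit-named files). The function name is mine, and the assumption that the .dlr/.dd/.ban/.ico files sit in %SYSDIR% next to the .exe copy is also mine; the report only places the .exe there.

```powershell
# Added example: checks a Windows host for the TibSystems / WebSiteViewer indicators
# from the report above. Only the current user's HKCU hive is inspected.
function Test-TibsLoaderIndicators {
    $findings = @()

    # Autorun value: HKLM\...\Run\TIBS Loader = %SYSDIR%\<six digits>.exe
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'TIBS Loader' -ErrorAction SilentlyContinue
    if ($run) { $findings += "Run value 'TIBS Loader' -> $($run.'TIBS Loader')" }

    # Settings key written under HKCU (lc and lang values)
    $settings = 'HKCU:\Software\WebSiteViewer\Settings'
    if (Test-Path $settings) {
        $p = Get-ItemProperty -Path $settings
        $findings += "Registry key $settings present (lc=$($p.lc), lang=$($p.lang))"
    }

    # Dropped folder under Program Files
    $folder = Join-Path $env:SystemDrive 'Program Files\WebSiteViewer'
    if (Test-Path $folder) { $findings += "Folder $folder present" }

    # All-users desktop shortcut
    $lnk = Join-Path $env:ALLUSERSPROFILE 'Desktop\TIBS Loader.lnk'
    if (Test-Path $lnk) { $findings += "Shortcut $lnk present" }

    # Visible "please wait" window created by the loader
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.MainWindowTitle -eq 'Please wait while we prepare the plugin' } |
        ForEach-Object { $findings += "Window title match in PID $($_.Id) ($($_.ProcessName))" }

    # Six-digit-named artefacts in the system directory. Assumption (mine): the
    # .dlr/.dd/.ban/.ico companions live beside the .exe copy. A six-digit .exe
    # alone can be a false positive, so treat this as corroborating evidence only.
    $pattern = '^\d{6}\.(exe|dlr|dd|ban|ico)$'
    Get-ChildItem -Path ([Environment]::SystemDirectory) -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $pattern } |
        ForEach-Object { $findings += "Six-digit artefact $($_.FullName)" }

    return $findings
}

$result = Test-TibsLoaderIndicators
if ($result.Count -eq 0) { 'No TibSystems indicators found.' } else { $result }
```

Run it in an elevated session so the HKLM Run key and the system directory are readable; the network symptoms (traffic to www.dialeradmin.com and download.tibsystems.com) are better checked at the proxy or DNS logs than on the host.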