TROJ_TIBS.BWD
Windows 2000, XP, Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted: Yes
In the wild: Yes
TECHNICAL DETAILS
Installation
This Trojan drops the following copies of itself into the affected system:
- %System%\YUR1.exe
- %System Root%\x
- %System%\YUR3.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
Autostart Technique
This Trojan adds the following registry entries to enable its automatic execution at every system startup:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  \\YUR1.exe = "%System%\YUR1.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  \\YUR1.exe = "%System%\YUR1.exe"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  \\YUR3.exe = "%System%\YUR3.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  \\YUR3.exe = "%System%\YUR3.exe"
Dropping Routine
This Trojan drops the following files:
- %Desktop%\BEST BDSM PORN.url
- %Desktop%\GAY FETISH SEX.url
(Note: %Desktop% is the current user's desktop, which is usually C:\Windows\Profiles\{user name}\Desktop on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Desktop on Windows NT, and C:\Documents and Settings\{User Name}\Desktop on Windows 2000, XP, and Server 2003.)