Old March 8th, 2005
sammi
Speak of the Devil...

Here I am, bravely going forth to complete my task (see what happens when you download a trial program from a reputable site like downloads.com, only to find that when you try and use it, the only thing it will say is "trial period expired"?)

Anyway, I was also hoping to run into that nasty rar again *combative look*

I look to my results, and find PC Surgeon Crack, an exe, 263kb. However, it contains a lovely little worm called W32.Tibick.

From Symantec:
W32.Tibick is a worm that propagates through file-sharing networks. This worm also connects to an IRC channel and listens for messages from the attacker.

Also Known As: Worm.P2P.Tibick [Kaspersky]

Type: Worm
Infection Length: 12,820, varies
When W32.Tibick executes, it does the following:

Copies itself as %System%\svcnet.exe.

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Adds the value:

"System Restore" = "svcnet.exe" to one of these registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when you start Windows.

Creates a folder named %Windir%\msview and copies itself as multiple file names (here they name all sorts of files one might find at a file sharing site).
Modifies the settings of various file-sharing applications, if present, to use the newly created folder as the default sharing folder. This applies to the following applications:

Kazaa
iMesh
Morpheus
wareo
eMule
DC++
The worm may also update itself when a new version is available.

This seemed familiar, so I looked at my incomplete dl's - it was the file responsible for the W32.Tibick I mentioned in my 1st posting! Here it is, just lurking & waiting for another victim!

I blocked the sender, 208.191.143.130. In 2 days' time, even the densest of people would have noticed the changes (mentioned above) in their system. Several of the anti-malware, antivirus pgms I used were free ones on the web. There really is no excuse for ignorance in this matter!

I don't understand deliberate, casual cruelty, especially to those who you have never even met. Is there any other way a worm-bearing file could still be around 2 days later, unless it's deliberate?
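A read-only check for the persistence indicators the Symantec write-up above lists (the "System Restore" Run value, %System%\svcnet.exe and %Windir%\msview). This is an added example, not code from the post or from Symantec; it assumes a modern PowerShell where the HKLM:/HKCU: drives and [Environment]::GetFolderPath are available, and it only reports, it removes nothing.

```powershell
# Added example: looks for the W32.Tibick indicators quoted in the post.
# Read-only; prints findings so they can be confirmed with an AV scanner.
$runKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$findings = @()

# 1. Run-key persistence: value named "System Restore" pointing at svcnet.exe
foreach ($key in $runKeys) {
  if (Test-Path $key) {
    $item  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $value = $item.PSObject.Properties['System Restore']
    if ($value -and ($value.Value -match 'svcnet\.exe')) {
      $findings += "Run value in $key : 'System Restore' = '$($value.Value)'"
    }
  }
}

# 2. Dropped copy in %System% and the shared-folder bait directory in %Windir%
$systemDir = [Environment]::GetFolderPath('System')   # %System%
$winDir    = $env:SystemRoot                          # %Windir%
$paths = @(
  (Join-Path $systemDir 'svcnet.exe'),
  (Join-Path $winDir    'msview')
)
foreach ($p in $paths) {
  if (Test-Path $p) {
    $findings += "Path present: $p"
    if ((Get-Item $p).PSIsContainer) {
      # The worm fills msview with many copies of itself under bait names
      $count = (Get-ChildItem -Path $p -File -ErrorAction SilentlyContinue).Count
      $findings += "  $count file(s) inside $p"
    }
  }
}

if ($findings.Count -eq 0) {
  Write-Output 'No W32.Tibick indicators found.'
} else {
  $findings | ForEach-Object { Write-Output "INDICATOR: $_" }
}
```

A hit on the Run value alone is the strongest signal, since a legitimate System Restore never registers itself under that name in the Run key.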