[virusinfo] Troj/HideDial-E

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Mon, 28 Mar 2005 10:24:10 -0800

From: Sophos Alert System:

Name: Troj/HideDial-E
Aliases: Generic BackDoor.o, Trojan-Downloader.Win32.Tibser.c,
Trojan.Downloader.Tibser-3
Type: Trojan
Date: 28 March 2005

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the May 2005 (3.93) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.

At the time of writing, Sophos has received a small number of
reports of this Trojan from the wild.


Note: The IDE file issued for Troj/HideDial-E on 28 March at
16:00 GMT also contained detection for Troj/Riler-F,
Troj/Pisaboy-A, Troj/Exemas-A, Troj/Skulls-F, Troj/Locknut-B,
XM97/Yini-A and Troj/Agent-CS. This IDE has now been updated to
enhance detection of Troj/Agent-CS.

Information about Troj/HideDial-E can be found at:
http://www.sophos.com/virusinfo/analyses/trojhidediale.html

Troj/HideDial-E is a dialler-related Trojan.
Troj/HideDial-E drops and runs a dialler (detected by Sophos as Dial/Tibsys-A)
which attempts to connect to a premium-rate phone number for pornographic
material. The Trojan runs in the background and attempts to conceal the dialler
application by hiding windows that the dialler would usually display.
Troj/HideDial-E copies itself to the Windows system folder as TIBS3.EXE and
creates the following registry entry in order to run itself on system logon or
startup:

  HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  tibs3
  <Windows system>\tibs3.exe

The dialler is dropped in the Windows system folder as _T.EXE.
The Trojan may also create or alter registry entries in the following location:

  HKCU\Software\WebSiteViewer

The Trojan may drop and run a file TIBS3.BAT to delete the original file after
it is copied to and executed within the Windows system folder.

This IDE file also includes detection for:

Troj/Riler-F
http://www.sophos.com/virusinfo/analyses/trojrilerf.html
Troj/Pisaboy-A
http://www.sophos.com/virusinfo/analyses/trojpisaboya.html
Troj/Exemas-A
http://www.sophos.com/virusinfo/analyses/trojexemasa.html
Troj/Skulls-F
http://www.sophos.com/virusinfo/analyses/trojskullsf.html
Troj/Locknut-B
http://www.sophos.com/virusinfo/analyses/trojlocknutb.html
XM97/Yini-A
http://www.sophos.com/virusinfo/analyses/xm97yinia.html
Troj/Agent-CS
http://www.sophos.com/virusinfo/analyses/trojagentcs.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/hidedi-e.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE"S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
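An added example (not part of Mike's post or Sophos' advisory) that turns the persistence and file indicators listed in the Sophos description into a host check: the Run value "tibs3" pointing at tibs3.exe, the dropped files TIBS3.EXE, _T.EXE and TIBS3.BAT in the system folder, and the HKCU\Software\WebSiteViewer key. The matching logic is a pure function so it can be exercised offline on a constructed snapshot; snapshot_windows() is a hypothetical helper that gathers the same inputs from a live Windows host.

```python
import os
import ntpath  # handles backslash paths on any platform

# Indicators exactly as listed in the Sophos description above.
RUN_VALUE_NAME = "tibs3"                      # value name under HKLM\...\Run
RUN_TARGET = "tibs3.exe"                      # data: <Windows system>\tibs3.exe
DROPPED_FILES = ("tibs3.exe", "_t.exe", "tibs3.bat")
HKCU_SUBKEY = r"Software\WebSiteViewer"

def assess(run_values, system_files, hkcu_subkeys):
    """Match a host snapshot against the advisory's indicators.

    run_values:   {value_name: data} from HKLM\\...\\CurrentVersion\\Run
    system_files: names of files in the Windows system folder
    hkcu_subkeys: subkey paths known to exist directly under HKCU
    Returns a list of human-readable findings (empty list = no match).
    """
    findings = []
    for name, data in run_values.items():
        target = ntpath.basename(str(data).strip('"').lower())
        if name.lower() == RUN_VALUE_NAME or target == RUN_TARGET:
            findings.append(f"Run value {name}={data}")
    present = {f.lower() for f in system_files}
    for dropped in DROPPED_FILES:
        if dropped in present:
            findings.append(f"dropped file {dropped} in system folder")
    if any(k.lower() == HKCU_SUBKEY.lower() for k in hkcu_subkeys):
        findings.append(f"registry key HKCU\\{HKCU_SUBKEY} present")
    return findings

def snapshot_windows():
    """Hypothetical collector for a live Windows host (winreg is Windows-only)."""
    import winreg
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        for i in range(winreg.QueryInfoKey(key)[1]):   # [1] = number of values
            name, data, _ = winreg.EnumValue(key, i)
            run_values[name] = data
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_CURRENT_USER, HKCU_SUBKEY))
        hkcu_subkeys = [HKCU_SUBKEY]
    except OSError:
        hkcu_subkeys = []
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    return run_values, os.listdir(system_dir), hkcu_subkeys

if __name__ == "__main__":
    for line in assess(*snapshot_windows()) or ["no Troj/HideDial-E indicators found"]:
        print(line)
```

A Run value named "tibs3" or any Run value whose target is tibs3.exe is reported, so a renamed value still matches; the constructed sample below shows both a positive and a clean host.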