W32/Kibik.a

Type: Virus
SubType: Win32
Discovery Date: 11/09/2006
Length: Varies
Minimum DAT: 4892 (11/09/2006)
Updated DAT: 4894 (11/13/2006)
Minimum Engine: 5.1.00
Description Added: 11/09/2006
Description Modified: 11/15/2006 7:46 AM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Characteristics

The W32/Kibik.a detection covers rogue copies of explorer.exe that are patched by W32/Kibik.dr. This virus was most recently caught spreading in the wild through a malicious website hosting Exploit-XMLCoreSrvcs.

Once explorer.exe is restarted or the system is rebooted, the rogue explorer.exe (W32/Kibik.a) is loaded into memory. When run, W32/Kibik.a loads and injects a thread from W32/Kibik.dll into the following running processes where available:

  • explorer.exe
  • iexplorer.exe
  • firefox.exe
  • opera.exe
  • avp.exe

These processes are chosen because they typically already have permission to access the Internet; injecting into them is an attempt to bypass desktop firewall policies.

W32/Kibik.dll performs a search on Google Blog Search using a hardcoded unique string. At the time of writing this search request returns no results on Google, but it could be used at a later time to retrieve additional instructions or malware. Unlike Google Search, Google Blog Search links more specifically to blog sites via RSS or Atom feeds.

It also contacts a CGI script hosted on the following domain:

  • digiwexonline.com

At the time of writing, this website is not responding with data. It may also have been used to simply track the locations and number of infections.

Symptoms

Presence of one or more of the following file(s):

  • %Windir%\i386\explorer.exe
  • %Windir%\i386\explorer.ex_ (Cabinet archive)
  • %Windir%\eee.tmp
  • %Windir%\System32\dllcache\eee.tmp
  • %Windir%\System32\PEw7.wsc (containing a URL)
  • %Windir%\System32\(random).dll

(Typically, the i386 folder resides on the drive/media where Windows was installed from, e.g. D:\I386. It may also be a folder predetermined by the administrator on a local disk)

Modifications of the following file(s):

  • %Windir%\explorer.exe
  • %Windir%\System32\dllcache\explorer.exe
  • %Windir%\LastGood\explorer.exe

(Because W32/Kibik.dr writes its code into available unused space within the explorer.exe file, there is no difference in file size between the original and modified versions. The hash values of these files will differ, however.)

Unexpected HTTP connections to the following URL(s):

  • http://(hidden).digiwexonline.com/(hidden)
  • http://www.google.com/blogsearch?hl=en&q=(hidden)

Modification of the following Windows registry key(s):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\"SourcePath" = "%Windir%"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\"ServicePackSourcePath" = "%Windir%"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\"SourcePath" = "%Windir%\i386"

These keys ensure that the rogue explorer.exe is "recovered" from the predetermined locations whenever %Windir%\explorer.exe is overwritten or deleted: Windows File Protection restores system files from the configured source path, which now points at the patched copy instead of the original installation media.

(Where %Windir% refers to the Windows folder, e.g. C:\Windows)
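As an added example (not part of the McAfee advisory), the following PowerShell script checks a Windows host for the symptoms listed in this section: the dropped files, the three explorer.exe copies (compared by hash, since the patch does not change file size), and the redirected Setup source paths. The variable names and the SHA-256/Authenticode checks are my own choices; every path and registry value comes from the advisory.

```powershell
# Added example, not part of the McAfee advisory: check a Windows host for the
# W32/Kibik.a symptoms listed above (dropped files, patched explorer.exe copies,
# redirected Setup source paths). Run from an elevated PowerShell prompt.
# Variable names are my own; every path and registry value comes from the advisory.

$windir = $env:WINDIR
$findings = @()

# 1. Files whose presence is a symptom.
$droppedFiles = @(
    "$windir\i386\explorer.exe",
    "$windir\i386\explorer.ex_",
    "$windir\eee.tmp",
    "$windir\System32\dllcache\eee.tmp",
    "$windir\System32\PEw7.wsc"
)
foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f) {
        $findings += "Dropped file present: $f"
        if ($f -like '*.wsc') {
            # The advisory says this file holds a URL; keep it for the incident record.
            $findings += "  contents: " + (Get-Content -LiteralPath $f -Raw).Trim()
        }
    }
}

# 2. explorer.exe copies that W32/Kibik.dr patches in place. The patch lands in
#    unused space, so file size is unchanged; only a hash comparison shows the change.
$explorerCopies = @(
    "$windir\explorer.exe",
    "$windir\System32\dllcache\explorer.exe",
    "$windir\LastGood\explorer.exe"
)
$hashes = @{}
foreach ($p in $explorerCopies) {
    if (Test-Path -LiteralPath $p) {
        $hashes[$p] = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
    }
}
if (@($hashes.Values | Sort-Object -Unique).Count -gt 1) {
    $findings += "explorer.exe copies differ by hash (expected when one has been patched):"
    foreach ($k in $hashes.Keys) { $findings += "  $($hashes[$k])  $k" }
}
# A patched system binary also fails Microsoft's Authenticode/catalog check.
$sig = Get-AuthenticodeSignature -FilePath "$windir\explorer.exe"
if ($sig.Status -ne 'Valid') {
    $findings += "$windir\explorer.exe signature status: $($sig.Status)"
}

# 3. Registry values that point file recovery at the rogue copy instead of the
#    original installation media.
$registryChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup'; Name = 'SourcePath';            Bad = $windir },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup'; Name = 'ServicePackSourcePath'; Bad = $windir },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion';    Name = 'SourcePath';            Bad = "$windir\i386" }
)
foreach ($r in $registryChecks) {
    $item = Get-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $value = [string]$item.($r.Name)
        if ($value.TrimEnd('\') -ieq $r.Bad.TrimEnd('\')) {
            $findings += "Registry $($r.Path)\$($r.Name) = '$value' (redirected to a local path)"
        }
    }
}

# 4. Report. A non-zero exit code lets a management tool collect the result.
if ($findings.Count -eq 0) {
    Write-Output "No W32/Kibik.a symptoms found on this host."
    exit 0
}
$findings | ForEach-Object { Write-Output $_ }
exit 1
```

Get-FileHash and Get-Content -Raw need a PowerShell version newer than what shipped with the Windows XP hosts of the advisory's era, so on such a system run the checks from a later Windows installation with the suspect volume mounted (adjusting $windir accordingly). The hash comparison is the decisive test: because the patch fills unused space, comparing file sizes will not reveal it.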

Method of Infection

This virus was most recently installed in the wild through a malicious website hosting Exploit-XMLCoreSrvcs. The exploit downloads a copy of W32/Kibik.dr, which patches local copies of explorer.exe so that they become W32/Kibik.a.

W32/Kibik.dr may also be propagated via other means, such as spammed e-mail or document exploits.

Removal

Use current engine and DAT files for detection and removal.

To repair the infected EXPLORER.EXE system file while it is running in memory, restart Windows into "Safe Mode with Command Prompt" and scan with the command-line scanner, for example:

"SCAN.EXE C: /CLEAN /ALL"

Additional Windows ME/XP removal considerations

System configurations overwritten by W32/Kibik (including the Setup source path registry values listed under Symptoms) should be manually restored to their original state.

Variants

N/A