Content

W32/Kibik.dr

Type
Virus
SubType
Dropper
Discovery Date
11/09/2006
Length
27,136 bytes
Minimum DAT
4892 (11/09/2006)
Updated DAT
5193 (12/26/2007)
Minimum Engine
5.1.00
Description Added
11/09/2006
Description Modified
11/15/2006 7:42 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low


Characteristics

The W32/Kibik.dr detection covers a virus that overwrites explorer.exe, injects a DLL file into system processes and stays memory resident. This virus was most recently seen in the wild being installed through a 0-day vulnerability, the exploit for which is detected as Exploit-XMLCoreSrvcs.

Upon execution, W32/Kibik.dr patches the existing copies of Windows Explorer application typically residing at:

  • %Windir%\explorer.exe
  • %Windir%\System32\dllcache\explorer.exe
  • %Windir%\LastGood\explorer.exe

It may also create additional copies of modified explorer.exe at:

  • %Windir%\i386\explorer.exe
  • %Windir%\i386\explorer.ex_ (Cabinet archive)

Patched copies of explorer.exe can be detected as W32/Kibik.a.

Copies of the original explorer.exe are then stored at:

  • %Windir%\eee.tmp
  • %Windir%\System32\dllcache\eee.tmp

Because W32/Kibik.dr writes its code into unused (slack) space already present inside the explorer.exe file, the patched copy has exactly the same file size as the original. File size therefore cannot be used to tell the two apart; compare the file contents or their hashes instead.
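The size caveat above matters for triage: a check that only compares the size of explorer.exe against the saved original in eee.tmp will miss the patch. The following script is an added example (it is not McAfee/AVERT code and not part of this description). It simulates the slack-space patch on a constructed fake image to show that the length is unchanged, then compares the explorer.exe copies and eee.tmp backups at the paths listed in this description by SHA-256 rather than by size. The image bytes, the payload string and `build_sample` are constructed for illustration only; `load_from_windir` reads the real paths when run against a suspect host or a mounted image.

```python
import hashlib
import os

# Paths named in the description, relative to %Windir%
EXPLORER_COPIES = [
    "explorer.exe",
    os.path.join("System32", "dllcache", "explorer.exe"),
    os.path.join("LastGood", "explorer.exe"),
    os.path.join("i386", "explorer.exe"),
]
BACKUP_COPIES = [
    "eee.tmp",
    os.path.join("System32", "dllcache", "eee.tmp"),
]


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def patch_slack_space(image, payload):
    """Simulate the dropper's in-place patch: overwrite the first run of NUL
    padding large enough to hold the payload. The output has the same length
    as the input, which is why a size comparison cannot detect the change."""
    slack = b"\x00" * len(payload)
    idx = image.find(slack)
    if idx < 0:
        raise ValueError("no slack region large enough for payload")
    return image[:idx] + payload + image[idx + len(payload):]


def triage(files):
    """files: dict mapping %Windir%-relative path -> file contents (bytes).
    Returns (verdict, findings); verdict is "suspicious" or "clean"."""
    findings = []
    # 1. The backups the dropper leaves behind are themselves an indicator,
    #    and the backup should match the live copy on a healthy system.
    for backup in BACKUP_COPIES:
        if backup not in files:
            continue
        findings.append("backup copy present: %s" % backup)
        target = os.path.join(os.path.dirname(backup), "explorer.exe")
        if target not in files:
            continue
        same_size = len(files[backup]) == len(files[target])
        same_hash = sha256(files[backup]) == sha256(files[target])
        if same_size and not same_hash:
            findings.append("%s differs from %s in content but not in size: "
                            "patched in slack space" % (target, backup))
    # 2. Every explorer.exe copy should hash identically on a healthy system.
    groups = {}
    for path in EXPLORER_COPIES:
        if path in files:
            groups.setdefault(sha256(files[path]), []).append(path)
    if len(groups) > 1:
        findings.append("explorer.exe copies disagree: %s" % sorted(groups.values()))
    verdict = "suspicious" if findings else "clean"
    return verdict, findings


def load_from_windir(windir):
    """Read the real files from a suspect host or a mounted disk image."""
    files = {}
    for rel in EXPLORER_COPIES + BACKUP_COPIES:
        full = os.path.join(windir, rel)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                files[rel] = fh.read()
    return files


def build_sample():
    """Constructed stand-in for an infected %Windir%: a fake image containing
    a NUL-padded region, patched the way the description says, plus the
    backups the dropper writes. These are not real explorer.exe or Kibik bytes."""
    original = b"MZ" + b"\x90" * 200 + b"\x00" * 512 + b"\xc3" * 100
    patched = patch_slack_space(original, b"<constructed payload>")
    return {
        "explorer.exe": patched,
        os.path.join("System32", "dllcache", "explorer.exe"): patched,
        "eee.tmp": original,
        os.path.join("System32", "dllcache", "eee.tmp"): original,
    }


if __name__ == "__main__":
    verdict, findings = triage(build_sample())
    print(verdict)
    for line in findings:
        print(" -", line)
```

On a real system, replace `build_sample()` with `load_from_windir(r"C:\Windows")` (or the mount point of an offline image). The hash of eee.tmp can additionally be checked against a known-good explorer.exe hash for the installed service pack, which the constructed sample cannot demonstrate.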

It also picks an existing DLL file at random, makes a copy of it, and overwrites the code at the copy's original entry point with W32/Kibik.dll. This file is then installed as:

  • %Windir%\System32\(random).dll

Once explorer.exe is restarted or the system is rebooted, the rogue explorer.exe (W32/Kibik.a) is executed into memory.

Details of W32/Kibik.a and W32/Kibik.dll are available at:


Symptoms

Symptoms of W32/Kibik are covered in detail at:


Method of Infection

This virus was most recently installed in the wild through a malicious website hosting Exploit-XMLCoreSrvcs. The exploit downloads a copy of W32/Kibik.dr, which patches the local copies of explorer.exe so that they become W32/Kibik.a.

W32/Kibik.dr may also be propagated via other means, such as spammed e-mail or document exploits.


Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned when that combination is in use.

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A
