W32/Kibik.b

Type
Virus
SubType
Win32
Discovery Date
12/26/2007
Length
410,112 bytes
Minimum DAT
5193 (12/26/2007)
Updated DAT
5193 (12/26/2007)
Minimum Engine
5.1.00
Description Added
12/26/2007
Description Modified
12/27/2007 9:53 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

W32/Kibik.b is a parasitic virus which installs a backdoor proxy.

Parasitic code is injected into %SYSTEMDIR%\Winlogon.exe, but the original file size is preserved, so a size comparison alone will not reveal the infection. The virus saves a copy of the original file as %SYSTEMDIR%\Winlogon.bak. The virus body is written into unused, zero-filled (null) space inside the Winlogon.exe image, and the executable's original entry point is then modified to point to this virus code.

The following files are also created by the virus:

  • %SYSTEMDIR%\FaxMessage.dll
  • %SYSTEMDIR%\Msip32.dll

On every reboot, the virus code in the modified Winlogon.exe loads the above DLLs, which contain the backdoor proxy, and attempts to connect to the following URL, passing the affected machine's MAC address as a parameter:

  • http://swf1.flashxyx.com/[removed].aspx?mac=[MAC ADDRESS]

(where %SYSTEMDIR% is the Windows system directory e.g. C:\Windows\system32)

At the time of writing, the above-mentioned URL is not accessible.
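Because the infected Winlogon.exe keeps its original size, the useful integrity check is structural: does the PE entry point still land inside the section's real code, and is the alignment padding after each section still zero-filled? The following is an added example, not part of the original AVERT description and not the virus's own code. It builds two constructed, minimal PE32 images (a clean one and one where a placeholder blob has been written into the zero padding of .text and the entry point repointed at it, mimicking the null-space injection described above) and audits both. The sample code bytes, section layout and finding strings are assumptions chosen for illustration; the header offsets are the standard PE32 layout.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
FILE_ALIGN = 0x200
SECT_ALIGN = 0x1000

# Constructed sample bytes (not real Winlogon.exe code, not virus code).
CODE = b"\x55\x8b\xec" + b"\x90" * 61          # 64 bytes of "legitimate" .text
CAVE = b"\x60\xe8\x01\x01\x01\x01\x5d\x61\xe9\xbb\xff\xff\xff"  # placeholder blob


def build_sample_pe(code, cave=b"", entry_rva=SECT_ALIGN):
    """Constructed minimal PE32 image with one .text section (not a real binary).
    VirtualSize covers only `code`; `cave` is written into the zero padding that
    follows it, the way a parasitic infector uses 'null space' without growing
    the file. `entry_rva` sets AddressOfEntryPoint."""
    assert len(code) + len(cave) <= FILE_ALIGN
    raw = code + cave
    raw += b"\0" * (FILE_ALIGN - len(raw))

    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew

    opt = bytearray(0xE0)                             # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)             # Magic
    struct.pack_into("<I", opt, 16, entry_rva)        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 32, SECT_ALIGN)       # SectionAlignment
    struct.pack_into("<I", opt, 36, FILE_ALIGN)       # FileAlignment
    struct.pack_into("<I", opt, 56, SECT_ALIGN * 2)   # SizeOfImage
    struct.pack_into("<I", opt, 60, FILE_ALIGN)       # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes

    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), SECT_ALIGN,
                       FILE_ALIGN, FILE_ALIGN, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    headers += b"\0" * (FILE_ALIGN - len(headers))
    return headers + raw


def parse_pe(data):
    """Return (entry_rva, [section dicts]) read from the PE headers."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    entry = struct.unpack_from("<I", data, e_lfanew + 40)[0]
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        sections.append(dict(name=name.rstrip(b"\0").decode(), vsize=vsize,
                             va=va, rawsize=rawsize, ptr=ptr, chars=chars))
    return entry, sections


def audit_entry_point(data):
    """Heuristic checks for a code-cave style parasitic infection.
    Returns a list of finding strings; an empty list means nothing suspicious."""
    entry, sections = parse_pe(data)
    findings = []
    home = None
    for s in sections:
        if s["va"] <= entry < s["va"] + max(s["vsize"], s["rawsize"]):
            home = s
            break
    if home is None:
        return ["entry point outside every section"]
    if not home["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry point in non-executable section {home['name']}")
    # Code past VirtualSize is in file-alignment padding: a linker never puts
    # the entry point there, an infector writing into 'null space' does.
    if entry >= home["va"] + home["vsize"]:
        findings.append(f"entry point at RVA {entry:#x} lies in the slack of {home['name']}")
    # A clean build leaves the padding zero-filled; injected code is not.
    for s in sections:
        if s["rawsize"] > s["vsize"]:
            slack = data[s["ptr"] + s["vsize"]: s["ptr"] + s["rawsize"]]
            nonzero = sum(1 for b in slack if b)
            if nonzero:
                findings.append(f"{nonzero} non-zero bytes in the slack of {s['name']} (expected zero padding)")
    return findings


if __name__ == "__main__":
    clean = build_sample_pe(CODE)
    infected = build_sample_pe(CODE, CAVE, entry_rva=SECT_ALIGN + len(CODE))
    assert len(clean) == len(infected)   # file size preserved, as with Winlogon.exe
    for label, image in (("clean", clean), ("infected", infected)):
        print(label, audit_entry_point(image) or ["no findings"])
```

Run against a real file by replacing the constructed images with `open(path, "rb").read()`; the two sizes being equal in the demo is the point, since the same check applied to the on-disk Winlogon.exe and the Winlogon.bak the virus leaves behind will show identical lengths but a different entry point. Non-zero padding is a heuristic, not proof: packed or overlay-carrying binaries can trip it, so treat a hit as a triage lead to confirm by comparing against a known-good copy.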

Symptoms

Presence of previously mentioned files.
Presence of unexpected network connection to previously mentioned URL.

Method of Infection

This virus is installed by W32/Kibik.dr, which was last observed being delivered via web exploits hosted on the Internet.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have that combination.

Additional Windows ME/XP removal considerations

Variants

    N/A
