Author Topic: Need Help!!!! My PC has Win32:Tibs-ADO  (Read 5252 times)


abhimanyu31

  • Guest
Need Help!!!! My PC has Win32:Tibs-ADO
« on: January 20, 2007, 07:34:13 PM »
Hi,
Can somebody please help me. My company has a fairly big size LAN system (about 60 PCs). We run Windows 2003 Server with Windows 2000 clients. The antivirus system used for the network is Symantec Corporate Edition. For the past 2 days the clients have been showing a number of pop ups and have been prone to errors and applications crashing. We scanned the machines on a number of occasions with Symantec, however, it failed to detect anything wrong with the machines.

As I use AVAST home edition on my PC at home, I suggested to the Network Administrator to install AVAST professional edition to try and detect the virus/worm. The Symantec antivirus was uninstalled and AVAST professional edition with the 30 day trial period was installed on the server. Upon installation and first scan the antivirus found that the machine is infected with Win32:Tibs-ADO. Over 70 .exe files have been shown to be infected. However, it seems that the AV has no way to clean these files and therefore we have moved these files to the chest.

The machine also seems to have the following infected files:
1) logo1_.exe
2) rundll123.exe
3) richdll.exe

The above mentioned seem to keep appearing even though they are detected and deleted by the AV.

Of the files that have been moved to the chest, all of them are .exe files; however, our dilemma is that we don't know if these are legitimate files that have been infected or files that have been created by the worm. If these files are legitimate then the applications to which they relate will be affected if we delete them. And if they are created by the worm then we are simply cutting the branches of the tree, while the root is still in place.

I will really appreciate it if someone can help us out.

mauserme

  • Guest
Re: Need Help!!!! My PC has Win32:Tibs-ADO
« Reply #1 on: January 20, 2007, 08:12:55 PM »
The first step is to isolate the PCs so the worm can't travel through your LAN. This may be the sole source of reinfection, or it may come from the WAN side.

Here's some information on what logo1_.exe might be:

http://www.symantec.com/security_response/print_writeup.jsp?docid=2005-010711-4222-99

What are the locations of rundll123.exe and richdll.exe?

Quote
Of the files that have been moved to the chest, all of them are .exe files; however, our dilemma is that we don't know if these are legitimate files that have been infected or files that have been created by the worm. If these files are legitimate then the applications to which they relate will be affected if we delete them.
I think the effect will be the same if they are in the chest, since they can't run from that location. So if your applications still work these are probably worm related, but don't be in a hurry to delete them.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
Re: Need Help!!!! My PC has Win32:Tibs-ADO
« Reply #2 on: January 20, 2007, 08:24:33 PM »
The only data I can get on the last 2 files is in Chinese, which would tend to suggest they are trojans.

On the first I have http://www.viruslist.com/en/viruses/encyclopedia?virusid=69620

The re-appearance would suggest a payload file elsewhere.

EDIT: an HJT (HijackThis) log from the infected machine might help.
« Last Edit: January 20, 2007, 08:27:43 PM by essexboy »

mauserme

  • Guest
Re: Need Help!!!! My PC has Win32:Tibs-ADO
« Reply #3 on: January 20, 2007, 09:03:45 PM »
From VirusBuster regarding Win32.HLLP.Viking.ET:

http://www.virusbuster.hu/en/viruslab/descriptions/hllp.viking.et

Quote
The virus was packed with AsPack, so it is not so easy to unpack. It copies itself to the following locations:
\windows\logo1_.exe
\windows\uninstall\rundl132.exe
It drops the Trojan.Viking.EO Trojan file into \windows\richdll.dll

Quote
Removal instructions
1. It is necessary to close all Windows applications.

2. Delete the following files:
\windows\logo1_.exe
\windows\uninstall\rundl132.exe
\windows\richdll.dll

3. Remove the following Registry value:
HKLM\Microsoft\Windows\CurrentVersion\Run\load.

4. Detect and disinfect the infected files with the AntiVirus application.

And similar at F-Secure:

http://www.f-secure.com/v-descs/viking_de.shtml


EDIT: Additional from the F-Secure write-up regarding the registry values

Quote
The virus creates a startup value for that dropped file in Windows Registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
load=%WinDir%\uninstall\rundl132.exe

Where %WinDir% represents the main Windows folder (usually C:\Windows\).

Viking.DE also adds the following registry entry as a part of its installation:

[HKLM\SOFTWARE\Soft\DownloadWWW]
auto = "1"

Obviously a backup should be made before making any registry changes. Also, both sites recommend disinfection, not deletion, of the infected application files.
« Last Edit: January 20, 2007, 09:29:56 PM by mauserme »
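As an added example that is not part of the thread or of the vendor write-ups, the script below checks one host for exactly the file and registry indicators quoted in this reply and reports them without deleting anything; it assumes a PowerShell-capable Windows host run as Administrator (the thread's Windows 2000 clients would not have PowerShell), and it exports the Run key first because the reply advises a backup before any registry change.

```powershell
# Added triage script (not from the thread): report the Viking indicators
# quoted above on this host. Read-only apart from the .reg backup. Run as Administrator.
$WinDir = $env:WINDIR

# File indicators quoted from the VirusBuster / F-Secure write-ups
$files = @(
    (Join-Path $WinDir 'logo1_.exe'),
    (Join-Path $WinDir 'uninstall\rundl132.exe'),
    (Join-Path $WinDir 'richdll.dll')
)

# Registry indicators quoted from the F-Secure write-up
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue  = 'load'
$markerKey = 'HKLM:\SOFTWARE\Soft\DownloadWWW'

$findings = @()

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f -Force
        $findings += [pscustomobject]@{ Type = 'File'; Indicator = $f
                                        Detail = "size=$($item.Length) mtime=$($item.LastWriteTime)" }
    }
}

# A missing value just yields $null here, so an uninfected host produces no finding
$load = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
if ($load) {
    $findings += [pscustomobject]@{ Type = 'Registry'; Indicator = "$runKey\$runValue"
                                    Detail = $load.$runValue }
}
if (Test-Path $markerKey) {
    $auto = (Get-ItemProperty -Path $markerKey -ErrorAction SilentlyContinue).auto
    $findings += [pscustomobject]@{ Type = 'Registry'; Indicator = "$markerKey\auto"; Detail = $auto }
}

if ($findings.Count -eq 0) {
    Write-Output "$($env:COMPUTERNAME): no Viking indicators found"
} else {
    $findings | Format-Table -AutoSize
    # Export the Run key before anyone edits it, as the reply above advises
    $backup = Join-Path $env:TEMP "Run-backup-$(Get-Date -Format yyyyMMdd-HHmmss).reg"
    reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' $backup /y | Out-Null
    Write-Output "Run key exported to $backup for review before any removal"
}
```

Running it on each client before and after cleanup gives a simple record of which hosts still carry the dropped files or the startup value that keeps re-creating them.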

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
Re: Need Help!!!! My PC has Win32:Tibs-ADO
« Reply #4 on: January 20, 2007, 11:46:12 PM »
Nice one mauserme, a little extra info for me. Ta :)

mauserme

  • Guest
Re: Need Help!!!! My PC has Win32:Tibs-ADO
« Reply #5 on: January 21, 2007, 05:55:23 AM »
Thanks essexboy. It's just part of that "unified effort" thing :)

DFXBB

  • Guest
Re: Need Help!!!! My PC has Win32:Tibs-ADO
« Reply #6 on: January 21, 2007, 09:26:33 AM »
Yes, Viking is very 'popular' in China recently; it infects all .exe files in the computer and spreads with flash disks. It adds "autorun.inf" and the virus program to each disk.