Summary
| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | July 2008 (4.31) |
| Protection available since | 31 January 2006 13:49:23 (GMT) |
| Last updated | 6 June 2008 02:27:42 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for disinfecting PE executables.
More Information
W32/Tdibd-B is a worm for the Windows platform with backdoor Trojan functionality.
W32/Tdibd-B includes functionality to access the internet and communicate with a remote server via HTTP.
When first run W32/Tdibd-B copies itself to <System>\_tdiserv_\setup.exe and creates some of the following files:
<System>\_tdiserv_\autorun.inf
<System>\_tdiserv_\Config.dat
<System>\_tdiserv_\Guid.txt
<System>\_tdiserv_\kill
<System>\_tdiserv_\tdi95dev.vxd
<System>\_tdiserv_\TdiUpdate.sys
<System>\_tdiserv_\_tdicli_.exe
The file TdiUpdate.sys is detected as Troj/RKProc-Fam. The files _tdicli_.exe and tdi95dev.vxd are detected as W32/Tdibd-B. The other files are not malicious and may be deleted.
W32/Tdibd-B sets the following registry entry to run _tdicli_.exe on system startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
_tdiserv_
<System>\_tdiserv_\_tdicli_.exe
W32/Tdibd-B may register the file TdiUpdate.sys as a service with a display name of "TdiHook Update Driver" and a service name of "_tdiserv_HOOK" with registry entries under:
HKLM\SYSTEM\CurrentControlSet\Services\_tdiserv_HOOK
W32/Tdibd-B uses the files TdiUpdate.sys and tdi95dev.vxd to hide itself (stealthing), attempting to conceal its registry entries, processes and files from the operating system.
W32/Tdibd-B will spread by creating a folder called ms.config on disk drives connected to the infected computer. The worm will then copy setup.exe to this new folder, and autorun.inf to the root of the drive in an attempt to run setup.exe automatically.
W32/Tdibd-B may download and execute some of the following files:
<System>\_tdiserv_\Ma<random characters>.exe
<System>\_tdiserv_\Master.exe
<System>\_tdiserv_\packetcab.exe
<System>\_tdiserv_\_tdicli_m.exe
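The persistence indicators above (the `_tdiserv_` Run value, the `_tdiserv_HOOK` service, the `<System>\_tdiserv_` drop directory) and the removable-drive spread mechanism (an `ms.config\setup.exe` plus an `autorun.inf` at the drive root) can be turned into offline checks for an investigator. The following Python is an added example written for this page, not Sophos code: the function names, the snapshot layout and the `autorun.inf` text are assumptions, since the analysis does not quote the `autorun.inf` the worm writes, and the sample values are constructed.

```python
"""Offline indicator checks for the W32/Tdibd-B description above.

Added example, not Sophos code. Each function takes a snapshot of one
artefact (Run-key values, service records, file paths, autorun.inf text)
so the logic runs and can be tested without a Windows host; on a live
system you would collect the snapshots with winreg and os.walk. The
sample data in main() is constructed for illustration.
"""
import configparser
import re
from typing import Dict, Iterable, List

# Indicators as given in the description above.
RUN_VALUE_NAME = "_tdiserv_"                                # HKLM\...\Run value name
RUN_DATA_RE = re.compile(r"\\_tdiserv_\\_tdicli_\.exe$")     # value data (paths normalised first)
SERVICE_NAME = "_tdiserv_hook"                              # compared case-insensitively
SERVICE_DISPLAY = "TdiHook Update Driver"
DROP_DIR_RE = re.compile(r"\\_tdiserv_\\")                  # <System>\_tdiserv_\...
SPREAD_PAYLOAD = "ms.config\\setup.exe"                     # folder + file copied to each drive


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison: strip quotes, unify slashes, lower case."""
    return path.strip().strip('"').replace("/", "\\").lower()


def check_run_key(run_values: Dict[str, str]) -> List[str]:
    """run_values maps Run value name -> data. Flags the worm's startup entry
    whether it is recognised by the value name or by the _tdicli_.exe target."""
    return [f"Run value {name!r} -> {data!r}"
            for name, data in run_values.items()
            if name.lower() == RUN_VALUE_NAME or RUN_DATA_RE.search(_norm(data))]


def check_services(services: Dict[str, str]) -> List[str]:
    """services maps service name -> display name, as read from CurrentControlSet\\Services."""
    return [f"service {name!r} ({display!r})"
            for name, display in services.items()
            if name.lower() == SERVICE_NAME or display == SERVICE_DISPLAY]


def check_files(paths: Iterable[str]) -> List[str]:
    """Any file under a _tdiserv_ directory is suspect: the dropped components and
    the Ma<random>.exe / Master.exe / packetcab.exe / _tdicli_m.exe downloads."""
    return [f"file {p}" for p in paths if DROP_DIR_RE.search(_norm(p))]


def check_drive(drive_files: Iterable[str], autorun_text: str) -> List[str]:
    """Spread pattern on one drive: ms.config\\setup.exe present, and an autorun.inf
    at the root whose [autorun] entries point into ms.config (assumed content)."""
    findings = []
    payload = [p for p in drive_files if _norm(p).endswith("\\" + SPREAD_PAYLOAD)]
    if payload:
        findings.append(f"spread payload {payload[0]}")
    cp = configparser.ConfigParser(strict=False, allow_no_value=True, interpolation=None)
    try:
        cp.read_string(autorun_text)
        refs = [f"{k}={v}" for sect in cp.sections() for k, v in cp[sect].items()
                if v and "ms.config" in v.lower()]
    except configparser.Error:
        # Malformed autorun.inf (e.g. no [autorun] header): fall back to a substring search
        # so a deliberately broken file still produces a finding.
        refs = ["(unparsed) " + line.strip() for line in autorun_text.splitlines()
                if "ms.config" in line.lower()]
    findings.extend(f"autorun.inf references ms.config: {r}" for r in refs)
    return findings


def scan_snapshot(snapshot: dict) -> List[str]:
    """Run every check over one host snapshot (keys as laid out in main())."""
    findings = check_run_key(snapshot.get("run", {}))
    findings += check_services(snapshot.get("services", {}))
    findings += check_files(snapshot.get("files", []))
    for drive in snapshot.get("drives", []):
        findings += check_drive(drive["files"], drive.get("autorun", ""))
    return findings


if __name__ == "__main__":
    # Constructed snapshot of an infected host (sample data, not captured from a real machine).
    sample = {
        "run": {"_tdiserv_": r"C:\WINDOWS\system32\_tdiserv_\_tdicli_.exe",
                "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
        "services": {"_tdiserv_HOOK": "TdiHook Update Driver", "Dhcp": "DHCP Client"},
        "files": [r"C:\WINDOWS\system32\_tdiserv_\TdiUpdate.sys",
                  r"C:\WINDOWS\system32\_tdiserv_\Master.exe",
                  r"C:\WINDOWS\system32\notepad.exe"],
        "drives": [{"files": [r"E:\autorun.inf", r"E:\ms.config\setup.exe"],
                    "autorun": "[autorun]\nopen=ms.config\\setup.exe\n"}],
    }
    for finding in scan_snapshot(sample):
        print(finding)
```

The checks are deliberately split per artefact so that each can be fed from whatever collection method is available (a registry export, a directory listing, a mounted drive image) and so that a single match, such as the `_tdiserv_HOOK` service surviving after the files were cleaned, is still reported on its own.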
