Win32/Ibashade [Threat Name]

Win32/Ibashade.C [Threat Variant Name]

Category: worm
Detection created: Feb 08, 2017
Detection database version: 14904
Aliases: Worm:Win32/Drolnux.B (Microsoft)
Short description

Win32/Ibashade.C is a worm that spreads via removable media. Win32/Ibashade.C serves as a backdoor. It can be controlled remotely.

Installation

When executed, the worm copies itself to the following locations:

  • %appdata%\Microsoft\Search\Search Helper.exe
  • %temp%\WER9mso.dir00\com3.exe
  • %systemdrive%\Program Files\Intel GPU\GfxUI.exe
  • %startup%\ShareIt Service.exe

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Intel GPU" = "%systemdrive%\Program Files\Intel GPU\GfxUI.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Search Helper" = "%appdata%\Microsoft\Search\Search Helper.exe"

The worm creates the following file:

  • %appdata%\Microsoft\persist.dat

The worm executes the following files:

  • %appdata%\Microsoft\Search\Search Helper.exe
  • %temp%\WER9mso.dir00\com3.exe

Spreading on removable media

The worm creates the following folder:

  • %removabledrive%\.RECYCLER\

The %removabledrive%\.RECYCLER\ folder may have the System (S) and Hidden (H) attributes set in an attempt to hide the folder in Windows Explorer.

The worm copies itself to the following locations:

  • %removabledrive%\WinRAR.exe
  • %removabledrive%\.RECYCLER\package.exe

The worm creates the following file:

  • %removabledrive%\%lnkfilename%.lnk

The file is a shortcut to a malicious file.

The %lnkfilename% is one of the following strings:

  • 2016
  • 3G
  • 3g++
  • 4G
  • 4G++
  • ActiveSpeed
  • AI Soft
  • AntiVirus
  • C.Girl
  • Camera
  • Computer
  • Dangerous
  • EGY.CoM
  • ELIZA
  • eta 19.12.2016
  • Facebook
  • FileZilla
  • Flash & Media
  • Foxit Reader
  • Fun
  • GOMPlayer
  • HASOOB
  • HEY
  • Icon_Workshop_7.01
  • IDMan_v7.13
  • idman728B8
  • Images
  • imagesss
  • Internet
  • Kaspersky 2016
  • kis15.6.0.463fr
  • K-Lite codec
  • Learn
  • Learn-More
  • Love U
  • me
  • Media Player
  • Memoire
  • Mobile
  • Mobilis
  • Movie Maker
  • Movies
  • MP3
  • Music
  • My Doc
  • My Movies
  • My Secret
  • My Videos
  • MyElahY.CoM
  • MySe9.CoM
  • NEW
  • Norton Internet Security 2016
  • OFFICE2013
  • OFFICE2016
  • Phone
  • Photo
  • Photos
  • PhotoZoom Prov6.3.4
  • PowerArchiver9.16.07
  • Programs
  • Projects
  • recycler
  • Research
  • Sci-Fi
  • Songs
  • Start Here
  • Style_Widows10_v4.01
  • Tux
  • Twilight.2016
  • uTorrent_4.7.7
  • videos
  • Videos
  • Wallpaper
  • WebCopier
  • Why
  • WinIE
  • winrar580
  • ZZZ
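As an added triage example (not ESET's code and not part of this description), the following Python script checks a host and a removable-drive root for the indicators listed in the Installation and Spreading sections above. The `env` mapping for the `%appdata%`, `%temp%`, `%systemdrive%` and `%startup%` placeholders is supplied by the caller (from `os.environ` or the roots of a mounted image; `%startup%` is not a real environment variable), the Run-key values are passed in as a plain dictionary, and the drive contents planted by `build_demo_drive` are constructed for the demonstration only.

```python
"""Triage helper for the Win32/Ibashade.C indicators listed on this page.
Added example, not ESET's code: placeholder paths are expanded from a
caller-supplied mapping so the checks work on a live host or a mounted image.
"""
import re
import stat
import tempfile
from pathlib import Path

# Drop locations and the persist.dat file, in the page's own notation.
HOST_FILE_INDICATORS = [
    r"%appdata%\Microsoft\Search\Search Helper.exe",
    r"%temp%\WER9mso.dir00\com3.exe",
    r"%systemdrive%\Program Files\Intel GPU\GfxUI.exe",
    r"%startup%\ShareIt Service.exe",
    r"%appdata%\Microsoft\persist.dat",
]

# Run-key value name -> data the worm sets (HKLM and HKCU ...\CurrentVersion\Run).
RUN_VALUE_INDICATORS = {
    "Intel GPU": r"%systemdrive%\Program Files\Intel GPU\GfxUI.exe",
    "Search Helper": r"%appdata%\Microsoft\Search\Search Helper.exe",
}

# Decoy shortcut names (%lnkfilename%) from the list above, casefolded because
# Windows file-name lookups are case-insensitive ("videos"/"Videos" merge).
LNK_NAMES = {n.casefold() for n in (
    "2016|3G|3g++|4G|4G++|ActiveSpeed|AI Soft|AntiVirus|C.Girl|Camera|Computer|Dangerous|"
    "EGY.CoM|ELIZA|eta 19.12.2016|Facebook|FileZilla|Flash & Media|Foxit Reader|Fun|GOMPlayer|"
    "HASOOB|HEY|Icon_Workshop_7.01|IDMan_v7.13|idman728B8|Images|imagesss|Internet|Kaspersky 2016|"
    "kis15.6.0.463fr|K-Lite codec|Learn|Learn-More|Love U|me|Media Player|Memoire|Mobile|Mobilis|"
    "Movie Maker|Movies|MP3|Music|My Doc|My Movies|My Secret|My Videos|MyElahY.CoM|MySe9.CoM|NEW|"
    "Norton Internet Security 2016|OFFICE2013|OFFICE2016|Phone|Photo|Photos|PhotoZoom Prov6.3.4|"
    "PowerArchiver9.16.07|Programs|Projects|recycler|Research|Sci-Fi|Songs|Start Here|"
    "Style_Widows10_v4.01|Tux|Twilight.2016|uTorrent_4.7.7|videos|Videos|Wallpaper|WebCopier|Why|"
    "WinIE|winrar580|ZZZ"
).split("|")}

_PLACEHOLDER = re.compile(r"%([A-Za-z]+)%")

def _norm(path: str) -> str:
    """Compare paths separator- and case-insensitively, as Windows does."""
    return path.replace("\\", "/").casefold()

def expand_path(template: str, env: dict) -> Path:
    """Replace %name% with env[name]; unknown placeholders are left untouched."""
    expanded = _PLACEHOLDER.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), template)
    return Path(expanded.replace("\\", "/"))

def check_host_indicators(env: dict) -> list:
    """Return the page's drop locations that exist under the given roots."""
    return [t for t in HOST_FILE_INDICATORS if expand_path(t, env).exists()]

def check_run_values(run_values: dict, env: dict) -> list:
    """Flag Run-key values (name -> data) matching the worm's persistence entries."""
    return [name for name, data in RUN_VALUE_INDICATORS.items()
            if name in run_values
            and _norm(run_values[name]) == _norm(str(expand_path(data, env)))]

def scan_removable_root(root: Path) -> list:
    """Look for the removable-media artifacts described in the Spreading section."""
    findings = []
    recycler = root / ".RECYCLER"
    if recycler.is_dir():
        attrs = getattr(recycler.stat(), "st_file_attributes", 0)  # present only on Windows
        hidden = bool(attrs & (stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM))
        findings.append(f".RECYCLER folder present (hidden/system attributes: {hidden})")
        if (recycler / "package.exe").is_file():
            findings.append(".RECYCLER\\package.exe present")
    if (root / "WinRAR.exe").is_file():
        findings.append("WinRAR.exe at drive root")
    for lnk in root.glob("*.lnk"):
        if lnk.stem.casefold() in LNK_NAMES:
            findings.append(f"decoy shortcut {lnk.name}")
    return findings

def build_demo_drive(root: Path) -> None:
    """Plant constructed sample artifacts that mimic an infected drive (demo only)."""
    (root / ".RECYCLER").mkdir(parents=True)
    (root / ".RECYCLER" / "package.exe").write_bytes(b"MZ placeholder")
    (root / "WinRAR.exe").write_bytes(b"MZ placeholder")
    for name in ("My Secret", "Photos", "Budget"):  # "Budget" is benign and must not match
        (root / f"{name}.lnk").write_bytes(b"L\x00\x00\x00")

def demo() -> dict:
    """Run all three checks against constructed data in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_demo_drive(base / "E")
        env = {"appdata": str(base / "AppData"), "temp": str(base / "Temp"),
               "systemdrive": str(base / "C"), "startup": str(base / "Startup")}
        drop = expand_path(HOST_FILE_INDICATORS[0], env)  # plant only Search Helper.exe
        drop.parent.mkdir(parents=True)
        drop.write_bytes(b"MZ placeholder")
        run_values = {"Search Helper": str(drop), "OneDrive": r"C:\legit\OneDrive.exe"}
        return {"removable": scan_removable_root(base / "E"),
                "host": check_host_indicators(env),
                "run": check_run_values(run_values, env)}
```

On a live Windows host, `env` comes from `os.environ` plus the user's Startup folder path, and `run_values` is read from both Run keys named in the Installation section with the standard `winreg` module; the same functions then run unchanged against a mounted disk image by pointing the mapping at the image's directories.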

Information stealing

The worm collects the following information:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • logged keystrokes
  • user name
  • computer name
  • information about the operating system and system settings

The following programs are affected:

  • Mozilla Firefox
  • Pale Moon
  • Google Chrome
  • Torch
  • Comodo Dragon
  • Baidu Spark

The worm attempts to send gathered information to a remote machine.

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of 20 URLs. The HTTP protocol is used in the communication.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • capture webcam picture
  • capture screenshots
  • upload file list
  • upload files to a remote computer
  • send gathered information

The worm may create the following files:

  • %temp%\~CMR9H8973LABX9C1C3.TMP
  • %temp%\~SMR9S8973LABX9C1C3.TMP
  • %temp%\~QMR9D8973LABX9C1C3.TMP
  • %temp%\~UMR9X8973LABX9C1C3.TMP
  • %temp%\WER9mso.dir00\%variable%

A string with variable content is used instead of %variable%.

The worm may display a fake error message:

  • There was an unexpected error in the program:
  • The filename, directory name or volume label syntax is incorrect.
  • (0x8007007B)
  • Please close the program and try again.