
Backdoor.Nibu.D

Risk Level 1: Very Low

Discovered:
April 6, 2004
Updated:
February 13, 2007 12:21:04 PM
Also Known As:
Bloodhound.Exploit.6, W32/Dumaru.w.gen [McAfee], Exploit-MhtRedir [McAfee]
Type:
Trojan Horse
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

Backdoor.Nibu.D is a Trojan horse that attempts to steal passwords and bank account information.



Backdoor.Nibu.D may originally have been distributed in an email containing the text below. This email attempts to exploit a vulnerability in Internet Explorer that allows arbitrary code execution.

Definitions released prior to April 6, 2004 detect these email messages as Bloodhound.Exploit.6.


Subject: Receipt of Payment

Dear friend,
 
Thank you for your purchase!
This message is to inform you that your order has been received
and will be processed shortly.  
 
Your account is being processed for $79.85, for a 3 month term.  
You will receive an account setup confirmation within the next
24 hours with instructions on how to access your account.  
If you have any questions regarding this invoice,
please feel free to contact us at <link blocked>.
We appreciate your business and look forward to a great relationship!
 
Thank You,
 
The Hashshanklin Team
 
 
ORDER SUMMARY
-------------
 
 
Web Hosting............. $29.85
Setup................... $30.00
 
Domain Registration..... $20.00
Sales Date.............. 04/04/2004
Domain.................. sexigerl.com
 
Total Price............. $79.85
Card Type............... Visa


Another variation of this email refers to "The Tekriter.com Team." It does not use the Bloodhound.Exploit.6 exploit, but clicking the link in the email causes the Trojan to be installed as follows:
  • The link points to a Web site with an embedded object tag, containing a link to 2.php.
  • 2.php is a .html file containing VBScript commands to drop and execute the file, rtq.vbs.
  • Rtq.vbs uses the ADODB stream objects vulnerability to download and execute a file titled ukam.gif. (This file is an executable, not a .gif image.) It is saved as svchostss.exe.
  • Svchostss.exe downloads and installs Backdoor.Nibu.D.
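The chain above ends with an executable delivered under a .gif name and run by a VBScript dropper. As an added example, not part of Symantec's writeup, the Python below shows two checks a responder can apply to captured artifacts: identifying a file by its magic bytes rather than its extension, and flagging the ADODB.Stream / SaveToFile / WScript.Shell drop-and-run pattern in a script. The file names and sample contents are constructed for illustration.

```python
import re

# Constructed sample artifacts for testing; they are not real malware and only
# mimic the shapes the writeup describes (a PE behind a .gif name, a VBS dropper).
SAMPLE_VBS = (b'Set s = CreateObject("ADODB.Stream")\r\n'
              b's.Open\r\ns.Type = 1\r\ns.SaveToFile "svchostss.exe", 2\r\n'
              b'CreateObject("WScript.Shell").Run "svchostss.exe"\r\n')
SAMPLE_FAKE_GIF = b"MZ\x90\x00\x03\x00" + b"\x00" * 58   # PE header, not image data
SAMPLE_REAL_GIF = b"GIF89a\x01\x00\x01\x00" + b"\x00" * 8

MAGIC = [(b"MZ", "pe"), (b"GIF87a", "gif"), (b"GIF89a", "gif"),
         (b"\xff\xd8\xff", "jpeg"), (b"\x89PNG\r\n\x1a\n", "png")]
IMAGE_EXTS = {"gif", "jpg", "jpeg", "png"}

def sniff_type(data: bytes) -> str:
    """Identify a file by its leading bytes rather than by its name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"

def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when a file named like an image actually carries a PE executable."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in IMAGE_EXTS and sniff_type(data) == "pe"

# Each pattern is one step of the drop-and-run chain; all three together are a strong signal.
VBS_PATTERNS = {
    "adodb_stream": re.compile(rb"CreateObject\(\s*\"ADODB\.Stream\"", re.I),
    "save_to_file": re.compile(rb"\.SaveToFile\s+\"[^\"]+\.(exe|vbs|scr)\"", re.I),
    "shell_run": re.compile(rb"WScript\.Shell\"\s*\)\s*\.Run", re.I),
}

def vbscript_indicators(script: bytes) -> list:
    """Return the names of the drop-and-execute indicators present in a script."""
    return [name for name, pat in VBS_PATTERNS.items() if pat.search(script)]

def triage(filename: str, data: bytes) -> dict:
    """Summarise the checks a responder would run on one captured artifact."""
    return {
        "type": sniff_type(data),
        "ext_mismatch": extension_mismatch(filename, data),
        "vbs_indicators": vbscript_indicators(data) if filename.lower().endswith(".vbs") else [],
    }

if __name__ == "__main__":
    for name, blob in [("ukam.gif", SAMPLE_FAKE_GIF), ("real.gif", SAMPLE_REAL_GIF), ("rtq.vbs", SAMPLE_VBS)]:
        print(name, triage(name, blob))
```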


Antivirus Protection Dates

  • Initial Rapid Release version April 6, 2004
  • Latest Rapid Release version September 13, 2012 revision 037
  • Initial Daily Certified version April 6, 2004
  • Latest Daily Certified version September 14, 2012 revision 002
  • Initial Weekly Certified release date April 6, 2004

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: 50 - 999
  • Number of Sites: More than 10
  • Geographical Distribution: Low
  • Threat Containment: Easy
  • Removal: Moderate

Damage

  • Damage Level: Medium

Distribution

  • Distribution Level: Low
Writeup By: Scott Gettis
