Discovered: July 26, 2004
Updated: February 13, 2007 12:25:39 PM
Also Known As: Worm.P2P.Tibick [Kaspersky]
Type: Worm
Systems Affected: Windows


W32.Tibick is a worm that propagates through file-sharing networks. This worm also connects to an IRC channel and listens for messages from the attacker.

Antivirus Protection Dates

  • Initial Rapid Release version July 26, 2004
  • Latest Rapid Release version August 08, 2016 revision 023
  • Initial Daily Certified version July 26, 2004
  • Latest Daily Certified version August 09, 2016 revision 001
  • Initial Weekly Certified release date July 26, 2004


Writeup By: Hiroshi Shinotsuka

When W32.Tibick executes, it does the following:

  1. Copies itself as %System%\svcnet.exe.

    Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Adds the value:

    "System Restore" = "svcnet.exe"

    to one of these registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    so that the worm runs when you start Windows.

  3. Creates a folder named %Windir%\msview and copies itself as multiple file names.

    Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

  4. Modifies the settings of various file-sharing applications, if present, to use the newly created folder as the default sharing folder. This applies to the following applications:
    • Kazaa
    • iMesh
    • Morpheus
    • wareo
    • eMule
    • DC++

  5. The worm may also update itself when a new version is available.


Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

  1. Disable System Restore (Windows Me/XP).
  2. Update the virus definitions.
  3. Run a full system scan and delete all the files detected as W32.Tibick.
  4. Delete the values that were added to the registry.
For specific details on each of these steps, read the following instructions.

1. To disable System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:

Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, re-enable System Restore by following the instructions in the aforementioned documents.

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.

2. To update the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
  • Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
  • Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

    The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

3. To scan for and delete the infected files
  1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
  2. Run a full system scan.
  3. If any files are detected as infected with W32.Tibick, click Delete.


    Note: If your Symantec antivirus product reports that it cannot delete an infected file, Windows may be using the file. To fix this, run the scan in Safe mode. For instructions, read the document, "How to start the computer in Safe Mode." Once you have restarted in Safe mode, run the scan again.

    (After the files are deleted, you can leave the computer in Safe mode and proceed with section 4. When that is done, restart the computer in Normal mode.)

4. To delete the values from the registry

Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
  1. Click Start > Run.
  2. Type regedit, then click OK.

  3. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  4. In the right pane, delete the value:

    "System Restore" = "svcnet.exe"

  5. Navigate to the key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

  6. In the right pane, delete the value:

    "System Restore" = "svcnet.exe"

  7. Exit the Registry Editor.
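
The registry checks in section 4, together with the file copy and folder the worm creates when it executes, can be scripted. The PowerShell below is an added example, not part of the original writeup: the -Remove switch, the $BackupDir location and the script layout are assumptions, and it deletes only the two Run values, leaving file removal to the antivirus scan in section 3.

```powershell
# Added example: report (and, with -Remove, delete) the W32.Tibick Run values.
# The worm's file copy and its msview folder are reported but never deleted here.
param(
    [switch]$Remove,                                               # hypothetical switch
    [string]$BackupDir = (Join-Path $env:TEMP 'tibick-run-backup') # assumed backup location
)

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$valueName = 'System Restore'
$wormFile  = 'svcnet.exe'
$findings  = New-Object System.Collections.Generic.List[object]

foreach ($key in $runKeys) {
    $data = (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if (-not $data) { continue }

    # The value name alone is not proof. Compare the file-name part of the data,
    # so a quoted or fully qualified path to svcnet.exe also matches.
    $leaf = (([string]$data).Trim().Trim('"') -split '[\\/]')[-1]
    if ($leaf -ne $wormFile) { continue }

    $status = 'present'
    if ($Remove) {
        # Back up the whole Run key before editing it, as the writeup advises.
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        $backup  = Join-Path $BackupDir (($key -replace '\W+', '_') + '.reg')
        $regPath = $key.Replace(':', '')          # HKLM:\... -> HKLM\... for reg.exe
        & reg.exe export $regPath $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup of $regPath failed; value left in place." }
        Remove-ItemProperty -Path $key -Name $valueName -ErrorAction Stop
        $status = "removed (backup: $backup)"
    }
    $findings.Add([pscustomobject]@{
        Artifact = 'Run value'; Location = $key
        Detail   = "$valueName = $data"; Status = $status
    })
}

# %System%\svcnet.exe: the copy the worm drops in the System folder.
$copy = Join-Path ([Environment]::SystemDirectory) $wormFile
if (Test-Path -LiteralPath $copy -PathType Leaf) {
    $findings.Add([pscustomobject]@{
        Artifact = 'File'; Location = $copy
        Detail   = 'worm copy'; Status = 'present (delete via antivirus scan)'
    })
}

# %Windir%\msview: the folder the worm fills with copies and sets as the P2P share.
$share = Join-Path $env:windir 'msview'
if (Test-Path -LiteralPath $share -PathType Container) {
    $exeCount = @(Get-ChildItem -LiteralPath $share -Filter *.exe -Force -ErrorAction SilentlyContinue).Count
    $findings.Add([pscustomobject]@{
        Artifact = 'Folder'; Location = $share
        Detail   = "$exeCount .exe file(s)"; Status = 'present (delete via antivirus scan)'
    })
}

if ($findings.Count -eq 0) {
    'None of the W32.Tibick artifacts named in the writeup were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it without arguments to report only; -Remove needs an elevated prompt to change the HKEY_LOCAL_MACHINE key.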

