Backdoor.Nibu.D


Risk Level 1: Very Low

April 6, 2004
February 13, 2007 12:21:04 PM
Also Known As: Bloodhound.Exploit.6, W32/Dumaru.w.gen [McAfee], Exploit-MhtRedir [McAfee]
Type: Trojan Horse
Systems Affected:

Backdoor.Nibu.D is a Trojan horse that attempts to steal passwords and bank account information.

Backdoor.Nibu.D may originally have arrived in an email containing the text below. The email attempts to exploit a vulnerability in Internet Explorer that allows arbitrary code execution.

Definitions released prior to April 6, 2004 detect these email messages as Bloodhound.Exploit.6.

Subject: Receipt of Payment

Dear friend,
Thank you for your purchase!
This message is to inform you that your order has been received
and will be processed shortly.  
Your account is being processed for $79.85, for a 3 month term.  
You will receive an account setup confirmation within the next
24 hours with instructions on how to access your account.  
If you have any questions regarding this invoice,
please feel free to contact us at <link blocked>.
We appreciate your business and look forward to a great relationship!
Thank You,
The Hashshanklin Team
Web Hosting............. $29.85
Setup................... $30.00
Domain Registration..... $20.00
Sales Date.............. 04/04/2004
Domain.................. sexigerl.com
Total Price............. $79.85
Card Type............... Visa

Another variation of this email refers to "The Tekriter.com Team." It does not use the Bloodhound.Exploit.6 exploit, but clicking the link in the email causes the Trojan to be installed as follows:
  • The link points to a Web site with an embedded object tag, containing a link to 2.php.
  • 2.php is a .html file containing VBScript commands to drop and execute the file, rtq.vbs.
  • Rtq.vbs uses the ADODB stream objects vulnerability to download and execute a file titled ukam.gif. (This file is an executable, not a .gif image.) It is saved as svchostss.exe.
  • Svchostss.exe downloads and installs Backdoor.Nibu.D.
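
A defender's triage check for the artifacts named in the chain above, as an added example that is not part of the original writeup or of Symantec's detection logic. The ADODB.Stream/SaveToFile pattern is an assumption about what such a script contains, the sample bytes are constructed, and the function and finding names are hypothetical.

```python
import re
from pathlib import PureWindowsPath

# Leading magic bytes of the two formats involved in the chain above.
MAGIC = {"exe": (b"MZ",), "gif": (b"GIF87a", b"GIF89a")}
# Assumed script pattern: an ADODB.Stream object that is later written to disk.
ADODB_WRITE = re.compile(rb"adodb\.stream.*savetofile", re.I | re.S)

def sniff(data: bytes) -> str:
    """Return the file type implied by the leading bytes, else 'unknown'."""
    for kind, signatures in MAGIC.items():
        if data.startswith(signatures):
            return kind
    return "unknown"

def triage(name: str, data: bytes) -> list:
    """Return a list of findings for one captured file (name + content)."""
    path = PureWindowsPath(name)
    ext, stem = path.suffix.lower(), path.stem.lower()
    findings = []
    # A download that claims to be a GIF but starts with a PE/MZ header.
    if ext == ".gif" and sniff(data) == "exe":
        findings.append("executable-served-as-gif")
    # Web or script content that writes an ADODB stream to a local file.
    if ext in (".vbs", ".php", ".html", ".htm") and ADODB_WRITE.search(data):
        findings.append("adodb-stream-write")
    # An executable whose name imitates svchost.exe without matching it.
    if ext == ".exe" and stem.startswith("svchost") and stem != "svchost":
        findings.append("svchost-lookalike-name")
    return findings

# Constructed samples (not real malware): only the bytes each rule inspects.
SAMPLES = [
    ("ukam.gif", b"MZ\x90\x00" + bytes(60)),
    ("logo.gif", b"GIF89a" + bytes(20)),
    ("rtq.vbs", b'Set s = CreateObject("ADODB.Stream")\r\ns.SaveToFile p, 2\r\n'),
    ("svchostss.exe", b"MZ" + bytes(62)),
    ("svchost.exe", b"MZ" + bytes(62)),
]

def scan(samples=SAMPLES) -> dict:
    """Map each sample name to its findings, omitting clean files."""
    return {n: f for n, d in samples if (f := triage(n, d))}

if __name__ == "__main__":
    for name, findings in scan().items():
        print(f"{name}: {', '.join(findings)}")
```
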

Antivirus Protection Dates

  • Initial Rapid Release version April 6, 2004
  • Latest Rapid Release version March 23, 2017 revision 037
  • Initial Daily Certified version April 6, 2004
  • Latest Daily Certified version March 23, 2017 revision 041
  • Initial Weekly Certified release date April 6, 2004
Writeup By: Scott Gettis
