Virus Alert! - Gibe
Results 1 to 4 of 4

Thread: Virus Alert! - Gibe

  1. #1
    Senior Member
    Join Date
    Aug 2001
    Posts
    410

    Exclamation Virus Alert! - Gibe

    This virus has been out since March 6th 2002. But I felt it was neccessary to post it here.
    -------
    NAME:
    Gibe

    ALIAS:
    I-Worm.Gibe, W32,Gibe@mm, W32/ Gibe.A@mm

    Gibe is a mass-mailing worm written in Visual Basic. It disguises itself as a Microsoft security update. The worm usually arrives as an attachment named Q216309.exe to the following message:



    From: Microsoft Corporation Security Center
    mailto:rdquest12@microsoft.com]
    To: Microsoft Customer
    Subject: Internet Security Update
    Attachment: q216309.exe




    Microsoft Customer,




    this is the latest version of security update, the update which
    eliminates all known security vulnerabilities affecting Internet
    Explorer and MS Outlook/Express as well as six new
    vulnerabilities, and is discussed in Microsoft Security Bulletin
    MS02-005. Install now to protect your computer from these
    vulnerabilities, the most serious of which could allow an
    attacker to run code on your computer.





    Description of several well-know vulnerabilities:




    - "Incorrect MIME Header Can Cause IE to Execute E-mail
    Attachment" vulnerability. If a malicious user sends an affected
    HTML e-mail or hosts an affected e-mail on a Web site, and a
    user opens the e-mail or visits the Web site, Internet Explorer
    automatically runs the executable on the user's computer.




    - A vulnerability that could allow an unauthorized user to learn
    the location of cached content on your computer. This could
    enable the unauthorized user to launch compiled HTML Help (.chm)
    files that contain shortcuts to executables, thereby enabling
    the unauthorized user to run the executables on your computer.




    - A new variant of the "Frame Domain Verification" vulnerability
    could enable a malicious Web site operator to open two browser
    windows, one in the Web site's domain and the other on your
    local file system, and to pass information from your computer to
    the Web site.




    - CLSID extension vulnerability. Attachments which end with a
    CLSID file extension do not show the actual full extension of
    the file when saved and viewed with Windows Explorer. This
    allows dangerous file types to look as though they are simple,
    harmless files - such as JPG or WAV files - that do not need to
    be blocked.





    System requirements:
    Versions of Windows no earlier than Windows 95.




    This update applies to:
    Versions of Internet Explorer no earlier than 4.01
    Versions of MS Outlook no earlier than 8.00
    Versions of MS Outlook Express no earlier than 4.01




    How to install
    Run attached file q216309.exe




    How to use
    You don't need to do anything after installing this item.





    For more information about these issues, read Microsoft Security
    Bulletin MS02-005, or visit link below.
    http://www.microsoft.com/windows/ie/...al/default.asp
    If you have some questions about this article contact us at
    rdquest12@microsoft.com




    Thank you for using Microsoft products.




    With friendly greetings,
    MS Internet Security Center.
    ----------------------------------------
    ----------------------------------------
    Microsoft is registered trademark of Microsoft Corporation.
    Windows and Outlook are trademarks of Microsoft Corporation.


    It should be noted that due to bugs in worm's code this message might not be fully visible when it arrives on a recepient's system.

    The body of the message describes a Microsoft vulnerability and tries to make the recipient click on the attached file.

    This worm's file is 122880 bytes long and it is a dropper for several worm components. Being run, the worm's dropper outputs a dialog box asking a user if he wants to install a security update.



    If a user clicks 'Yes', the worm shows the unpacking dialog with progress bar and in the end opens a messagebox informing that the update has been installed.



    If a user clicks 'No' the worm installs itself too, but doesn't show any dialog or messageboxes.

    The worm sets an infection marker so if it is run on an already infected system, then it shows the following message:



    The following entry in the Registry is used as infection marker:



    [HKEY_LOCAL_MACHINE\Software\AVTech\Settings]
    "Installed" = "... by Begbie"


    When run, the worm drops several files to a system:



    \%WinDir%\Q216309.exe- a copy of a dropper
    \%WinDir%\BcTool.exe- the mass-mailing component
    \%WinDir%\WinNetw.exe- e-mail address searching component
    \%WinDir%\GfxAcc.exe- backdoor component
    \%WinSysDir%\Vtnmsccd.dll- a copy of a dropper
    \%WinSysDir%\MSWinsck.ocx- standard Winsock library


    where \%WinDir%\ is Windows root directory and \%WinSysDir%\ is Windows System directory.

    The e-mail address searching component also creates a file with the name 02_N803.dat in Windows directory and stores all found e-mail addresses there. This file is then loaded by the main mass-mailing component and the worm sends itself to all found e- mail addresses.

    The worm adds startup strings for its mass-mailing and backdoor components to the Registry. The following keys are created:



    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "3DfxAcc" = "\%WinDir%\GfxAcc.exe"
    "LoadDBackUp" = "\%WinDir%\BcTool.exe"


    where \%WinDir%\ is Windows root directory. This way both components are started during every Windows session.

    To get rid of the worm it's enough to delete all its components from an infected system. If some components are locked while Windows is active, they have to be deleted from pure DOS (in case of Windows 9x system) or renamed with a different extension (EXA for example) with immediate system restart (in case of NT-based system). After restart the renamed components can be deleted.

    http://www.f-secure.com/v-descs/gibe.shtml

  2. #2
    Senior Member cwk9's Avatar
    Join Date
    Feb 2002
    Posts
    1,211
    So many viruses prey on MS Outlook that I've stopped using it.
    Its not software piracy. Iím just making multiple off site backups.

  3. #3
    I love virus alerts at AO. It reminds me of when we use to have such things on the home page.....Ahhhh, the good old days....

  4. #4
    Senior Member
    Join Date
    Aug 2001
    Posts
    110
    We really need virus alerts
    Listen closely to your enemies. They tell you your faults.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •