March 5th, 2002, 10:19 PM
#8
Another one in the same vein.
I got this from my corporate IT folks today:
A new worm -- W32/Gibe@MM -- is circulating via an e-mail attachment: q216309.exe disguised as a security alert from Microsoft.
---------------------------------------------------------------------
Method of infection: Email worm
Attachment name: q216309.exe.
Subject line: Internet Security Update
Message body:
Microsoft Customer,
This is the latest version of security update, the update which eliminates
all known security vulnerabilities affecting Internet Explorer and MS
Outlook/Express as well as six new vulnerabilities, and is discussed in
Microsoft Security Bulletin MS02-005. Install now to protect your computer
from these vulnerabilities, the most serious of which could allow an
attacker to run code on your computer.
----------------------------------------------------------------------
If you receive this message, DELETE IT IMMEDIATELY! Do NOT
attempt to open it!
Detailed information on the W32/Gibe@mm worm can be found at:
http://www.sophos.com/virusinfo/analyses/w32gibea.html
If you inadvertently opened the message or have difficulties deleting
the e-mail, please immediately contact your local IT support or call
sumdumguy
(oops.. just had to slip one in there )
(excerpt from the link above)
If q216309.exe is run it will display the message "This will install Microsoft Security Update. Do you wish to continue ? ". It then copies itself to q216309.exe in the Windows folder and vtnmsccd.dll in the Windows system folder. It also drops and executes bctool.exe, winnetw.exe and gfxacc.exe in the Windows folder and creates the file 02_n803.dat in which it stores information about email recipients.
Bctool.exe and winnetw.exe attempt to send out the emails as described above. Gfxacc.exe runs as a background process and opens port 12387, which could allow an intruder to gain remote access and control over the machine.
The worm sets the following registry keys:
HKLM\Software\AVTech\Settings\Default Address = <default address>
HKLM\Software\AVTech\Settings\DefaultServer = <default server>
HKLM\Software\AVTech\Settings\Installed = ...by Begbie
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\3dfx Acc = <path to gfxacc.exe>
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadDBackup = <path to bctool.exe>
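The lure quoted in the post is a plain mail-gateway detection problem: a Microsoft-branded subject and body, plus an executable attachment named like a hotfix. Below is an added example, not code from the post, from Sophos or from the poster's IT department, that parses a raw message with Python's standard library and reports which Gibe indicators match. It goes slightly beyond the post: besides the exact name q216309.exe it also flags any attachment named like a Q-number hotfix (a regex I assume here) and any attachment whose bytes begin with the "MZ" executable magic regardless of its filename, since the Content-Type and filename are attacker-controlled. The sample messages are constructed; the sender address and the attachment bytes (a bare MZ header, not the worm) are assumptions.

```python
"""Gateway-side indicator check for the W32/Gibe@MM lure described above.

Added example; not code from the post or from Sophos. Sender addresses,
attachment bytes and the Q-number regex are assumptions.
"""
import email
import email.policy
import re
from email.message import EmailMessage

# Indicators taken directly from the post.
GIBE_ATTACHMENT = "q216309.exe"
GIBE_SUBJECT = "Internet Security Update"
BODY_PHRASES = ("Microsoft Customer", "Microsoft Security Bulletin MS02-005")
# Generalisation (assumption): executables named like Qnnnnnn hotfixes are
# suspicious when they arrive by mail, whatever the exact number.
KB_STYLE_EXE = re.compile(r"^q\d{6}\.exe$", re.IGNORECASE)


def scan_message(raw: bytes) -> dict:
    """Return a verdict and the list of matched indicators for one raw message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hits = []

    if msg.get("Subject", "").strip().lower() == GIBE_SUBJECT.lower():
        hits.append("subject:gibe")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    for phrase in BODY_PHRASES:
        if phrase in body:
            hits.append("body:" + phrase)

    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        attachments.append(name)
        if name.lower() == GIBE_ATTACHMENT:
            hits.append("attachment:gibe-name")
        elif KB_STYLE_EXE.match(name):
            hits.append("attachment:kb-style-exe")
        # Trust the bytes, not the label: a renamed PE still starts with "MZ".
        if payload[:2] == b"MZ":
            hits.append("attachment:pe-magic:" + name)

    if any(h.startswith("attachment:") for h in hits):
        verdict = "quarantine"      # executable lure: never deliver
    elif hits:
        verdict = "suspicious"      # Gibe wording but no dangerous attachment
    else:
        verdict = "deliver"
    return {"verdict": verdict, "hits": hits, "attachments": attachments}


# The worm's message body as quoted in the post.
GIBE_BODY = (
    "Microsoft Customer,\n"
    "This is the latest version of security update, the update which eliminates\n"
    "all known security vulnerabilities affecting Internet Explorer and MS\n"
    "Outlook/Express as well as six new vulnerabilities, and is discussed in\n"
    "Microsoft Security Bulletin MS02-005. Install now to protect your computer\n"
    "from these vulnerabilities, the most serious of which could allow an\n"
    "attacker to run code on your computer.\n"
)


def build_message(subject: str, body: str, filename=None, payload=None) -> bytes:
    """Construct a raw test message. Addresses are made up (example.invalid)."""
    m = EmailMessage()
    m["From"] = "Microsoft Corporation Security Center <support@example.invalid>"
    m["To"] = "customer@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if filename is not None:
        m.add_attachment(payload, maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


def build_gibe_sample() -> bytes:
    """The lure from the post; the attachment is a bare MZ header, not the worm."""
    return build_message(GIBE_SUBJECT, GIBE_BODY, GIBE_ATTACHMENT, b"MZ" + b"\x00" * 62)


if __name__ == "__main__":
    for label, raw in (
        ("gibe lure", build_gibe_sample()),
        ("renamed PE", build_message("Invoice", "See attached.\n", "readme.txt", b"MZ" + b"\x00" * 62)),
        ("plain mail", build_message("Lunch?", "Noon at the usual place.\n")),
    ):
        print(label, scan_message(raw))
```

Run as-is to see the three verdicts; in a real gateway `scan_message` would be called on each inbound message and "quarantine" mapped to a reject or hold action. The MZ check is the part worth keeping after this particular worm is gone.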