Gibe worm poses as a Microsoft update
Published: 07 Mar 2002 12:13 GMT
What appears to be a new security update from Microsoft is actually a clever attempt by a virus writer to spread a worm. Gibe (w32.gibe@mm) is a nondestructive worm written in Visual Basic that attempts to mass-mail itself to everyone in an address book. Fortunately, the infected email is plagued with spelling errors and should be easy to spot. Because this worm is not destructive and only sends email to others, Gibe ranks as a 4/10 on the ZDNet Virus Meter.
What it does
Gibe arrives via email. The subject is "Internet Security Update" and the body of the message appears to be a message from Microsoft (it is not):
Microsoft Customer,
this is the latest version of security update, the update which eliminates all known security vulnerabilities affecting Internet Explorer and MS Outlook/Express as well as six new vulnerabilities, and is discussed in Microsoft Security Bulletin MS02-005. Install now to protect your computer from these vulnerabilities, the most serious of which could allow an attacker to run code on your computer.
Description of several well-know vulnerabilities:
- "Incorrect MIME Header Can Cause IE to Execute email Attachment" vulnerability. If a malicious user sends an affected HTML email or hosts an affected email on a Web site, and a user opens the email or visits the Web site, Internet Explorer automatically runs the executable on the user's computer.
- A vulnerability that could allow an unauthorized user to learn the location of cached content on your computer. This could enable the unauthorized user to launch compiled HTML Help (.chm) files that contain shortcuts to executables, thereby enabling the unauthorized user to run the executables on your computer.
- A new variant of the "Frame Domain Verification" vulnerability could enable a malicious Web site operator to open two browser windows, one in the Web site's domain and the other on your local file system, and to pass information from your computer to the Web site.
- CLSID extension vulnerability. Attachments which end with a CLSID file extension do not show the actual full extension of the file when saved and viewed with Windows Explorer. This allows dangerous file types to look as though they are simple, harmless files - such as JPG or WAV files - that do not need to be blocked.
System requirements: Versions of Windows no earlier than Windows 95.
This update applies to:
Versions of Internet Explorer no earlier than 4.01
Versions of MS Outlook no earlier than 8.00
Versions of MS Outlook Express no earlier than 4.01
How to install
Run attached file q216309.exe
How to use
You don't need to do anything after installing this item.
For more information about these issues, read Microsoft Security Bulletin MS02-005, or visit link below. If you have some questions about this article contact us at rdquest12@microsoft.com
Thank you for using Microsoft products.
With friendly greetings, MS Internet Security Center.
Microsoft is registered trademark of Microsoft Corporation. Windows and Outlook are trademarks of Microsoft Corporation.
The attached file is q216309.exe (122,880 bytes), which appears to be a Microsoft Knowledge Base entry (it is not).
Users of non-Windows systems are not affected by this worm. If a Windows user opens the attached file, Gibe will make the following changes to the Registry:
HKLM\Software\AVTech\Settings\Default Address = (default address)
HKLM\Software\AVTech\Settings\DefaultServer = (default server)
HKLM\Software\AVTech\Settings\Installed = ...by Begbie
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\3dfx Acc = (path to gfxacc.exe)
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadDBackup = (path to bctool.exe)
These changes allow Gibe to install a backdoor Trojan horse that becomes active every time the computer is rebooted. Gibe will also create the following files in the Windows directory:
bctool.exe (32,768 bytes) - the mass-mailing component
winnetw.exe (20,480 bytes) - email address finding component
q216309.exe (122,880 bytes) - a copy of the worm
vtnmsccd.dll (122,880 bytes) - a copy of the worm
gfxacc.exe (20,480 bytes) - the Trojan horse component
The file gfxacc.exe is the backdoor Trojan horse that could allow malicious users into a PC. Alert users who monitor their systems with a firewall may notice unusual traffic on port 12387 as a result of Gibe.
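The indicators above (lure subject, contact address, attachment name and the 122,880-byte size) are enough for a simple mail-gateway check. The following is an added example, not code from the article or from any antivirus vendor; it uses only the Python standard library, and the sample message it builds is constructed here, not a real capture.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the article: lure subject, contact address,
# attachment file name and its size in bytes.
GIBE_SUBJECT = "Internet Security Update"
GIBE_CONTACT = "rdquest12@microsoft.com"
GIBE_ATTACHMENT = "q216309.exe"
GIBE_SIZE = 122880


def gibe_indicators(raw: bytes) -> list[str]:
    """Return the names of the Gibe indicators found in one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg.get("Subject") or "").strip().lower() == GIBE_SUBJECT.lower():
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and GIBE_CONTACT in body.get_content():
        hits.append("contact-address")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == GIBE_ATTACHMENT:
            hits.append("attachment-name")
        if name.endswith(".exe"):
            hits.append("exe-attachment")
        if len(part.get_payload(decode=True) or b"") == GIBE_SIZE:
            hits.append("attachment-size")
    return hits


def is_gibe_lure(raw: bytes) -> bool:
    """Quarantine threshold (an assumption): two or more indicators match."""
    return len(gibe_indicators(raw)) >= 2


def build_sample() -> bytes:
    """Constructed message resembling the lure; padding stands in for the binary."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = GIBE_SUBJECT
    msg.set_content("Microsoft Customer,\nInstall now to protect your computer. "
                    "If you have some questions contact us at " + GIBE_CONTACT)
    msg.add_attachment(b"\0" * GIBE_SIZE, maintype="application",
                       subtype="octet-stream", filename=GIBE_ATTACHMENT)
    return msg.as_bytes()
```

A real gateway would combine this with the vendor signatures mentioned under Removal; the name and size checks alone are trivially defeated by a variant.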
Prevention
Users of Microsoft Outlook 2002 and users of Outlook 2000 who have installed the Security Update should be safe from the EXE attachment included with Gibe. Users who have not upgraded to Outlook 2002 or who have not installed the Security Update for Outlook 2000 should do so. In general, do not open attached files in email without first saving them to hard disk and scanning them with updated antivirus software. Contact your antivirus vendor to obtain the most current antivirus signature files that include Gibe.
Removal
A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see McAfee, Sophos, Symantec and Trend Micro.