Virus Database

I-Worm.Gibe.a

Description I-Worm.Gibe.a

Gibe is the multi-component Internet worm-virus spreading via the Internet as an email attachment. The worm itself is a Windows PE EXE file 123Kb in size and written in Visual Basic.
Screen-shot of Gibe's email text:

Infected messages have false "From" and "To"fields:
From: "Microsoft Corporation Security Center"
To: "Microsoft Customer" <'customer@yourdomain.com'>
Subject: Internet Security Update
Reply-To:
Attach: q216309.exe
The message body, the first part of which is shown in the screen-shot above, is made to look like an official Microsoft letter (DayMonthYear represents the date - for example, "9 Mar 2002"):
Microsoft Customer,
this is the latest version of security update, the
"DayMonthYear Cumulative Patch" update which eliminates all
known security vulnerabilities affecting Internet Explorer and
MS Outlook/Express as well as six new vulnerabilities, and is
discussed in Microsoft Security Bulletin MS02-005. Install now to
protect your computer from these vulnerabilities, the most serious of which
could allow an attacker to run code on your computer.
Description of several well-know vulnerabilities:
- "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability.
If a malicious user sends an affected HTML e-mail or hosts an affected
e-mail on a Web site, and a user opens the e-mail or visits the Web site,
Internet Explorer automatically runs the executable on the user's computer.

- A vulnerability that could allow an unauthorized user to learn the location
of cached content on your computer. This could enable the unauthorized
user to launch compiled HTML Help (.chm) files that contain shortcuts to
executables, thereby enabling the unauthorized user to run the executables
on your computer.
- A new variant of the "Frame Domain Verification" vulnerability could enable a malicious Web site operator to open two browser windows, one in the Web site's
domain and the other on your local file system, and to pass information from
your computer to the Web site.
- CLSID extension vulnerability. Attachments which end with a CLSID file extension do not show the actual full extension of the file when saved and viewed with Windows Explorer. This allows dangerous file types to look as though they are simple, harmless files - such as JPG or WAV files - that do not need to be blocked.
System requirements:
Versions of Windows no earlier than Windows 95.
This update applies to:
Versions of Internet Explorer no earlier than 4.01
Versions of MS Outlook no earlier than 8.00
Versions of MS Outlook Express no earlier than 4.01
How to install
Run attached file q216309.exe
How to use
You don't need to do anything after installing this item.
For more information about these issues, read Microsoft Security Bulletin MS02-005, or visit link below.
http://www.microsoft.com/windows/ie/downloads/critical/default.asp
If you have some questions about this article contact us at rdquest12@microsoft.com
Thank you for using Microsoft products.
With friendly greetings,
MS Internet Security Center.
----------------------------------------
----------------------------------------
Microsoft is registered trademark of Microsoft Corporation.
Windows and Outlook are trademarks of Microsoft Corporation.
The Gibe worm activates only if a user clicks on the attached file. Doing so will cause Give to install itself into the system and run its spreading routine and payload.
Installing - Messages
When a user runs the infected file the worm first checks if the system is already infected by checking for its ID key in the registry.
HKLMSoftwareAVTechSettings
Installed = all by Begbie

The presence of this key in the system means that the system is already infected.
Under an "infected" environment the worm displays the following message and exits:


On systems not yet infected, the worm displays the false message:


Not depending on a user's reply the worm starts its installation process. In case of a "No" response the installation is hidden, in case of a "Yes" response the worm displays the following false installation messages:




If the "Cancel" button is pressed during installation the worm displays more false messages leading the user to think the process has been halted, however Gibe continues infecting the system anyway:




Installing - Components
While installing its files into the system Gibe copies itself into the Windows directory under the names:
q216309.exe vtnmsccd.dll
and into the Windows system directory under the ".dll" name:
vtnmsccd.dll
Three more executable components are dropped into the Windows directory and run:
BcTool.exe WinNetw.exe GfxAcc.exe
Two of these files (BcTool.exe and GfxAcc.exe) are registered in the registry auto-run keys:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
LoadDBackUp = %WindowsDir%BcTool.exe
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
3Dfx Acc = %WindowsDir%GfxAcc.exe
These components are responsible for searching out victim email addresses and for sending infected emails to these addresses.
Spreading
Gibe uses MS Outlook to send out infected messages.
To get victim email addresses the MS Outlook address book is opened and read. The worm also looks for email addresses in system files using the following extensions: *.htm, *.html, *.asp and *.php
Gibe is also programmed to use two Internet search engines to obtain victim email addresses. It runs the search engines with random search strings, and then scans their logs. The two engines it uses are:

http://email.people.yahoo.com
http://www.switchboard.com

Check other viruses! Be aware! Use Antiviral Software

Email-Worm.Win32.Bagle.cc

Description Email-Worm.Win32.Bagle.cc
This Bagle variant is unable to propagate independently, and was mass mailed. Functionally, it is almost identical to Bagle.Bj and some modifications which are detected as Bagle.pac. Infected messages either have an empty message subject and message body, or contain random text, and a randomall

Email-Worm.Win32.Bagle.cl

Description Email-Worm.Win32.Bagle.cl
This version of Bagle is unable to propagate independently. However, all other functionality indicates that it is a member of the Bagle family. This program was mass mailed using spamming technologies. The worm itself is a PE EXE file. The packed file is 36864 bytes in size Installation Onceall

Home