StayCool.573
Description StayCool.573
This is a harmless memory-resident parasitic virus. It hooks INT 21h and writes itself to the end of COM files as they are executed. The virus contains the text string:

Louise Broderick my princess Written at Barclays plc Softare Labs Stay Cool Mickey Athwel
I-Worm.Gibe.a
Description I-Worm.Gibe.a
Gibe is a multi-component Internet worm that spreads as an email attachment. The worm itself is a Windows PE EXE file, 123 KB in size, written in Visual Basic.

(Screen-shot of Gibe's email text: not reproduced.)

Infected messages have forged "From" and "To" fields:

From: "Microsoft Corporation Security Center"
To: "Microsoft Customer" <'customer@yourdomain.com'>
Subject: Internet Security Update
Reply-To:
Attach: q216309.exe

The message body, the first part of which is shown in the screen-shot above, is made to look like an official Microsoft letter ("DayMonthYear" stands for the date, for example "9 Mar 2002"):

Microsoft Customer, this is the latest version of security update, the "DayMonthYear Cumulative Patch" update which eliminates all known security vulnerabilities affecting Internet Explorer and MS Outlook/Express as well as six new vulnerabilities, and is discussed in Microsoft Security Bulletin MS02-005. Install now to protect your computer from these vulnerabilities, the most serious of which could allow an attacker to run code on your computer.

Description of several well-know vulnerabilities:

- "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability. If a malicious user sends an affected HTML e-mail or hosts an affected e-mail on a Web site, and a user opens the e-mail or visits the Web site, Internet Explorer automatically runs the executable on the user's computer.
- A vulnerability that could allow an unauthorized user to learn the location of cached content on your computer. This could enable the unauthorized user to launch compiled HTML Help (.chm) files that contain shortcuts to executables, thereby enabling the unauthorized user to run the executables on your computer.
- A new variant of the "Frame Domain Verification" vulnerability could enable a malicious Web site operator to open two browser windows, one in the Web site's domain and the other on your local file system, and to pass information from your computer to the Web site.
- CLSID extension vulnerability. Attachments which end with a CLSID file extension do not show the actual full extension of the file when saved and viewed with Windows Explorer. This allows dangerous file types to look as though they are simple, harmless files - such as JPG or WAV files - that do not need to be blocked.

System requirements: Versions of Windows no earlier than Windows 95.

This update applies to:
Versions of Internet Explorer no earlier than 4.01
Versions of MS Outlook no earlier than 8.00
Versions of MS Outlook Express no earlier than 4.01

How to install
Run attached file q216309.exe

How to use
You don't need to do anything after installing this item.

For more information about these issues, read Microsoft Security Bulletin MS02-005, or visit link below.
http://www.microsoft.com/windows/ie/downloads/critical/default.asp

If you have some questions about this article contact us at rdquest12@microsoft.com

Thank you for using Microsoft products.

With friendly greetings,
MS Internet Security Center.
----------------------------------------
----------------------------------------
Microsoft is registered trademark of Microsoft Corporation. Windows and Outlook are trademarks of Microsoft Corporation.

The Gibe worm activates only if a user clicks on the attached file. Doing so causes Gibe to install itself into the system and run its spreading routine and payload.
Installing - Messages
When a user runs the infected file, the worm first checks whether the system is already infected by looking for its ID key in the registry:

HKLM\Software\AVTech\Settings
Installed = all by Begbie

The presence of this key means the system is already infected. In an infected environment the worm displays the following message and exits (screen-shot not reproduced):

On systems not yet infected, the worm displays a false message (screen-shot not reproduced):

Regardless of the user's reply, the worm starts its installation process. On a "No" response the installation is hidden; on a "Yes" response the worm displays the following false installation messages (screen-shots not reproduced):

If the "Cancel" button is pressed during installation, the worm displays more false messages leading the user to think the process has been halted; Gibe continues infecting the system anyway.
Installing - Components
While installing its files into the system, Gibe copies itself into the Windows directory under the names:

q216309.exe
vtnmsccd.dll

and into the Windows system directory under the ".dll" name:

vtnmsccd.dll

Three more executable components are dropped into the Windows directory and run:

BcTool.exe
WinNetw.exe
GfxAcc.exe

Two of these files (BcTool.exe and GfxAcc.exe) are registered in the registry auto-run key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LoadDBackUp = %WindowsDir%\BcTool.exe
3Dfx Acc = %WindowsDir%\GfxAcc.exe

These components are responsible for harvesting victim email addresses and for sending infected emails to those addresses.

Spreading
Gibe uses MS Outlook to send out infected messages. To obtain victim email addresses it opens and reads the MS Outlook address book. The worm also looks for email addresses in files on the system with the following extensions:

*.htm, *.html, *.asp and *.php

Gibe is also programmed to use two Internet search engines to obtain victim email addresses. It runs the search engines with random search strings and then scans their logs. The two engines it uses are:

http://email.people.yahoo.com
http://www.switchboard.com
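As an added example (not code from the page or from the worm), a small Python triage routine that flags the lure pattern described above: a display name claiming Microsoft over a non-Microsoft mailbox, an empty Reply-To, an executable attachment, and body text that poses as a security bulletin while telling the reader to run the attachment. The sender address and the attachment bytes are constructed placeholders; the description gives only the display name.

```python
import os
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions Windows executes directly; compared against the attachment filename.
EXECUTABLE_EXT = {".exe", ".com", ".pif", ".scr", ".bat", ".vbs", ".js", ".hta"}
# Phrases from the quoted lure that push the reader to run the attachment.
LURE_PHRASES = ("run attached file", "install now")


def build_sample() -> EmailMessage:
    """Constructed message using the headers and body fragments quoted above.
    The sender address is a placeholder: the description gives only the display name."""
    msg = EmailMessage()
    msg["From"] = '"Microsoft Corporation Security Center" <update@mail.example.invalid>'
    msg["To"] = '"Microsoft Customer" <customer@yourdomain.com>'
    msg["Subject"] = "Internet Security Update"
    msg["Reply-To"] = ""  # Gibe sets the header but leaves it empty
    msg.set_content(
        "Microsoft Customer, this is the latest version of security update, "
        "discussed in Microsoft Security Bulletin MS02-005. Install now to "
        "protect your computer.\nHow to install\nRun attached file q216309.exe\n"
    )
    msg.add_attachment(b"MZ\x90\x00", maintype="application",  # placeholder bytes
                       subtype="octet-stream", filename="q216309.exe")
    return msg


def triage(msg: EmailMessage) -> list[str]:
    """Return the reasons a message matches the Gibe lure pattern ([] if none)."""
    reasons = []
    name, addr = parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2].lower()
    # Display name claims Microsoft while the mailbox is not on microsoft.com.
    if "microsoft" in name.lower() and not domain.endswith("microsoft.com"):
        reasons.append(f"sender display name claims Microsoft but domain is '{domain}'")
    if msg["Reply-To"] is not None and not str(msg["Reply-To"]).strip():
        reasons.append("empty Reply-To header")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if os.path.splitext(fname)[1].lower() in EXECUTABLE_EXT:
            reasons.append(f"executable attachment: {fname}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if "security bulletin" in text and any(p in text for p in LURE_PHRASES):
        reasons.append("body poses as a security bulletin and asks to run the attachment")
    return reasons
```

Running `triage(build_sample())` returns all four findings; a mail gateway rule would normally quarantine on the executable attachment alone and use the other three as supporting evidence.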
I-Worm.Gigger
Description I-Worm.Gigger
This is a dangerous worm. It replicates using Outlook, Outlook Express and mIRC. The worm is written in JavaScript and Visual Basic Script (VBS). It contains destructive payload routines that format the user's hard disk after reboot and can delete all files on all available disks.

Installation
While installing into the system, the worm creates several files:

C:\Bla.hta
C:\B.htm
C:\Windows\Samples\Wsh\Charts.js
C:\Windows\Help\Mmsn_offline.htm

The worm then looks for its "already infected" marker in the registry and creates it if it does not exist. The marker is located in the following registry key:

HKEY_CURRENT_USER\Software\hegraveadusersv2.0

The worm finds all connected network drives and copies itself to each of them under the following path:

Windows\Start Menu\Programs\StartUp\Msoe.hta

Spreading via e-mail
The worm uses Outlook and Outlook Express to send infected e-mail messages. Infected messages have the following properties:

Subject: Outlook Express Update
Body: MSNSoftware Co.
Attachment: mmsn_offline.htm

The worm also sends a message containing the e-mail addresses of its recipients to an e-mail address that appears to belong to the worm's author.

Spreading via IRC
The worm locates the installation folder of an mIRC client and creates a file named "script.ini" there. After this, the worm sends itself to each user who joins an IRC channel the infected user is in. Filename sent through mIRC: "mmsn_offline.htm"

Payload
The worm adds the following line to Autoexec.bat:

ECHO y|format c:

This formats drive C: when the computer restarts. If the day of the month is the 1st, 5th, 10th, 15th or 20th, the worm deletes all files from all drives.
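As an added example (not code from the page or from the worm), a Python check for the Gigger host artifacts listed above: the dropped files, the StartUp copy of Msoe.hta, an mIRC script.ini that references mmsn_offline.htm, and an AUTOEXEC.BAT line that pipes "y" into FORMAT. It works on a constructed path-to-content snapshot rather than a live disk, and the FORMAT pattern is written generally so spacing variants and extra switches are also caught.

```python
import re
from pathlib import PureWindowsPath

# AUTOEXEC.BAT line piping an automatic "y" into FORMAT ("ECHO y|format c:"); spacing and switches vary.
FORMAT_PIPE = re.compile(r"^\s*echo\s+y\s*\|\s*format\s+([a-z]):", re.IGNORECASE)

# Dropped files named in the description, compared as lower-cased full paths.
DROPPED_FILES = {
    r"c:\bla.hta",
    r"c:\b.htm",
    r"c:\windows\samples\wsh\charts.js",
    r"c:\windows\help\mmsn_offline.htm",
}


def find_format_lines(autoexec_text: str) -> list[tuple[int, str]]:
    """Return (line number, drive letter) for each line that would format a drive at boot."""
    hits = []
    for lineno, line in enumerate(autoexec_text.splitlines(), start=1):
        m = FORMAT_PIPE.match(line)
        if m:
            hits.append((lineno, m.group(1).upper()))
    return hits


def scan_host(files: dict[str, str]) -> list[str]:
    """files maps a Windows path to its text content (a snapshot, not a live disk).
    Returns one finding per Gigger artifact present."""
    findings = []
    for path, content in files.items():
        low = path.lower()
        name = PureWindowsPath(low).name
        if low in DROPPED_FILES:
            findings.append(f"dropped file present: {path}")
        elif name == "msoe.hta" and "\\startup\\" in low:
            findings.append(f"StartUp copy present: {path}")
        elif name == "script.ini" and "mmsn_offline.htm" in content.lower():
            findings.append(f"mIRC script.ini references mmsn_offline.htm: {path}")
        elif name == "autoexec.bat":
            for lineno, drive in find_format_lines(content):
                findings.append(f"{path} line {lineno} formats drive {drive}: at next boot")
    return findings


# Constructed snapshot of an infected host (contents are stubs, not the worm's files).
SAMPLE_FILES = {
    r"C:\AUTOEXEC.BAT": "@ECHO OFF\nPATH C:\\WINDOWS;C:\\DOS\nECHO y|format c:\n",
    r"C:\Bla.hta": "<html><!-- stub --></html>",
    r"C:\mirc\script.ini": "[script]\n; stub that mentions mmsn_offline.htm\n",
    r"D:\Windows\Start Menu\Programs\StartUp\Msoe.hta": "<html><!-- stub --></html>",
}
```

Removing the AUTOEXEC.BAT line before the next reboot is the urgent step, since the format runs at startup; the dropped files and registry marker can be cleaned afterwards.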