Worm/Gibe.B - Worm
Alias: Win32.Gibe.B@mm, WORM_GIBE.B
Type: Worm
Size: 155,648 bytes
Origin: unknown
Date: 02-26-2003
Damage:
VDF Version:
Danger: Low
Distribution: Low
General Description
Worm/Gibe.B is a mass mailer that poses as a Microsoft Internet Update. It spreads by email, over the local network, over mIRC and over the KaZaA P2P network.
Symptoms
- The files and registry entries mentioned below.
- Disguised as Microsoft Internet Update (see Technical Details).
Distribution
The worm has its own SMTP engine and sends itself to every email address it finds on the infected computer. It also spreads over the KaZaA P2P network and over network drives reachable from the infected computer.
Technical Details
When activated, Worm/Gibe.B checks whether the following registry value exists:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Messenger Setup]
"Coded"="... by Begbie"
If it exists, the computer is already infected and the routine ends with the message: "This update does not need to be installed on this system."
If the computer is not yet infected, a fake "License" window (Microsoft License Agreement) appears. Regardless of whether the user clicks "Yes" or "No", Worm/Gibe.B copies itself onto the system as "Gibe.dll" and under a random file name (for example P280490.exe), and creates the following files:
* MSBugAdv.exe (email sending routine)
* DX3DRndr.exe (email sending routine)
* MailViews.db (for the collected email addresses)
* WMSysDx.bin (contains a list of remote servers)
Additional copies are made in the Windows temporary folder under the following names:
IEPatch.exe, KaZaA upload.exe, Porn.exe, Sex.exe, XboX Emulator.exe, PS2 Emulator.exe, XP update.exe, XXX Video.exe, Sick Joke.exe, Free XXX Pictures.exe, My naked sister.exe, Hallucinogenic.exe, Screensaver.exe, Cooking with Cannabis.exe, Magic Mushrooms Growing.exe, I-Worm_Gibe Cleaner.exe
Worm/Gibe.B checks whether a shared folder of the P2P program KaZaA is available and creates a folder with a random name in the Windows temporary directory. It copies one of the files listed above into that folder and, if KaZaA file sharing is deactivated, activates it through a special registry key.
In addition, on every mapped network drive that contains a "Windows", "WinMe", "Win98" or "Win95" folder, the worm creates a file named WebLoader.exe. If the chat program mIRC is installed, Worm/Gibe.B creates the file SCRIPT.INI, through which it sends itself to all users of the same IRC channel.
Worm/Gibe.B makes the following registry entries:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"DxLoad"="C:\Windows\DX3DRndr.exe"
[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"Dir99"="012345:C:\\WINDOWS\\TEMP\\<%random folder name%>\\<%random file name%>"
and
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Messenger Setup]
"Coded"="... by Begbie"
"Server"="Not found"
"Email Address"="Not found"
"Disp Name"="Microsoft Web Automat"
"LookName"="<%random file name%>"
"Stock Fall In"=dword:00000001
The file DX3DRndr.exe is the mailing component. It reads the addresses it sends itself to from the dropped file MailViews.db and from the Windows Address Book. Such an email can have the following components:
Subject: (composed of one word from each line)
1.: RE: , FW: or FWD:
2.: Check , Check out , Try , Prove , Look at , Taste , Take a look at or Watch
3.: these , that , this or the
4.: correction , update , security , patch or pack
5.: from , comes from , which came from or from the
6.: M$ Corporation , Microsoft or M+ACQ-Corporation
For example:
Fw: Check this patch from Microsoft
Body:
Microsoft Customer
this is the latest version of security update, the "February 2003, Cumulative Patch" update which eliminates all known security vulnerabilities affecting Internet Explorer, Outlook and Outlook Express as well as five newly discovered vulnerabilities. Install now to protect your computer from these vulnerabilities, the most serious of which could allow an attacker to run executable on your system. This update includes the functionality of all previously released patches.
System requirements:
Win 9x/Me/2000/NT/XP
This update applies to:
Microsoft Internet Explorer, version 4.01 and later
Microsoft Outlook, version 8.00 and later
Microsoft Outlook Express, version 4.01 and later
Recommendation:
Customers should install the patch at the earliest opportunity.
How to install:
Run attached file. Click Yes on displayed dialog box.
How to use:
You don't need to do anything after installing this item.
Microsoft Technical Support is available at
http://support.microsoft.com/
For security-related information about Microsoft products, please visit the Microsoft
Security Advisor web site at:
http://www.microsoft.com/security
Contact us at
http://www.microsoft.com/isapi/goregwiz.asp?target=/contactus/contactus.asp
Please do not reply to this message. It was sent from an unmonitored e-mail address and we are unable to respond to any replies.
Thank you for using Microsoft products.
Attachment:
Update<random character combination>.exe
Patch<random character combination>.exe
P<random character combination>.exe
Q<random character combination>.ex
When Worm/Gibe.B has infected the computer, a Dialog box appears: "Microsoft Internet Update Pack", with the text: "This update has been successfully installed."
Manual Removal Instructions
- for Windows 2000/XP:
In order to remove the virus by hand, you should be in Safe Mode first. Press the F8 key when you start your computer, and select the 'safe mode' option that will appear. Delete the following files:
* MSBugAdv.exe (email routine)
* DX3DRndr.exe (email routine)
* MailViews.db (for collected emails)
* WMSysDx.bin (list of remote servers)
Start "regedit" after that and edit the following registry entries:
* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"DxLoad"="C:\Windows\DX3DRndr.exe"
* [HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"Dir99"="012345:C:\\WINDOWS\\TEMP\\<%random folder name%>\\<%random file name%>"
* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Messenger Setup]
"Coded"="... by Begbie"
"Server"="Not found"
"Email Address"="Not found"
"Disp Name"="Microsoft Web Automat"
"LookName"="<%random file name%>"
"Stock Fall In"=dword:00000001
Restart your computer.
- for Windows 9x/ME:
In order to remove the virus by hand, you should be in Safe Mode first. Press the F8 key when you start your computer, and select the 'safe mode' option that will appear. Delete the following files:
* MSBugAdv.exe (email routine)
* DX3DRndr.exe (email routine)
* MailViews.db (for collected emails)
* WMSysDx.bin (list of remote servers)
Start "regedit" after that and edit the following registry entries:
* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"DxLoad"="C:\Windows\DX3DRndr.exe"
* [HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"Dir99"="012345:C:\\WINDOWS\\TEMP\\<%random folder name%>\\<%random file name%>"
* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Messenger Setup]
"Coded"="... by Begbie"
"Server"="Not found"
"Email Address"="Not found"
"Disp Name"="Microsoft Web Automat"
"LookName"="<%random file name%>"
"Stock Fall In"=dword:00000001
Restart your computer.
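As an added example (not Avira's code and not part of the original description), the following Python script checks a host for the registry values and dropped files listed in the Technical Details and in the removal checklist above. It only reports; it deletes nothing. The registry keys, value names and file names come from the description. Assumptions: the description gives no paths for the dropped files, so the live collector looks in %SystemRoot%, its System32 subfolder and its Temp subfolder; the sample snapshot and file list are constructed; substring matching is used for Dir99 and DxLoad because those values contain random or path components.

```python
import os
import sys

MESSENGER_SETUP = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Messenger Setup"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
KAZAA_KEY = r"Software\Kazaa\LocalContent"

# (hive, subkey, value name, expected substring), taken from the description.
REGISTRY_IOCS = [
    ("HKLM", MESSENGER_SETUP, "Coded", "... by Begbie"),
    ("HKLM", MESSENGER_SETUP, "Disp Name", "Microsoft Web Automat"),
    ("HKLM", RUN_KEY, "DxLoad", "DX3DRndr.exe"),
    ("HKCU", KAZAA_KEY, "Dir99", r"012345:C:\WINDOWS\TEMP"),
]

# Files the worm drops (names only; the description gives no full paths).
DROPPED_FILES = {"gibe.dll", "msbugadv.exe", "dx3drndr.exe", "mailviews.db", "wmsysdx.bin"}


def evaluate(registry_snapshot, file_names):
    """Pure check. registry_snapshot maps (hive, subkey, value name) to the
    stored data; file_names lists file names found in the Windows directories.
    Returns a list of human-readable findings."""
    findings = []
    for hive, subkey, name, expected in REGISTRY_IOCS:
        data = registry_snapshot.get((hive, subkey, name))
        if data is not None and expected.lower() in str(data).lower():
            findings.append(f"registry {hive}\\{subkey} : {name} = {data!r}")
    for fn in file_names:
        if fn.lower() in DROPPED_FILES:
            findings.append(f"file {fn}")
    return findings


def infected(registry_snapshot, file_names):
    """The 'Coded' value is the worm's own re-infection marker and the DxLoad
    Run entry is its persistence; either one, or any two indicators together,
    counts as positive. A lone file name is reported but not conclusive."""
    findings = evaluate(registry_snapshot, file_names)
    strong = any(": Coded =" in f or ": DxLoad =" in f for f in findings)
    return strong or len(findings) >= 2


def collect_windows():
    """Gather the snapshot on a live Windows host (winreg is Windows-only).
    Assumption: dropped files are searched for in %SystemRoot%, System32 and Temp."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snapshot = {}
    for hive, subkey, name, _ in REGISTRY_IOCS:
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                snapshot[(hive, subkey, name)] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            pass  # key or value absent
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    names = []
    for d in (windir, os.path.join(windir, "System32"), os.path.join(windir, "Temp")):
        if os.path.isdir(d):
            names.extend(os.listdir(d))
    return snapshot, names


# Constructed sample data standing in for an infected host.
SAMPLE_SNAPSHOT = {
    ("HKLM", MESSENGER_SETUP, "Coded"): "... by Begbie",
    ("HKLM", RUN_KEY, "DxLoad"): r"C:\Windows\DX3DRndr.exe",
}
SAMPLE_FILES = ["kernel32.dll", "DX3DRndr.exe", "MailViews.db"]

if __name__ == "__main__":
    if sys.platform == "win32":
        snapshot, names = collect_windows()
    else:
        snapshot, names = SAMPLE_SNAPSHOT, SAMPLE_FILES
    for finding in evaluate(snapshot, names):
        print("  " + finding)
    print("Worm/Gibe.B indicators present:", infected(snapshot, names))
```

On Windows the script reads the live registry and directory listings; elsewhere it runs against the constructed sample, which yields four findings and a positive result. Treat a positive result as the cue to follow the removal steps above from Safe Mode rather than as a reason to delete files from a running script.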
Description created by Crony Walker on Tue, 15 Jun 2004 14:00 (GMT+1)