W32/Gibe@mm, WORM_GIBE.A, W32/Gibe-A, I-Worm.Gibe
Sent by email.
Worm/Gibe uses Microsoft Outlook and its own SMTP engine. This worm sends itself by email disguised as a Microsoft Internet Security Update.
The false email message looks like this:
From: Microsoft Corporation Security Center
Subject: Internet Security Update
Body: Microsoft Customer, this is the latest version of security update, the update which eliminates all known security vulnerabilities affecting Internet Explorer and MS Outlook/Express as well as six new vulnerabilities . . .
How to install
Run attached file q216309.exe
How to use
You don't need to do anything after installing this item. . . .
When the Visual Basic file Q216309.exe, which contains parts of other viruses, is opened, the following files are created:
C:\Windows\Q216309.exe (122,880 Bytes), containing the full virus pack.
C:\Windows\Vtnmsccd.dll (122,880 Bytes), identical to Q216309.exe.
C:\Windows\BcTool.exe (32,768 Bytes), the part using Microsoft Outlook and SMTP.
C:\Windows\GfxAcc.exe (20,480 Bytes), the Backdoor Trojan, opening port 12378.
C:\Windows\02_N803.dat (variable size), the file containing the collected email addresses.
C:\Windows\WinNetw.exe (20,480 Bytes), which looks for email addresses and saves them in 02_N803.dat.
The worm also spreads over networks. It tries to find all Startup directories on the network:
- On Windows 2000 computers, it tries to copy itself to C:\Documents and Settings\%Infected Computer User Name%\Start Menu\Programs\Startup.
- On Windows 98 computers, it tries to copy itself to C:\Windows\Start Menu\Programs\Startup.
- On Windows NT computers, it tries to copy itself to C:\Winnt\Profiles\%Infected Computer User Name%\Start Menu\Programs\Startup.
Then, it enters the following two registry keys:
3Dfx Acc C:\Windows\GFXACC.exe
Registry path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
It also adds the following entries to the registry:
Installed ... by Begbie
Default Address %Default Email Address%
Default Server %Default Server%
Finally, the file BcTool.exe tries to send \Windows\Q216309.exe to all email addresses found in Microsoft Outlook and in .htm, .html, .asp, and .php files. The data is also saved in 02_N803.dat.
Description inserted by Crony Walker on Tuesday, June 15, 2004
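A host check built from the indicators listed above (file names and sizes, the Run value, port 12378), as an added example that is not part of the original description. The function names, the match labels and the way the inputs are collected (a Windows directory path, a dictionary of exported Run values, a list of listening TCP ports) are assumptions.

```python
import os

# Indicators from the description above: file name -> expected size in
# bytes (None = variable size). Names are compared case-insensitively.
GIBE_FILES = {
    "q216309.exe": 122880,
    "vtnmsccd.dll": 122880,
    "bctool.exe": 32768,
    "gfxacc.exe": 20480,
    "winnetw.exe": 20480,
    "02_n803.dat": None,
}
RUN_VALUE_NAME = "3dfx acc"  # value under HKLM\...\CurrentVersion\Run
BACKDOOR_PORT = 12378        # port opened by GfxAcc.exe


def scan_windows_dir(windir):
    """Return (file name, label) for each listed file name found directly in windir."""
    hits = []
    for entry in os.scandir(windir):
        name = entry.name.lower()
        if name not in GIBE_FILES or not entry.is_file():
            continue
        expected = GIBE_FILES[name]
        size = entry.stat().st_size
        # A listed name with another size may be a variant or an unrelated file.
        label = "match" if expected in (None, size) else "size-mismatch"
        hits.append((entry.name, label))
    return sorted(hits)


def check_run_values(run_values):
    """run_values: {value name: data} exported from the Run key (assumed input)."""
    flagged = []
    for name, data in run_values.items():
        # Reduce the command line to its executable's base name.
        exe = data.replace('"', "").rsplit("\\", 1)[-1].lower().split(" ")[0]
        if name.strip().lower() == RUN_VALUE_NAME or exe in GIBE_FILES:
            flagged.append(name)
    return sorted(flagged)


def check_listening_ports(ports):
    """ports: local TCP ports in LISTEN state, e.g. parsed from netstat output."""
    return BACKDOOR_PORT in set(ports)
```

Point `scan_windows_dir` at the Windows directory of a live system or of a mounted disk image; a "size-mismatch" result needs manual review rather than automatic removal.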