Alias: W32/Swen@mm
Type: Worm
Size: 106.469 Bytes
Origin:
Date: 09-18-2003
Damage: The worm can be attached in an email. It also spreads over KaZaA and IRC. Tries to switch off antivirus programs.
VDF Version: 6.21.00.47
Danger: Medium
Distribution: Medium

Distribution

Worm/Gibe.C is a mass mailer that spreads using its own SMTP engine. It also tries to spread over networks such as KaZaA and IRC and to switch off antivirus and firewall programs.

The worm can be attached to an email. The subject, body and sender can vary. Some emails claim to be Microsoft Internet Explorer Patches or 'Delivery Failure' messages.

The worm uses a Microsoft Outlook or Outlook Express security hole to activate itself when the message is opened or previewed.

Technical Details

Worm/Gibe.C is a 106.496 Bytes file. When opened, the worm copies itself to the following locations:

C:\%WinDIR%\%8 Bytes random%.exe (106.496 Bytes)
C:\%WinDIR%\%Computername%.bat
C:\%WinDIR%\%5 Bytes random%.idq
C:\%WinDIR%\oxvga.zip (52.485 Bytes)
C:\My Documents\My Shared Folder\windows media player installer.zip
C:\My Documents\My Shared Folder\AOL hacker.zip
C:\My Documents\My Shared Folder\Virus Generator.zip
C:\My Documents\My Shared Folder\Mirc upload.zip
C:\My Documents\My Shared Folder\Download Accelerator upload.zip
C:\My Documents\My Shared Folder\WinRar upload.zip
C:\My Documents\My Shared Folder\Hallucinogenic Screensaver.zip
C:\My Documents\My Shared Folder\WinRar warez.exe
C:\My Documents\My Shared Folder\GetRight FTP key generator.exe
C:\My Documents\My Shared Folder\Download Accelerator upload.exe
C:\My Documents\My Shared Folder\KaZaA installer.zip
C:\My Documents\My Shared Folder\Hotmail hacker.zip
C:\My Documents\My Shared Folder\Yaha removal tool.zip
C:\My Documents\My Shared Folder\xbox emulator.zip
C:\My Documents\My Shared Folder\KaZaA media desktop hacked.zip
C:\My Documents\My Shared Folder\Windows Media Player hack.exe
C:\%WinDIR%\TEMP\wve\winrar warez.zip
C:\%WinDIR%\TEMP\wve\AOL hacker.zip
C:\%WinDIR%\TEMP\wve\Windows Media Player installer.zip
C:\%WinDIR%\TEMP\wve\KaZaA key generator.zip
C:\%WinDIR%\TEMP\wve\Yahoo hacker.zip
C:\%WinDIR%\TEMP\wve\Sick Joke.zip
C:\%WinDIR%\TEMP\wve\Download Accelerator hacked.zip
C:\%WinDIR%\TEMP\wve\XXX Video.exe
C:\%WinDIR%\TEMP\wve\virus generator.exe
C:\%WinDIR%\Download Accelerator upload.zip

The .EXE files are always 106.496 Bytes and the .ZIP files are 52.485 Bytes.

Worm/Gibe.C makes the following registry entries:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"%random name%"="%random name%.exe autorun"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\%random name%]
"Install Item"="%random name%"
"unfile"="%random name%.idq"
"CacheBox Outfit"="yes"
"zipname"="%random name%"
"Kazaa Infect"="yes"
"Mirc Install Folder"="C:\\Mirc"
"Email Adress"="xxx@xxxxx.de"
"VicName"="%random name%"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="%random name%"\"%1\"%*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="%random name%"\"%1\"%*"

[HKEY_CLASSES_ROOT\piffile\shell\open\command]
@="%random name%"\"%1\"%*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="%random name%\"%1\"%*"

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="%random name%"\"%1\""

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="%random name% showerror"

An update that removes the security hole is available on the Microsoft homepage.

Manual Removal Instructions

To remove the virus by hand, you should be in Safe Mode first. Press the F8 key when you start your computer, and select the 'safe mode' option that appears. Delete the following files:
C:\%WinDIR%\%8 Bytes random%.exe (106.496 Bytes)
C:\%WinDIR%\%Computername%.bat
C:\%WinDIR%\%5 Bytes random%.idq
C:\%WinDIR%\oxvga.zip (52.485 Bytes)
C:\My Documents\My Shared Folder\windows media player installer.zip
C:\My Documents\My Shared Folder\AOL hacker.zip
C:\My Documents\My Shared Folder\Virus Generator.zip
C:\My Documents\My Shared Folder\Mirc upload.zip
C:\My Documents\My Shared Folder\Download Accelerator upload.zip
C:\My Documents\My Shared Folder\WinRar upload.zip
C:\My Documents\My Shared Folder\Hallucinogenic Screensaver.zip
C:\My Documents\My Shared Folder\WinRar warez.exe
C:\My Documents\My Shared Folder\GetRight FTP key generator.exe
C:\My Documents\My Shared Folder\Download Accelerator upload.exe
C:\My Documents\My Shared Folder\KaZaA installer.zip
C:\My Documents\My Shared Folder\Hotmail hacker.zip
C:\My Documents\My Shared Folder\Yaha removal tool.zip
C:\My Documents\My Shared Folder\xbox emulator.zip
C:\My Documents\My Shared Folder\KaZaA media desktop hacked.zip
C:\My Documents\My Shared Folder\Windows Media Player hack.exe
C:\%WinDIR%\TEMP\wve\winrar warez.zip
C:\%WinDIR%\TEMP\wve\AOL hacker.zip
C:\%WinDIR%\TEMP\wve\Windows Media Player installer.zip
C:\%WinDIR%\TEMP\wve\KaZaA key generator.zip
C:\%WinDIR%\TEMP\wve\Yahoo hacker.zip
C:\%WinDIR%\TEMP\wve\Sick Joke.zip
C:\%WinDIR%\TEMP\wve\Download Accelerator hacked.zip
C:\%WinDIR%\TEMP\wve\XXX Video.exe
C:\%WinDIR%\TEMP\wve\virus generator.exe
C:\%WinDIR%\Download Accelerator upload.zip

After that, start "regedit" and edit the following registry entries:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"%random name%"="%random name%.exe autorun"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\%random name%]
"Install Item"="%random name%"
"unfile"="%random name%.idq"
"CacheBox Outfit"="yes"
"zipname"="%random name%"
"Kazaa Infect"="yes"
"Mirc Install Folder"="C:\\Mirc"
"Email Adress"="xxx@xxxxx.de"
"VicName"="%random name%"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="%random name%"\"%1\"%*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="%random name%"\"%1\"%*"

[HKEY_CLASSES_ROOT\piffile\shell\open\command]
@="%random name%"\"%1\"%*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="%random name%\"%1\"%*"

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="%random name%"\"%1\""

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="%random name% showerror"

Restart your computer and run an antivirus scan.
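
To find which of the registry entries above need editing, the check below reads a regedit export and flags handler commands that differ from the Windows defaults, plus Run entries with the "autorun" argument. It is an added example, not part of the original Avira description; the default handler values, the function names and the sample export (with "abcdefgh" standing in for the random name) are assumptions.

```python
import re

# Stock Windows open commands for the handlers the worm rewrites (assumed defaults).
DEFAULT_OPEN = {
    "exefile": '"%1" %*', "comfile": '"%1" %*', "piffile": '"%1" %*',
    "batfile": '"%1" %*', "scrfile": '"%1" /S', "regfile": 'regedit.exe "%1"',
}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
HANDLER = re.compile(r"hkey_classes_root\\(\w+)\\shell\\open\\command$")
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="(.*)"$')

def unescape(value):
    """Undo the backslash escaping a .reg file applies to quotes and backslashes."""
    return re.sub(r'\\(["\\])', r"\1", value)

def audit(reg_text):
    """Return (key, name, value, reason) tuples for suspicious entries."""
    findings, key = [], ""
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # remember the key the next values belong to
            continue
        m = VALUE.match(line)
        if not m:
            continue                  # header, blank line or non-string value
        name, value = m.group(1).strip('"'), unescape(m.group(2))
        h = HANDLER.match(key.lower())
        if h and name == "@" and h.group(1) in DEFAULT_OPEN:
            if value.lower() != DEFAULT_OPEN[h.group(1)].lower():
                findings.append((key, name, value, "open command is not the default"))
        elif key.lower() == RUN_KEY and value.lower().endswith(".exe autorun"):
            findings.append((key, name, value, "Run entry with 'autorun' argument"))
    return findings

# Constructed sample export; "abcdefgh" is a placeholder for the random name.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"abcdefgh"="abcdefgh.exe autorun"
"Updater"="C:\\Tools\\updater.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="abcdefgh \"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="abcdefgh showerror"
'''

if __name__ == "__main__":
    for key, name, value, reason in audit(SAMPLE):
        print(f"{reason}: [{key}] {name} = {value}")
```

A handler that is flagged should be set back to its default value rather than deleted, since removing the exefile command leaves programs unable to start.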
Description inserted by Crony Walker on Tuesday, June 15, 2004
