Alias: W32/Swen@mm
Type: Worm
Size: 106.469 Bytes
Origin:
Date: 09-18-2003
Damage: The worm can be attached to an email. It also spreads over KaZaA and IRC and tries to switch off antivirus programs.
VDF Version: 6.21.00.47
Danger: Medium
Distribution: Medium

Distribution

Worm/Gibe.C is a mass-mailer that spreads using its own SMTP engine. It also tries to spread over networks such as KaZaA and IRC and to switch off antivirus and firewall programs.

The worm can be attached to an email. The subject, body and sender can vary. Some emails claim to be Microsoft Internet Explorer Patches or 'Delivery Failure' messages.

The worm exploits a security hole in Microsoft Outlook or Outlook Express to activate itself when the message is opened or previewed.

Technical Details

Worm/Gibe.C is a 106.496 Bytes file. When opened, the worm copies itself to the following locations:

C:\%WinDIR%\%8 Bytes random%.exe (106.496 Bytes)
C:\%WinDIR%\%Computername%.bat
C:\%WinDIR%\%5 Bytes random%.idq
C:\%WinDIR%\oxvga.zip (52.485 Bytes)
C:\My Documents\My Shared Folder\windows media player installer.zip
C:\My Documents\My Shared Folder\AOL hacker.zip
C:\My Documents\My Shared Folder\Virus Generator.zip
C:\My Documents\My Shared Folder\Mirc upload.zip
C:\My Documents\My Shared Folder\Download Accelerator upload.zip
C:\My Documents\My Shared Folder\WinRar upload.zip
C:\My Documents\My Shared Folder\Hallucinogenic Screensaver.zip
C:\My Documents\My Shared Folder\WinRar warez.exe
C:\My Documents\My Shared Folder\GetRight FTP key generator.exe
C:\My Documents\My Shared Folder\Download Accelerator upload.exe
C:\My Documents\My Shared Folder\KaZaA installer.zip
C:\My Documents\My Shared Folder\Hotmail hacker.zip
C:\My Documents\My Shared Folder\Yaha removal tool.zip
C:\My Documents\My Shared Folder\xbox emulator.zip
C:\My Documents\My Shared Folder\KaZaA media desktop hacked.zip
C:\My Documents\My Shared Folder\Windows Media Player hack.exe
C:\%WinDIR%\TEMP\wve\winrar warez.zip
C:\%WinDIR%\TEMP\wve\AOL hacker.zip
C:\%WinDIR%\TEMP\wve\Windows Media Player installer.zip
C:\%WinDIR%\TEMP\wve\KaZaA key generator.zip
C:\%WinDIR%\TEMP\wve\Yahoo hacker.zip
C:\%WinDIR%\TEMP\wve\Sick Joke.zip
C:\%WinDIR%\TEMP\wve\Download Accelerator hacked.zip
C:\%WinDIR%\TEMP\wve\XXX Video.exe
C:\%WinDIR%\TEMP\wve\virus generator.exe
C:\%WinDIR%\Download Accelerator upload.zip

The .EXE files are always 106.496 Bytes and the .ZIP files are 52.485 Bytes.

Worm/Gibe.C creates the following registry entries:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"%random name%"="%random name%.exe autorun"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\%random name%]
"Install Item"="%random name%"
"unfile"="%random name%.idq"
"CacheBox Outfit"="yes"
"zipname"="%random name%"
"Kazaa Infect"="yes"
"Mirc Install Folder"="C:\\Mirc"
"Email Adress"="xxx@xxxxx.de"
"VicName"="%random name%"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="%random name% \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="%random name% \"%1\" %*"

[HKEY_CLASSES_ROOT\piffile\shell\open\command]
@="%random name% \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="%random name% \"%1\" %*"

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="%random name% \"%1\""

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="%random name% showerror"

Microsoft's website provides an update that closes this security hole.

Manual Removal Instructions

To remove the worm by hand, first boot into Safe Mode: press the F8 key when starting the computer and choose the 'Safe Mode' option from the menu that appears. Then delete the following files:
C:\%WinDIR%\%8 Bytes random%.exe (106.496 Bytes)
C:\%WinDIR%\%Computername%.bat
C:\%WinDIR%\%5 Bytes random%.idq
C:\%WinDIR%\oxvga.zip (52.485 Bytes)
C:\My Documents\My Shared Folder\windows media player installer.zip
C:\My Documents\My Shared Folder\AOL hacker.zip
C:\My Documents\My Shared Folder\Virus Generator.zip
C:\My Documents\My Shared Folder\Mirc upload.zip
C:\My Documents\My Shared Folder\Download Accelerator upload.zip
C:\My Documents\My Shared Folder\WinRar upload.zip
C:\My Documents\My Shared Folder\Hallucinogenic Screensaver.zip
C:\My Documents\My Shared Folder\WinRar warez.exe
C:\My Documents\My Shared Folder\GetRight FTP key generator.exe
C:\My Documents\My Shared Folder\Download Accelerator upload.exe
C:\My Documents\My Shared Folder\KaZaA installer.zip
C:\My Documents\My Shared Folder\Hotmail hacker.zip
C:\My Documents\My Shared Folder\Yaha removal tool.zip
C:\My Documents\My Shared Folder\xbox emulator.zip
C:\My Documents\My Shared Folder\KaZaA media desktop hacked.zip
C:\My Documents\My Shared Folder\Windows Media Player hack.exe
C:\%WinDIR%\TEMP\wve\winrar warez.zip
C:\%WinDIR%\TEMP\wve\AOL hacker.zip
C:\%WinDIR%\TEMP\wve\Windows Media Player installer.zip
C:\%WinDIR%\TEMP\wve\KaZaA key generator.zip
C:\%WinDIR%\TEMP\wve\Yahoo hacker.zip
C:\%WinDIR%\TEMP\wve\Sick Joke.zip
C:\%WinDIR%\TEMP\wve\Download Accelerator hacked.zip
C:\%WinDIR%\TEMP\wve\XXX Video.exe
C:\%WinDIR%\TEMP\wve\virus generator.exe
C:\%WinDIR%\Download Accelerator upload.zip

After that, start "regedit" and edit the following registry entries:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"%random name%"="%random name%.exe autorun"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\%random name%]
"Install Item"="%random name%"
"unfile"="%random name%.idq"
"CacheBox Outfit"="yes"
"zipname"="%random name%"
"Kazaa Infect"="yes"
"Mirc Install Folder"="C:\\Mirc"
"Email Adress"="xxx@xxxxx.de"
"VicName"="%random name%"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="%random name% \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="%random name% \"%1\" %*"

[HKEY_CLASSES_ROOT\piffile\shell\open\command]
@="%random name% \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="%random name% \"%1\" %*"

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="%random name% \"%1\""

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="%random name% showerror"

Restart your computer and run an antivirus scan.
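As an added example (not part of the original description), the following Python script parses a registry export in the .reg layout shown above and flags the three kinds of entries the worm leaves behind: the Run value carrying the `autorun` argument, the Explorer configuration subkey with markers such as "Kazaa Infect", and file-type handlers whose command no longer matches the Windows default. The default command strings, the marker names chosen and the sample export are assumptions made here.

```python
import re
# Assumed Windows 2000/XP defaults for the handlers the worm rewrites; any
# value that differs after whitespace normalisation is reported.
DEFAULT_COMMANDS = {
    "exefile": '"%1" %*', "comfile": '"%1" %*', "piffile": '"%1" %*',
    "batfile": '"%1" %*', "scrfile": '"%1" /S', "regfile": 'regedit.exe "%1"',
}
WORM_MARKERS = ("Kazaa Infect", "CacheBox Outfit", "VicName")

def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            name = name if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \" and \\ escapes
            keys[current][name] = data
    return keys

def find_gibe_indicators(text):
    """Report the Run, Explorer and file-type handler entries listed on this page."""
    findings = []
    for key, values in parse_reg_export(text).items():
        m = re.match(r"HKEY_CLASSES_ROOT\\(\w+)\\shell\\open\\command$", key, re.I)
        if m and m.group(1).lower() in DEFAULT_COMMANDS:
            cmd = " ".join(values.get("@", "").split())
            if cmd.lower() != DEFAULT_COMMANDS[m.group(1).lower()].lower():
                findings.append(f"hijacked {m.group(1)} handler: {cmd}")
        if key.lower().endswith(r"\currentversion\run"):
            for name, data in values.items():
                if data.lower().endswith(" autorun"):
                    findings.append(f"Run entry {name} launches: {data}")
        if any(marker in values for marker in WORM_MARKERS):
            findings.append(f"worm configuration key: {key}")
    return findings
# Constructed sample export; the random names are invented for illustration.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"qwqhrumz"="qwqhrumz.exe autorun"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\qwqhrumz]
"Kazaa Infect"="yes"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="qwqhrumz.exe \"%1\" %*"
"""
```

Run `find_gibe_indicators` over the output of `reg export HKCR\exefile` (and the other keys above) to check a machine before editing anything by hand.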
Description written by Crony Walker, opened Tuesday, 15 June 2004
