Alias: W32/Gibe@mm, WORM_GIBE.A, W32/Gibe-A, I-Worm.Gibe
Type: Worm
Size: 122,880 Bytes
Origin:
Date: 00-00-0000
Damage: Sent by email.
VDF Version: 6.23.00.00
Danger: Medium
Distribution: High

Distribution
Worm/Gibe uses Microsoft Outlook and its own SMTP engine. This worm sends itself by email disguised as a Microsoft Internet Security Update.

The false email message looks like this:
From: Microsoft Corporation Security Center
Subject: Internet Security Update
Body: Microsoft Customer, this is the latest version of security update, the update which eliminates all known security vulnerabilities affecting Internet Explorer and MS Outlook/Express as well as six new vulnerabilities . . . How to install Run attached file q216309.exe How to use You don't need to do anything after installing this item. . . .
Attachment: Q216309.exe

Technical Details
When the Visual Basic file Q216309.exe, which contains parts of other viruses, is opened, the following files are created:
- C:\Windows\Q216309.exe (122,880 Bytes), containing the full virus pack.
- C:\Windows\Vtnmsccd.dll (122,880 Bytes), identical to Q216309.exe.
- C:\Windows\BcTool.exe (32,768 Bytes), the part using Microsoft Outlook and SMTP.
- C:\Windows\GfxAcc.exe (20,480 Bytes), the Backdoor Trojan, opening port 12378.
- C:\Windows\02_N803.dat (variable size), the file containing the collected email addresses.
- C:\Windows\WinNetw.exe (20,480 Bytes), which looks for email addresses and saves them in 02_N803.dat.

The worm also spreads over networks. It tries to find all Startup directories on the network:
- Windows 2000: it tries to copy itself to C:\Documents and Settings\%Infected Computer User Name%\Start Menu\Programs\Startup.
- Windows 98: it tries to copy itself to C:\Windows\Start Menu\Programs\Startup.
- Windows NT: it tries to copy itself to C:\Winnt\Profiles\%Infected Computer User Name%\Start Menu\Programs\Startup.

Then it adds the following two entries to the registry:
LoadDBackUp C:\Windows\BcTool.exe
3Dfx Acc C:\Windows\GFXACC.exe
Registry path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

It also adds the following to the registry:
HKEY_LOCAL_MACHINE\Software\AVTech\Settings
Installed ... by Begbie
Default Address %Default Email Address%
Default Server %Default Server%

Finally, the file BcTool.exe tries to send \Windows\Q216309.exe to all email addresses found in Microsoft Outlook and in .htm, .html, .asp, and .php files. The data is also saved in 02_N803.dat.
Description inserted by Crony Walker on Tuesday, June 15, 2004
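
The indicators listed above (dropped files and their sizes, the two Run entries, the AVTech registry key and port 12378) can be checked against a host inventory. The following is an added example, not part of the original description and not Avira code; the snapshot dictionary format, the function name and the sample data are assumptions made for illustration.

```python
import ntpath

# Indicators from the description above. Sizes in bytes; None = variable size.
DROPPED = {"q216309.exe": 122880, "vtnmsccd.dll": 122880, "bctool.exe": 32768,
           "gfxacc.exe": 20480, "winnetw.exe": 20480, "02_n803.dat": None}
RUN_VALUES = {"loaddbackup": "bctool.exe", "3dfx acc": "gfxacc.exe"}
MARKER_KEY = r"hkey_local_machine\software\avtech\settings"
BACKDOOR_PORT = 12378
STARTUP_SUFFIX = r"\start menu\programs\startup"


def find_gibe_indicators(snapshot):
    """Return sorted findings for a host snapshot (hypothetical dict format)."""
    findings = []
    for path, size in snapshot.get("files", {}).items():
        folder, name = ntpath.split(path.lower())  # Windows paths ignore case
        if folder == r"c:\windows" and name in DROPPED:
            # A matching name with the wrong size is weaker evidence.
            exact = DROPPED[name] in (None, size)
            findings.append(("file: " if exact else "file-name-only: ") + path)
        elif folder.endswith(STARTUP_SUFFIX) and size == DROPPED["q216309.exe"]:
            # Assumption: the Startup copy is not named above, so size is a hint.
            findings.append("startup-candidate: " + path)
    for name, command in snapshot.get("run_values", {}).items():
        target = RUN_VALUES.get(name.lower())
        if target and ntpath.basename(command.strip('"').lower()) == target:
            findings.append("run-value: " + name)
    keys = [k.lower().rstrip("\\") for k in snapshot.get("registry_keys", [])]
    if MARKER_KEY in keys:
        findings.append("registry-key: " + MARKER_KEY)
    if BACKDOOR_PORT in snapshot.get("listening_ports", []):
        findings.append("listening-port: %d" % BACKDOOR_PORT)
    return sorted(findings)


# Constructed sample snapshot, not data from a real host.
SAMPLE = {
    "files": {r"C:\WINDOWS\BcTool.exe": 32768,
              r"C:\Windows\GfxAcc.exe": 4096,
              r"C:\Windows\notepad.exe": 122880,
              r"C:\Winnt\Profiles\alice\Start Menu\Programs\Startup\a.exe": 122880},
    "run_values": {"LoadDBackUp": r"C:\Windows\BcTool.exe",
                   "3Dfx Acc": r"C:\Tools\other.exe"},
    "registry_keys": [r"HKEY_LOCAL_MACHINE\Software\AVTech\Settings"],
    "listening_ports": [135, 12378],
}

if __name__ == "__main__":
    print("\n".join(find_gibe_indicators(SAMPLE)))
```

A `file-name-only` or `startup-candidate` finding is a lead for manual review, not a confirmed detection.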
