Ashdaw
03-06-02, 03:53 PM
W32.Gibe Trojan
This is another of those horrible little bums that you need to look out for. Make sure you get your AV Programme UP TO DATE??? or you could be sorry. This is courtesy of www.Symantec.com
W32.Gibe@mm is a worm that uses Microsoft Outlook and its own SMTP engine to spread. This worm arrives in an email message--which is disguised as a Microsoft Internet Security Update--as the attachment Q216309.exe.
The fake message, which is not from Microsoft, has the following characteristics:
From: Microsoft Corporation Security Center
Subject: Internet Security Update
Message:
Microsoft Customer,
this is the latest version of security update, the update which eliminates all known security vulnerabilities affecting Internet Explorer and MS Outlook/Express as well as six new vulnerabilities
.
.
.
How to install
Run attached file q216309.exe
How to use
You don't need to do anything after installing this item.
.
.
.
Attachment: Q216309.exe
The attached file, Q216309.exe, is written in Visual Basic; it contains other worm components inside itself. When the attached file is executed, it does the following:
It creates the following files:
\Windows\Q216309.exe (122,880 bytes). This is the whole package containing the worm.
\Windows\Vtnmsccd.dll (122,880 bytes). This file is the same as Q216309.exe.
\Windows\BcTool.exe (32,768 bytes). This is the worm component that spreads using Microsoft Outlook and SMTP.
\Windows\GfxAcc.exe (20,480 bytes). This is the Backdoor Trojan component of the worm that opens port 12378.
\Windows\02_N803.dat (size varies). This is the data file that the worm creates to store email addresses that it finds.
\Windows\WinNetw.exe (20,480 bytes). This is the component that searches for email addresses and writes them to 02_N803.dat.
NOTE: Norton AntiVirus detects all of these files as W32.Gibe@mm except the 02_N803.dat file, which contains only data.
Next, the worm adds the following values:
LoadDBackUp C:\Windows\BcTool.exe
3Dfx Acc C:\Windows\GFXACC.exe
to the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
The worm also creates the key
HKEY_LOCAL_MACHINE\Software\AVTech\Settings
and adds the following values to that key:
Installed ... by Begbie
Default Address <Default Email Address>
Default Server <Default Server>
Finally, BcTool.exe attempts to send the \Windows\Q216309.exe file to email addresses in the Microsoft Outlook address book, and to addresses that it found in .htm, .html, .asp, and .php files and wrote to the 02_N803.dat file.
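As an added example (not part of Ashdaw's post or Symantec's write-up), here is a Python triage check that looks for the indicators listed above in a regedit export, a \Windows directory listing and netstat output. The registry paths, value names, file names and port number come from the description; the three inputs below are constructed samples, not data from an infected host.

```python
import re

# Indicators as given in the Symantec description of W32.Gibe@mm.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run".lower()
AVTECH_KEY = r"HKEY_LOCAL_MACHINE\Software\AVTech\Settings".lower()
RUN_VALUES = {"LoadDBackUp": "bctool.exe", "3Dfx Acc": "gfxacc.exe"}
DROPPED_FILES = {"q216309.exe", "vtnmsccd.dll", "bctool.exe",
                 "gfxacc.exe", "winnetw.exe", "02_n803.dat"}
BACKDOOR_PORT = 12378

def parse_reg_export(text):
    """Parse a regedit .reg export into {key(lowercased): {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, data = line.split("=", 1)
            # .reg files double backslashes inside string data; undo that.
            keys[current][name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return keys

def check_registry(keys):
    """Flag the persistence values and the AVTech marker key."""
    hits = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if name in RUN_VALUES or data.lower().endswith(tuple(RUN_VALUES.values())):
            hits.append(f"Run value {name!r} -> {data}")
    if AVTECH_KEY in keys:
        hits.append(f"marker key present: {AVTECH_KEY}")
    return hits

def check_files(windows_dir_listing):
    """Return the dropped-file names present in a \\Windows listing."""
    return sorted(f for f in windows_dir_listing if f.lower() in DROPPED_FILES)

def check_listeners(netstat_output):
    """Return [12378] if a TCP listener on the backdoor port is in 'netstat -an' output."""
    pat = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.M)
    return [int(p) for p in pat.findall(netstat_output) if int(p) == BACKDOOR_PORT]

# Constructed samples mimicking an infected host (not real captures).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"LoadDBackUp"="C:\\Windows\\BcTool.exe"
"3Dfx Acc"="C:\\Windows\\GFXACC.exe"
"Harmless"="C:\\Program Files\\Foo\\foo.exe"

[HKEY_LOCAL_MACHINE\Software\AVTech\Settings]
"Installed"="... by Begbie"
'''
SAMPLE_WINDOWS_DIR = ["explorer.exe", "Q216309.exe", "Vtnmsccd.dll", "BcTool.exe",
                      "GfxAcc.exe", "02_N803.dat", "WinNetw.exe", "notepad.exe"]
SAMPLE_NETSTAT = """  Proto  Local Address     Foreign Address   State
  TCP    0.0.0.0:135       0.0.0.0:0         LISTENING
  TCP    0.0.0.0:12378     0.0.0.0:0         LISTENING
"""

if __name__ == "__main__":
    print(check_registry(parse_reg_export(SAMPLE_REG)))
    print(check_files(SAMPLE_WINDOWS_DIR))
    print(check_listeners(SAMPLE_NETSTAT))
```

On a real host the same three functions would be fed the output of `regedit /e`, a listing of the Windows directory and `netstat -an`; a clean machine should produce three empty lists.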