Discovered on: March 4, 2002
Last Updated on: March 11, 2002 at 07:17:27 AM PST
Due to an increased rate of submissions, Symantec
Security Response has upgraded the threat rating of
W32.Gibe@mm from Category 2 to Category 3 as of March
11, 2002.
W32.Gibe@mm is a worm that uses Microsoft Outlook and
its own SMTP engine to spread. This worm arrives in an
email message--which is disguised as a Microsoft
Internet Security Update--as the attachment Q216309.exe.
Also Known As: W32/Gibe@mm, WORM_GIBE.A, W32/Gibe-A
Type: Trojan Horse, Worm
Infection Length: 122,880 bytes
Virus Definitions (Intelligent Updater): March 5, 2002
Virus Definitions (LiveUpdate): March 6, 2002
Threat Assessment:
Wild:
Damage:
Distribution:
Technical description:
The fake message, which is not from Microsoft,
has the following characteristics:
From: Microsoft Corporation Security Center
Subject: Internet Security Update
Message:
Microsoft Customer,
this is the latest version of security update, the
update which eliminates all known security
vulnerabilities affecting Internet Explorer and MS
Outlook/Express as well as six new vulnerabilities
.
.
How to install
Run attached file q216309.exe
How to use
You don't need to do anything after installing this
item.
.
Attachment: Q216309.exe
The attached file, Q216309.exe, is written in Visual
Basic; it contains other worm components inside itself.
When the attached file is executed, it does the
following:
It creates the following files:
- \Windows\Q216309.exe (122,880 bytes). This is the
whole package containing the worm.
- \Windows\Vtnmsccd.dll (122,880 bytes). This file
is the same as Q216309.exe.
- \Windows\BcTool.exe (32,768 bytes). This is the
worm component that spreads using Microsoft Outlook
and SMTP.
- \Windows\GfxAcc.exe (20,480 bytes). This is the
Backdoor Trojan component of the worm that opens
port 12378.
- \Windows\02_N803.dat (size varies). This is the
data file that the worm creates to store email
addresses that it finds.
- \Windows\WinNetw.exe (20,480 bytes). This is the
component that searches for email addresses and
writes them to 02_N803.dat.
NOTE: Norton AntiVirus detects all of these files
as W32.Gibe@mm except the 02_N803.dat file, which
contains only data.
Next, the worm adds the following values:
LoadDBackUp C:\Windows\BcTool.exe
3Dfx Acc C:\Windows\GFXACC.exe
to the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
The worm also creates the key
HKEY_LOCAL_MACHINE\Software\AVTech\Settings
and adds the following values to that key:
Installed ... by Begbie
Default Address <Default Email Address>
Default Server <Default Server>
Finally, BcTool.exe attempts to send the
\Windows\Q216309.exe file to email addresses in the
Microsoft Outlook address book, and to addresses that it
found in .htm, .html, .asp, and .php files and wrote to
the 02_N803.dat file.
Removal instructions:
Delete files that are detected as W32.Gibe@mm, delete
the 02_N803.dat file, and remove the key and values that
the worm added to the registry.
To remove this Trojan:
1. Obtain the most recent virus definitions. There are
two ways to do this:
- Run LiveUpdate. LiveUpdate is the easiest way to
obtain virus definitions. These virus definitions
have undergone full quality assurance testing by
Symantec Security Response and are posted to the
LiveUpdate servers one time each week (usually
Wednesdays) unless there is a major virus
outbreak. To determine whether definitions for
this threat are available by LiveUpdate, look at
the Virus Definitions (LiveUpdate)
line at the top of this write-up.
- Download the definitions using the Intelligent
Updater. Intelligent Updater virus definitions
have undergone full quality assurance testing by
Symantec Security Response. They are posted on
U.S. business days (Monday through Friday). They
must be downloaded from the Symantec Security
Response Web site and installed manually. To
determine whether definitions for this threat are
available by the Intelligent Updater, look at the Virus
Definitions (Intelligent Updater) line
at the top of this write-up.
Intelligent Updater virus definitions are
available here.
For detailed instructions on how to download and
install the Intelligent Updater virus definitions
from the Symantec Security Response Web site,
click here.
2. Start Norton AntiVirus (NAV), and make sure that
NAV is configured to scan all files. For instructions
on how to do this, read the document How
to configure Norton AntiVirus to scan all files.
3. Run a full system scan.
4. Delete all files that are detected as W32.Gibe@mm.
5. Using Windows Explorer, delete the
\Windows\02_N803.dat file.
To edit the registry:
CAUTION: We strongly recommend that you back up
the registry before you make any changes to it.
Incorrect changes to the registry can result in
permanent data loss or corrupted files. Modify only the
keys that are specified. Read the document How
to back up the Windows registry for
instructions.
1. Click Start, and click Run. The Run dialog box
appears.
2. Type regedit and then click OK. The
Registry Editor opens.
3. Navigate to the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
4. In the right pane, delete the following values:
LoadDBackUp C:\Windows\BcTool.exe
3Dfx Acc C:\Windows\GFXACC.exe
5. Navigate to and delete the key
HKEY_LOCAL_MACHINE\Software\AVTech
6. Click Registry, and click Exit.
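As an added example (not part of the Symantec write-up), the following PowerShell script audits a host for the indicators listed in the technical description above (dropped files, the two Run values, the AVTech key, the port 12378 listener) and, when run with -Remove, applies the manual cleanup from the removal steps. It assumes a current Windows with the Get-NetTCPConnection cmdlet and resolves the Windows directory from $env:SystemRoot rather than the hard-coded C:\Windows path.

```powershell
# Added example, not Symantec's code: audit for W32.Gibe@mm indicators and,
# with -Remove, apply the write-up's manual cleanup (files, Run values, key).
# Assumes $env:SystemRoot is the directory the write-up calls \Windows.
param([switch]$Remove)

$runKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$avtKey  = 'HKLM:\Software\AVTech'
$runVals = @('LoadDBackUp', '3Dfx Acc')            # values the worm adds
$files   = @('Q216309.exe', 'Vtnmsccd.dll', 'BcTool.exe',
             'GfxAcc.exe', 'WinNetw.exe', '02_N803.dat') |
           ForEach-Object { Join-Path $env:SystemRoot $_ }
$found = @()

# 1. Files the worm drops into the Windows directory
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $found += "file: $f" }
}

# 2. Persistence values under the Run key
if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($v in $runVals) {
        if ($run.PSObject.Properties[$v]) { $found += "run value: $v = $($run.$v)" }
    }
}

# 3. The worm's own settings key (HKLM\Software\AVTech\Settings)
if (Test-Path $avtKey) { $found += "key: $avtKey" }

# 4. Backdoor component (GfxAcc.exe) listening on TCP 12378
$listener = Get-NetTCPConnection -LocalPort 12378 -State Listen -ErrorAction SilentlyContinue
if ($listener) { $found += "listener: TCP 12378 (PID $($listener.OwningProcess))" }

if (-not $found) { Write-Output 'No W32.Gibe@mm indicators found.'; return }
$found | ForEach-Object { Write-Output "FOUND $_" }

if ($Remove) {
    # Stop the running components first so their files can be deleted
    Get-Process -Name BcTool, GfxAcc, WinNetw -ErrorAction SilentlyContinue | Stop-Process -Force
    foreach ($v in $runVals) {
        Remove-ItemProperty -Path $runKey -Name $v -ErrorAction SilentlyContinue
    }
    Remove-Item -Path $avtKey -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        Remove-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue
    }
    Write-Output 'Cleanup applied; run a full antivirus scan to confirm.'
}
```

Run it from an elevated prompt, since the Run key and HKLM\Software\AVTech require administrative rights to modify.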
Additional information:
It has been discovered that this worm may distribute
corrupted copies of itself that are non-functional.
Virus definitions dated March 11, 2002 or later will
detect such corruptions as W32.Gibe.dam. Files detected
as such must be deleted.
Revision History:
- March 11, 2002
- Upgraded to Category 3
- Added Additional information regarding
W32.Gibe.dam
Write-up by: Gor Nazaryan