
Virus Central - Detailed

Virus Information


Name:

W32.Gibe@mm

Aliases:

W32/Gibe@mm, WORM_GIBE.A, W32/Gibe-A

Type:

Trojan Horse, Worm

Discovery Date:

3/4/02

Virus Description:

W32.Gibe@mm is a worm that uses Microsoft Outlook and its own SMTP engine to spread. This
worm arrives in an email message--which is disguised as a Microsoft Internet Security Update--as the attachment Q216309.exe.

E-mail Subject:

Internet Security Update

E-mail Body:

Microsoft Customer,
this is the latest version of security update, the update which eliminates all known security
vulnerabilities affecting Internet Explorer and MS Outlook/Express as well as six new vulnerabilities
.
.
.
How to install
Run attached file q216309.exe
How to use
You don't need to do anything after installing this item.

Attachment:

Q216309.exe

Virus Effects:


The attached file, Q216309.exe, is written in Visual Basic; it contains other worm components inside itself. When the attached file is executed, it does the following:

It creates the following files:

  • \Windows\Q216309.exe (122,880 bytes). This is the whole package containing the worm.
  • \Windows\Vtnmsccd.dll (122,880 bytes). This file is the same as Q216309.exe.
  • \Windows\BcTool.exe (32,768 bytes). This is the worm component that spreads using
    Microsoft Outlook and SMTP.
  • \Windows\GfxAcc.exe (20,480 bytes). This is the Backdoor Trojan component of the worm
    that opens port 12378.
  • \Windows\02_N803.dat (size varies). This is the data file that the worm creates to store email
    addresses that it finds.
  • \Windows\WinNetw.exe (20,480 bytes). This is the component that searches for email
    addresses and writes them to 02_N803.dat.

NOTE: Norton AntiVirus detects all of these files as W32.Gibe@mm except the 02_N803.dat file,
which contains only data.

Next, the worm adds the following values:

LoadDBackUp C:\Windows\BcTool.exe
3Dfx Acc C:\Windows\GFXACC.exe

to the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

The worm also creates the key

HKEY_LOCAL_MACHINE\Software\AVTech\Settings

and adds the following values to that key:

Installed ... by Begbie
Default Address <Default Email Address>
Default Server <Default Server>

Finally, BcTool.exe attempts to send the \Windows\Q216309.exe file to email addresses in the
Microsoft Outlook address book, and to addresses that it found in .htm, .html, .asp, and .php files
and wrote to the 02_N803.dat file.
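The file and registry artifacts listed above are enough to write a simple host triage check. The following script is an added example, not part of the LHRIC or Symantec write-up; it takes a directory listing as (path, size) pairs and the Run-key values as a dict (both constructed inline here) and reports which W32.Gibe@mm indicators are present. Comparisons are case-insensitive because the write-up itself spells the names inconsistently (GfxAcc.exe / GFXACC.exe).

```python
import ntpath

# File names and sizes from the write-up; 02_N803.dat has no fixed size.
GIBE_FILES = {
    "q216309.exe": 122880,
    "vtnmsccd.dll": 122880,
    "bctool.exe": 32768,
    "gfxacc.exe": 20480,
    "winnetw.exe": 20480,
    "02_n803.dat": None,
}
# Run-key values the worm registers (value name -> data from the write-up).
GIBE_RUN_VALUES = {
    "loaddbackup": r"c:\windows\bctool.exe",
    "3dfx acc": r"c:\windows\gfxacc.exe",
}
GIBE_KEY_PREFIX = r"hkey_local_machine\software\avtech"


def scan_files(entries):
    """entries: iterable of (path, size). Returns a list of (path, verdict)."""
    hits = []
    for path, size in entries:
        name = ntpath.basename(path).lower()
        if name not in GIBE_FILES:
            continue
        expected = GIBE_FILES[name]
        if expected is None:
            verdict = "data file (not detected by AV; delete manually)"
        elif size == expected:
            verdict = "size matches write-up"
        else:
            # A truncated copy may be the corrupted variant (W32.Gibe.dam).
            verdict = "name matches, size differs (possible W32.Gibe.dam)"
        hits.append((path, verdict))
    return hits


def scan_registry(run_values, keys):
    """run_values: dict of value name -> data under HKLM\\...\\Run.
    keys: iterable of key paths present. Returns a list of findings."""
    findings = []
    for name, data in run_values.items():
        expected = GIBE_RUN_VALUES.get(name.lower())
        # Compare on the file name only: the Windows directory may not be C:\Windows.
        if expected and ntpath.basename(data.lower()) == ntpath.basename(expected):
            findings.append(f"Run value {name!r} -> {data}")
    findings += [f"key {k}" for k in keys if k.lower().startswith(GIBE_KEY_PREFIX)]
    return findings
```

On a live host the same functions can be fed from os.scandir over the Windows directory and from a parsed .reg export of the Run key.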

Removal Instructions:

Delete files that are detected as W32.Gibe@mm, delete the 02_N803.dat file, and remove the key
and values that the worm added to the registry.

To remove this Trojan:

1. Obtain the most recent virus definitions. There are two ways to do this:

  • Run LiveUpdate. LiveUpdate is the easiest way to obtain virus definitions. These virus
    definitions have undergone full quality assurance testing by Symantec Security
    Response and are posted to the LiveUpdate servers one time each week (usually
    Wednesdays) unless there is a major virus outbreak. To determine whether definitions
    for this threat are available by LiveUpdate, look at the Virus Definitions (LiveUpdate)
    line at the top of this write-up.

  • Download the definitions using the Intelligent Updater. Intelligent Updater virus
    definitions have undergone full quality assurance testing by Symantec Security
    Response. They are posted on U.S. business days (Monday through Friday). They
    must be downloaded from the Symantec Security Response Web site and installed
    manually. To determine whether definitions for this threat are available by the Intelligent
    Updater, look at the Virus Definitions (Intelligent Updater) line at the top of this
    write-up.

Intelligent Updater virus definitions are available here. For detailed instructions on how
to download and install the Intelligent Updater virus definitions from the Symantec
Security Response Web site, click here.

2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For
instructions on how to do this, read the document How to configure Norton AntiVirus to scan
all files.
3. Run a full system scan.
4. Delete all files that are detected as W32.Gibe@mm.
5. Using Windows Explorer, delete the \Windows\02_N803.dat file.

To edit the registry:

CAUTION: We strongly recommend that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to back up the Windows registry for
instructions.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, delete the following values:

LoadDBackUp C:\Windows\BcTool.exe
3Dfx Acc C:\Windows\GFXACC.exe

5. Navigate to and delete the key

HKEY_LOCAL_MACHINE\Software\AVTech

6. Click Registry, and click Exit.

Additional information:

It has been discovered that this worm may distribute corrupted copies of itself which are
non-functional. Virus definitions dated March 11, 2002 or later will detect such corruptions as
W32.Gibe.dam. Files detected as such must be deleted.



Site Last Updated: March 12, 2002
© Copyright 2001,2002 Lower Hudson Regional Information Center (LHRIC).