New Virus Warning

See Dave's letter in this issue.

Info taken from the Symantec site at http://www.symantec.com/avcenter/venc/data/w32.gibe@mm.html

W32.Gibe@mm

Discovered on: March 4, 2002
Last Updated on: April 15, 2002 at 04:40:06 PM PDT

Due to an increased rate of submissions, Symantec Security Response has upgraded the threat rating of W32.Gibe@mm from Category 2 to Category 3 as of March 11, 2002.

W32.Gibe@mm is a worm that uses Microsoft Outlook and its own SMTP engine to spread. This worm arrives in an email message, disguised as a Microsoft Internet Security Update, as the attachment Q216309.exe. The worm also attempts to copy itself to all locally mapped remote drives.

Also Known As: W32/Gibe@mm, WORM_GIBE.A, W32/Gibe-A
Type: Trojan Horse, Worm
Infection Length: 122,880 bytes

Threat Assessment

Wild:
  Number of infections: More than 1000
  Number of sites: More than 10
  Geographical distribution: High
  Threat containment: Easy
  Removal: Moderate

Damage:
  Payload:
    Large scale e-mailing: Sends to addresses found in the Microsoft Outlook Address Book and by searching .htm, .html, .asp, and .php files.
    Compromises security settings: Installs a Backdoor Trojan which allows remote access to the infected system.

Distribution:
  Subject of email: Internet Security Update
  Name of attachment: Q216309.exe
  Size of attachment: 122,880 bytes
  Ports: 12378
  Shared drives: It attempts to locate the Startup folder on all mapped network drives, based on the OS of the infected system.

The fake message, which is not from Microsoft, has the following characteristics:

From: Microsoft Corporation Security Center
Subject: Internet Security Update
Message:
  Microsoft Customer, this is the latest version of security update, the update which eliminates all known security vulnerabilities affecting Internet Explorer and MS Outlook/Express as well as six new vulnerabilities . . .
  How to install
  Run attached file q216309.exe
  How to use
  You don't need to do anything after installing this item. . . .

Attachment: Q216309.exe

The attached file, Q216309.exe, is written in Visual Basic; it contains the other worm components inside itself. When the attached file is executed, it does the following:

It creates the following files:

  \Windows\Q216309.exe (122,880 bytes). This is the whole package containing the worm.
  \Windows\Vtnmsccd.dll (122,880 bytes). This file is the same as Q216309.exe.
  \Windows\BcTool.exe (32,768 bytes). This is the worm component that spreads using Microsoft Outlook and SMTP.
  \Windows\GfxAcc.exe (20,480 bytes). This is the Backdoor Trojan component of the worm that opens port 12378.
  \Windows\02_N803.dat (size varies). This is the data file that the worm creates to store the email addresses that it finds.
  \Windows\WinNetw.exe (20,480 bytes). This is the component that searches for email addresses and writes them to 02_N803.dat.

NOTE: Norton AntiVirus detects all of these files as W32.Gibe@mm except the 02_N803.dat file, which contains only data.

The worm is also network aware. It attempts to locate the Startup folder on all mapped network drives, as follows:

  Windows 2000. On Windows 2000 computers, it attempts to copy itself to \Documents and Settings\%Infected Computer User Name%\Start Menu\Programs\Startup on the remote computer.
  NOTE: %Infected Computer User Name% is a variable. For example, if the logged-in user of the infected computer is "Administrator," it would copy itself to \Documents and Settings\Administrator\Start Menu\Programs\Startup on the remote computer.

  Windows 98. On Windows 98 computers, it attempts to copy itself to \Windows\Start Menu\Programs\Startup on the remote computer.

  Windows NT. On Windows NT computers, it attempts to copy itself to \Winnt\Profiles\%Infected Computer User Name%\Start Menu\Programs\Startup on the remote computer.
  NOTE: %Infected Computer User Name% is a variable. For example, if the logged-in user of the infected computer is "Administrator," it would copy itself to \Winnt\Profiles\Administrator\Start Menu\Programs\Startup on the remote computer.
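The lure characteristics listed above (sender display name, subject, attachment name and its 122,880-byte size) are enough for a mail-gateway check. The following is an added example, not code from the Symantec write-up: it parses a raw message with Python's standard email library and reports which characteristics match; the sample messages, the example.invalid addresses and the zero-filled attachment are constructed here and contain no worm code.

```python
import email
from email import policy
from email.message import EmailMessage

# Lure characteristics from the write-up above, lower-cased for comparison.
GIBE_FROM = "microsoft corporation security center"
GIBE_SUBJECT = "internet security update"
GIBE_ATTACHMENT = "q216309.exe"   # the body names it in lower case, the header in upper
GIBE_SIZE = 122_880               # bytes; corrupted copies (W32.Gibe.dam) may differ

def gibe_indicators(raw_message: bytes) -> dict:
    """Parse a raw RFC 822 message and report which W32.Gibe@mm lure characteristics
    it carries. Only headers and the attachment's name and length are examined;
    the attachment content is never executed or written to disk."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = {
        "from_display_name": GIBE_FROM in str(msg.get("From", "")).lower(),
        "subject": str(msg.get("Subject", "")).strip().lower() == GIBE_SUBJECT,
        "attachment_name": False,
        "attachment_size": False,
    }
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == GIBE_ATTACHMENT:
            hits["attachment_name"] = True
            hits["attachment_size"] = len(part.get_payload(decode=True) or b"") == GIBE_SIZE
    # The attachment name alone warrants quarantine: the write-up notes that
    # non-functional corrupted copies circulate too, so a size mismatch must not
    # clear the message.
    hits["quarantine"] = hits["attachment_name"] or (hits["from_display_name"] and hits["subject"])
    return hits

def build_sample(attachment_size: int) -> bytes:
    """Constructed message mimicking the lure; the attachment is zero bytes, not the worm."""
    msg = EmailMessage()
    msg["From"] = "Microsoft Corporation Security Center <update@example.invalid>"
    msg["To"] = "customer@example.invalid"
    msg["Subject"] = "Internet Security Update"
    msg.set_content("Microsoft Customer, this is the latest version of security update ...\n"
                    "How to install\nRun attached file q216309.exe\n")
    msg.add_attachment(b"\0" * attachment_size, maintype="application",
                       subtype="octet-stream", filename="Q216309.exe")
    return msg.as_bytes()
```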
Next, the worm adds the following values:

  LoadDBackUp  C:\Windows\BcTool.exe
  3Dfx Acc     C:\Windows\GFXACC.exe

to the registry key

  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

The worm also creates the key

  HKEY_LOCAL_MACHINE\Software\AVTech\Settings

and adds the following values to that key:

  Installed ... by Begbie
  Default Address
  Default Server

Finally, BcTool.exe attempts to send the \Windows\Q216309.exe file to the email addresses in the Microsoft Outlook address book, and to the addresses that it found in .htm, .html, .asp, and .php files and wrote to the 02_N803.dat file.

Removal

The preferred way to remove this worm is to use the removal tool at http://securityresponse.symantec.com/avcenter/venc/data/w32.gibe@mm.removal.tool.html. If for any reason you cannot obtain the tool, you must remove the worm manually.

To remove this worm:

1. Update your virus definitions.
2. Restart the computer in Safe mode.
3. Run a full system scan and delete files that are detected as W32.Gibe@mm, and then delete the 02_N803.dat file.
4. Remove the key and values that the worm added to the registry.

NOTE: Windows Me and Windows XP users should turn off System Restore. This feature, which is enabled by default, is used by Windows Me/XP to restore files on your computer in case they become damaged. When a computer is infected with a virus, it is possible that the virus could be backed up by System Restore. By default, Windows prevents System Restore from being modified by outside programs. As a result, there is the possibility that you could accidentally restore a virus-infected file, or that on-line scanners would detect the virus in that location. For instructions on how to turn off System Restore, read your Windows documentation or one of the following articles:

To delete the worm files:

1. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
2. Run a full system scan.
3. Delete all files that are detected as W32.Gibe@mm.
4. Using Windows Explorer, delete the \Windows\02_N803.dat file.

To edit the registry:

CAUTION: We strongly recommend that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to back up the Windows registry for instructions.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
4. In the right pane, delete the following values:
     LoadDBackUp  C:\Windows\BcTool.exe
     3Dfx Acc     C:\Windows\GFXACC.exe
5. Navigate to and delete the key HKEY_LOCAL_MACHINE\Software\AVTech
6. Click Registry, and click Exit.

Additional information: It has been discovered that this worm may distribute corrupted copies of itself which are non-functional. Virus definitions dated March 11, 2002 or later detect these as W32.Gibe.dam. Files detected as such must be deleted.

Write-up by: Gor Nazaryan

- o -
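The dropped files, Run values, AVTech key, listening port and per-OS Startup-folder rule above are what an administrator verifies before and after the manual removal steps. The following is an added example, not part of the Symantec write-up: it matches a previously collected host snapshot (a plain dict; the sample snapshot, drive letter Z:, the 9,313-byte data file and the benign entries are constructed) against those artefacts, compares sizes against the write-up, and derives the remote Startup path the worm would use from the infected host's OS and user.

```python
import ntpath

# Artefacts from the write-up above. 02_N803.dat varies in size, hence None.
GIBE_FILES = {"q216309.exe": 122_880, "vtnmsccd.dll": 122_880, "bctool.exe": 32_768,
              "gfxacc.exe": 20_480, "winnetw.exe": 20_480, "02_n803.dat": None}
GIBE_RUN_VALUES = {"loaddbackup": "bctool.exe", "3dfx acc": "gfxacc.exe"}
GIBE_KEY_PREFIX = r"hkey_local_machine\software\avtech"
GIBE_PORT = 12378

def remote_startup_folder(infected_os: str, user: str) -> str:
    """Startup folder the worm copies itself to on each mapped drive; the path is
    chosen by the *infected* host's OS and logged-in user, not the remote host's."""
    if infected_os == "Windows 2000":
        return rf"\Documents and Settings\{user}\Start Menu\Programs\Startup"
    if infected_os == "Windows 98":
        return r"\Windows\Start Menu\Programs\Startup"
    if infected_os == "Windows NT":
        return rf"\Winnt\Profiles\{user}\Start Menu\Programs\Startup"
    raise ValueError(f"write-up gives no propagation rule for {infected_os!r}")

def gibe_host_findings(snapshot: dict) -> list:
    """Match a host snapshot (a dict collected earlier, not a live registry) against
    the artefacts. Comparisons are case-insensitive, as Windows names are."""
    findings = []
    for path, size in snapshot["files"].items():
        name = ntpath.basename(path).lower()
        if name in GIBE_FILES:
            expected = GIBE_FILES[name]
            note = "" if expected in (None, size) else f" (size {size}, write-up gives {expected})"
            findings.append(f"file {path}{note}")
    for value, data in snapshot["run_values"].items():
        if ntpath.basename(data).lower() == GIBE_RUN_VALUES.get(value.lower()):
            findings.append(f"Run value {value!r} -> {data}")
    if any(k.lower().startswith(GIBE_KEY_PREFIX) for k in snapshot["keys"]):
        findings.append(r"registry key HKEY_LOCAL_MACHINE\Software\AVTech present")
    if GIBE_PORT in snapshot["listening_ports"]:
        findings.append(f"port {GIBE_PORT} listening (GfxAcc.exe backdoor)")
    return findings

# Constructed snapshot of a hypothetical infected Windows 2000 host with Z: mapped.
SAMPLE_SNAPSHOT = {
    "files": {r"C:\Windows\Q216309.exe": 122_880, r"C:\Windows\GfxAcc.exe": 20_480,
              r"C:\Windows\02_N803.dat": 9_313, r"C:\Windows\notepad.exe": 53_248,
              r"Z:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Q216309.exe": 61_440},
    "run_values": {"LoadDBackUp": r"C:\Windows\BcTool.exe", "3Dfx Acc": r"C:\Windows\GFXACC.exe",
                   "Synchronization Manager": "mobsync.exe /logon"},
    "keys": [r"HKEY_LOCAL_MACHINE\Software\AVTech\Settings"],
    "listening_ports": [135, 139, 12378],
}
```

Running gibe_host_findings(SAMPLE_SNAPSHOT) lists eight findings, including the undersized copy on Z:, while the benign notepad.exe and the unrelated Run value are not reported.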