Dear All:
Here is the latest alert issued today.
It's a Level Three Alert.
Note that this worm looks like it's coming
from Microsoft with instructions to install.
One of the Security houses also found that
a version of this could be executed without
activating the attachment.
So download your AV patches ASAP. If the
virus can activate without execution of the
attachment then the thought that you are
protected by not executing attachments is
false.
Note that these viruses are not being
transmitted through Rootsweb but are
coming from people that you know and have
your address in their email program.
Best Regards
John A Hansen
List Admin
W32.Gibe@mm
Discovered on: March 4, 2002
Last Updated on: March 11, 2002 at 07:17:27 AM PST
Due to an increased rate of submissions Symantec Security
Response has upgraded the threat rating of W32.Gibe@mm
from Category 2 to Category 3 as of March 11, 2002.
W32.Gibe@mm is a worm that uses Microsoft Outlook and its
own SMTP engine to spread. This worm arrives in an email
message--which is disguised as a Microsoft Internet
Security Update--as the attachment Q216309.exe.
Also Known As: W32/Gibe@mm, WORM_GIBE.A, W32/Gibe-A
Type: Trojan Horse, Worm
Infection Length: 122,880 bytes
Virus Definitions (Intelligent Updater): March 5, 2002
Virus Definitions (LiveUpdate(TM)): March 6, 2002
Threat Assessment:
Damage:
Payload:
Large scale e-mailing: Sends to addresses found
in the Microsoft Outlook Address Book and by searching
.htm, .html, .asp, and .php files.
Compromises security settings: Installs a Backdoor
Trojan which allows remote access to the infected system.
Distribution:
Subject of email: Internet Security Update
Name of attachment: Q216309.exe
Size of attachment: 122,880 bytes
Ports: 12378
Technical description:
The fake message, which is not from Microsoft, has
the following characteristics:
From: Microsoft Corporation Security Center
Subject: Internet Security Update
Message:
Microsoft Customer,
this is the latest version of security update,
the update which eliminates all known security
vulnerabilities affecting Internet Explorer and
MS Outlook/Express as well as six new vulnerabilities
...
How to install
Run attached file q216309.exe
How to use
You don't need to do anything after installing this item.
...
Attachment: Q216309.exe
The attached file, Q216309.exe, is written in Visual Basic;
it contains other worm components inside itself. When the
attached file is executed, it does the following:
It creates the following files:
\Windows\Q216309.exe (122,880 bytes). This is the whole package
containing the worm.
\Windows\Vtnmsccd.dll (122,880 bytes). This file is the same
as Q216309.exe.
\Windows\BcTool.exe (32,768 bytes). This is the worm component
that spreads using Microsoft Outlook and SMTP.
\Windows\GfxAcc.exe (20,480 bytes). This is the Backdoor
Trojan component of the worm that opens port 12378.
\Windows\02_N803.dat (size varies). This is the data file
that the worm creates to store email addresses that it finds.
\Windows\WinNetw.exe (20,480 bytes). This is the component
that searches for email addresses and writes them to 02_N803.dat.
NOTE: Norton AntiVirus detects all of these files as W32.Gibe@mm
except the 02_N803.dat file, which contains only data.
Finally, BcTool.exe attempts to send the
\Windows\Q216309.exe file to email addresses
in the Microsoft Outlook address book, and to
addresses that it found in .htm, .html, .asp,
and .php files and wrote to the 02_N803.dat file.
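As an added example (not part of the Symantec writeup or of the list mail above), a small Python mail-gateway check that looks for the indicators the description gives: the "Internet Security Update" subject, the Q216309.exe attachment name in either case, and the 122,880-byte attachment size. The sender name and the sample messages are constructed here for illustration.

```python
"""Flag mail carrying the W32.Gibe@mm lure described in the Symantec writeup."""
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the writeup above
GIBE_SUBJECT = "internet security update"
GIBE_ATTACHMENT = "q216309.exe"   # seen as both Q216309.exe and q216309.exe
GIBE_SIZE = 122_880               # attachment size in bytes


def gibe_indicators(raw_message: bytes) -> list[str]:
    """Return the Gibe indicators present in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() == GIBE_SUBJECT:
        hits.append("subject")
    if "microsoft" in (msg["From"] or "").lower():
        # Microsoft does not ship security updates as mailed attachments
        hits.append("from-claims-microsoft")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == GIBE_ATTACHMENT:
            hits.append("attachment-name")
        if name.endswith(".exe"):
            hits.append("executable-attachment")
        if len(part.get_payload(decode=True) or b"") == GIBE_SIZE:
            hits.append("attachment-size")
    return hits


def is_gibe_lure(raw_message: bytes) -> bool:
    """Verdict: the known filename, or the lure subject plus any .exe attachment."""
    hits = gibe_indicators(raw_message)
    return "attachment-name" in hits or (
        "subject" in hits and "executable-attachment" in hits)


def build_sample(subject: str, sender: str, filename: str, size: int) -> bytes:
    """Constructed test message (not a real capture) with one attachment."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "list@example.invalid"
    m["Subject"] = subject
    m.set_content("Microsoft Customer, this is the latest version of security update ...")
    m.add_attachment(b"\x00" * size, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```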