New Virus Alert

Dear Lynn Avery,

 

Discovered on: March 4, 2002
Last Updated on: March 6, 2002 at 10:04:33 AM PST

 

 

W32.Gibe@mm is a worm that uses Microsoft Outlook and its own SMTP engine to spread. It arrives in an email message disguised as a Microsoft Internet Security Update, carrying the attachment Q216309.exe.

 

Also Known As: W32/Gibe@mm, WORM_GIBE.A, W32/Gibe-A
Type: Trojan Horse, Worm
Infection Length: 122,880 bytes

Subject of email: Internet Security Update
Name of attachment: Q216309.exe
Size of attachment: 122,880 bytes
Ports: 12378

 

Technical description:

The fake message, which is not from Microsoft, has the following characteristics:

Microsoft Corporation Security Center
Internet Security Update
Message: Microsoft Customer,
this is the latest version of security update, the update which eliminates all known security vulnerabilities affecting Internet Explorer and MS Outlook/Express as well as six new vulnerabilities
...
How to install
Run attached file q216309.exe
How to use
You don't need to do anything after installing this item.
...
Attachment: Q216309.exe
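
A mail-gateway style check for the lure characteristics listed above (the subject line, a sender claiming to be Microsoft, and an .exe attachment named Q216309.exe of 122,880 bytes), written here as an added Python example; it is not part of the Symantec write-up. The sample message is constructed inline with filler bytes in place of the attachment, and the example.invalid addresses are assumptions.

```python
"""Flag messages matching the W32.Gibe@mm lure described in the write-up."""
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the advisory; the size is the attachment length it gives.
LURE_SUBJECT = "internet security update"
LURE_ATTACHMENT = "q216309.exe"  # lure body spells it in lower case, so compare case-insensitively
LURE_SIZE = 122_880  # bytes

def check_message(raw: bytes) -> list[str]:
    """Return the reasons a message looks like the Gibe lure (empty if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    if (msg.get("Subject") or "").strip().lower() == LURE_SUBJECT:
        reasons.append("subject matches lure")
    # Microsoft does not mail out patches; a sender claiming to be Microsoft
    # alongside an executable attachment is the lure's defining trait.
    if "microsoft" in (msg.get("From") or "").lower():
        reasons.append("sender claims to be Microsoft")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name == LURE_ATTACHMENT:
            reasons.append("attachment name matches Q216309.exe")
        elif name.endswith(".exe"):
            reasons.append(f"executable attachment {name}")
        if len(payload) == LURE_SIZE:
            reasons.append("attachment size is 122,880 bytes")
    return reasons

def build_sample(attachment_size: int = LURE_SIZE) -> bytes:
    """Constructed sample resembling the lure; the attachment is filler bytes, not the worm."""
    m = EmailMessage()
    m["From"] = "Microsoft Corporation Security Center <security@example.invalid>"
    m["To"] = "customer@example.invalid"
    m["Subject"] = "Internet Security Update"
    m.set_content("Microsoft Customer, this is the latest version of security update ...")
    m.add_attachment(b"\x00" * attachment_size, maintype="application",
                     subtype="octet-stream", filename="Q216309.exe")
    return bytes(m)

if __name__ == "__main__":
    for reason in check_message(build_sample()):
        print("SUSPICIOUS:", reason)
```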

 

 

The attached file, Q216309.exe, is written in Visual Basic; it contains other worm components inside itself. When the attached file is executed, it does the following:

It creates the following files:

\Windows\Q216309.exe (122,880 bytes). This is the whole package containing the worm.
\Windows\Vtnmsccd.dll (122,880 bytes). This file is the same as Q216309.exe.
\Windows\BcTool.exe (32,768 bytes). This is the worm component that spreads using Microsoft Outlook and SMTP.
\Windows\GfxAcc.exe (20,480 bytes). This is the Backdoor Trojan component of the worm that opens port 12378.
\Windows\02_N803.dat (size varies). This is the data file that the worm creates to store email addresses that it finds.
\Windows\WinNetw.exe (20,480 bytes). This is the component that searches for email addresses and writes them to 02_N803.dat.

 

NOTE: Norton AntiVirus detects all of these files as W32.Gibe@mm except the 02_N803.dat file, which contains only data.

 

Next, the worm adds the following values:

LoadDBackUp C:\Windows\BcTool.exe
3Dfx Acc C:\Windows\GFXACC.exe

to the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

The worm also creates the key

HKEY_LOCAL_MACHINE\Software\AVTech\Settings

and adds the following values to that key:

Installed ... by Begbie
Default Address
Default Server

 

Finally, BcTool.exe attempts to send the \Windows\Q216309.exe file to email addresses in the Microsoft Outlook address book, and to addresses that it found in .htm, .html, .asp, and .php files and wrote to the 02_N803.dat file.

 

 

Removal instructions:

Delete files that are detected as W32.Gibe@mm, delete the 02_N803.dat file, and remove the key and values that the worm added to the registry.

 

To remove this Trojan:

1. Obtain the most recent virus definitions. There are two ways to do this:

Run LiveUpdate. LiveUpdate is the easiest way to obtain virus definitions. These virus definitions have undergone full quality assurance testing by Symantec Security Response and are posted to the LiveUpdate servers one time each week (usually Wednesdays) unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, look at the Virus Definitions (LiveUpdate) line at the top of this write-up.

Download the definitions using the Intelligent Updater. Intelligent Updater virus definitions have undergone full quality assurance testing by Symantec Security Response. They are posted on U.S. business days (Monday through Friday). They must be downloaded from the Symantec Security Response Web site and installed manually. To determine whether definitions for this threat are available by the Intelligent Updater, look at the Virus Definitions (Intelligent Updater) line at the top of this write-up.

Intelligent Updater virus definitions are available here. For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site,

 

2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
3. Run a full system scan.
4. Delete all files that are detected as W32.Gibe@mm.
5. Using Windows Explorer, delete the \Windows\02_N803.dat file.

 

To edit the registry:

CAUTION: We strongly recommend that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to back up the Windows registry for instructions.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, delete the following values:

LoadDBackUp C:\Windows\BcTool.exe
3Dfx Acc C:\Windows\GFXACC.exe

5. Navigate to and delete the key

HKEY_LOCAL_MACHINE\Software\AVTech

6. Click Registry, and click Exit.

 

 
