Interesting People mailing list archives

BEWARE! It's a WORM! Re: IP: The next step in malicious spam


From: David Farber <dfarber () earthlink net>
Date: Sat, 09 Mar 2002 13:44:32 -0400


-----Original Message-----
From: Ari Ollikainen <Ari () OLTECO com>
Date: Sat, 09 Mar 2002 09:20:13 
To: farber () cis upenn edu
Subject: BEWARE! It's a WORM! Re: IP: The next step in malicious spam

-----Original Message-----
From: Joe Faber <joefaber () alumni princeton edu>
Date: Sat, 09 Mar 2002 11:28:46
To: <farber () cis upenn edu>
Subject: The next step in malicious spam

Dave,
I'm used to ignoring spam, but this morning I woke up to find that I
received no fewer than three 160K+ .exe attachments in my inbox 
purporting to be from Microsoft. They were from the "Microsoft
Corporation Security Center" and used "Internet Security Update" as 
their subject heading. The email explains that the attached patch is 
the "5 Mar 2002 Cumulative Patch which eliminates all Ms 
Outlook/Express as well as six new vulnerabilities" [sic]. It goes 
on to list some of the specific vulnerabilities and system 
requirements. They even provide a link to a Microsoft security 
website (where I couldn't find any mention of the patch).

        Read the following http://zdnet.com.com/2100-1105-853235.html

        and act accordingly.

"...
Gibe worm poses as a Microsoft update

By Robert Vamosi
ZDNet Reviews & Solutions
March 6, 2002, 9:00 AM PT

What appears to be a new security update from Microsoft is actually a
clever attempt by a virus writer to spread a worm. Gibe (w32.gibe@mm)
is a nondestructive worm written in Visual Basic that attempts to
mass-mail itself to everyone in an address book. Fortunately, the
infected e-mail is plagued with spelling errors and should be easy to
spot. Because this worm is not destructive and only sends e-mail to
others, Gibe ranks as a 4 on the ZDNet Virus Meter.

[...]


The attached file is q216309.exe (122,880 bytes), which appears to be 
a Microsoft Knowledge Base entry (it is not).

Users of non-Windows systems are not affected by this worm. If a
Windows user opens the attached file, Gibe will make the following
changes to the Registry:

HKLM\Software\AVTech\Settings\Default Address = (default address)
HKLM\Software\AVTech\Settings\DefaultServer = (default server)
HKLM\Software\AVTech\Settings\Installed = ...by Begbie
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\3dfx Acc = (path to gfxacc.exe)
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadDBackup = (path to bctool.exe)

These changes allow Gibe to install a backdoor Trojan horse that
becomes active every time the computer is rebooted. Gibe will also
create the following files in the Windows directory:

bctool.exe (32,768 bytes) - the mass-mailing component
winnetw.exe (20,480 bytes) - e-mail address finding component
q216309.exe (122,880 bytes) - a copy of the worm
vtnmsccd.dll (122,880 bytes) - a copy of the worm
gfxacc.exe (20,480 bytes) - the Trojan horse component

The file gfxacc.exe is the backdoor Trojan horse that could allow
malicious users into a PC. Alert users who monitor their systems with 
a firewall may notice unusual traffic on port 12387 as a result of 
Gibe.

Prevention

Users of Microsoft Outlook 2002 and users of Outlook 2000 who have 
installed the Security Update should be safe from the EXE attachment 
included with Gibe. Users who have not upgraded to Outlook 2002 or who
have not installed the Security Update for Outlook 2000 should do so.
In general, do not open attached files in e-mail without first saving
them to hard disk and scanning them with updated antivirus software. 
Contact your antivirus vendor to obtain the most current antivirus 
signature files that include Gibe.

Removal

A few antivirus software companies have updated their signature files 
to include this worm. This will stop the infection upon contact and 
in some cases will remove an active infection from your system. For 
more information, see McAfee, Sophos, Symantec, and Trend Micro..."

---------------------------------------------------------------------
Dilbert's words of wisdom #18: Never argue with an idiot. They drag
you down to their level then beat you with experience.
---------------------------------------------------------------------
        OLTECO                    Ari Ollikainen
        P.O. BOX 20088            Networking Architecture and Technology
        Stanford, CA              Ari () OLTECO com
        94309-0088                415.517.3519
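The registry values, dropped files and listening port quoted above are the indicators a defender would check a host for. The script below is an added example, not code from the article or from anyone on the list: it matches host state against exactly those indicators, and `collect_live` gathers that state on Windows with the standard `winreg` module and `netstat -an` (assumed to be available and to use the usual Windows output format, with WINDIR pointing at the Windows directory), while the matching function can be exercised with constructed input on any platform.

```python
import ntpath, os, subprocess, sys

# Indicators exactly as listed in the quoted write-up (dict values = expected data).
GIBE_RUN_VALUES = {"3dfx Acc": "gfxacc.exe", "LoadDBackup": "bctool.exe"}
GIBE_FILES = {"bctool.exe": 32768, "winnetw.exe": 20480, "q216309.exe": 122880,
              "vtnmsccd.dll": 122880, "gfxacc.exe": 20480}
GIBE_PORT = 12387
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

def parse_netstat_listening(text):
    """Local TCP ports in LISTENING state, parsed from Windows 'netstat -an' output."""
    ports = set()
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports

def match_gibe_indicators(run_values, windows_dir_files, listening_ports):
    """Return a list of findings (empty = no match). run_values: {name: data} under
    HKLM\\...\\Run; windows_dir_files: {lowercase name: size}; listening_ports: set."""
    findings = []
    for name, data in run_values.items():  # persistence via the two Run values
        if ntpath.basename(str(data).strip('"')).lower() == GIBE_RUN_VALUES.get(name):
            findings.append(f"Run value '{name}' points to {data}")
    for fname, size in GIBE_FILES.items():  # dropped components in the Windows dir
        if fname in windows_dir_files:
            findings.append(f"dropped file {fname} ({windows_dir_files[fname]} bytes,"
                            f" write-up says {size})")
    if GIBE_PORT in listening_ports:  # the gfxacc.exe backdoor listener
        findings.append(f"TCP port {GIBE_PORT} listening")
    return findings

def collect_live():
    """Gather the three inputs on a Windows host; returns empty inputs elsewhere."""
    if sys.platform != "win32":
        return {}, {}, set()
    import winreg  # Windows-only module, so imported lazily
    run_values, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            run_values[name], i = data, i + 1
    windir = os.environ.get("WINDIR", r"C:\Windows")
    files = {f.lower(): os.path.getsize(os.path.join(windir, f))
             for f in os.listdir(windir) if os.path.isfile(os.path.join(windir, f))}
    netstat = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    return run_values, files, parse_netstat_listening(netstat)
```

On the host, `match_gibe_indicators(*collect_live())` returns the findings; the file sizes are those given in the 2002 write-up, so a size mismatch is reported rather than treated as a miss.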

For archives see:
http://www.interesting-people.org/archives/interesting-people/
