Attention: new Microsoft fake going around !!!

Posts: 6
Views: 478 / Today: 1
Zick-Zock:

Attention: new Microsoft fake going around !!!

 
09.03.02 19:22
From
securityresponse.symantec.com/avcenter/...ata/w32.gibe@mm.html

The fake message, which is not from Microsoft, has the following
characteristics:

From: Microsoft Corporation Security Center
Subject: Internet Security Update
Message:
Microsoft Customer,
this is the latest version of security update, the update which eliminates
all known security vulnerabilities affecting Internet Explorer and MS
Outlook/Express as well as six new vulnerabilities
.
.
.
How to install
Run attached file q216309.exe
How to use
You don't need to do anything after installing this item.
.
.
.
Attachment: Q216309.exe

The attached file, Q216309.exe, is written in Visual Basic; it contains
other worm components inside itself. When the attached file is executed, it
does the following:

It creates the following files:

 a. \Windows\Q216309.exe (122,880 bytes). This is the whole package containing the worm.
 b. \Windows\Vtnmsccd.dll (122,880 bytes). This file is the same as Q216309.exe.
 c. \Windows\BcTool.exe (32,768 bytes). This is the worm component that spreads using Microsoft Outlook and SMTP.
 d. \Windows\GfxAcc.exe (20,480 bytes). This is the Backdoor Trojan component of the worm that opens port 12378.
 e. \Windows\02_N803.dat (size varies). This is the data file that the worm creates to store email addresses that it finds.
 f. \Windows\WinNetw.exe (20,480 bytes). This is the component that searches for email addresses and writes them to 02_N803.dat.

NOTE: Norton AntiVirus detects all of these files as W32.Gibe@mm except the
02_N803.dat file, which contains only data.

Next, the worm adds the following values:

LoadDBackUp C:\Windows\BcTool.exe
3Dfx Acc C:\Windows\GFXACC.exe

to the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

The worm also creates the key

HKEY_LOCAL_MACHINE\Software\AVTech\Settings

and adds the following values to that key:

Installed ... by Begbie
Default Address
Default Server

Finally, BcTool.exe attempts to send the \Windows\Q216309.exe file to email
addresses in the Microsoft Outlook address book, and to addresses that it
found in .htm, .html, .asp, and .php files and wrote to the 02_N803.dat
file.


Removal instructions:

Delete files that are detected as W32.Gibe@mm, delete the 02_N803.dat file,
and remove the key and values that the worm added to the registry.

To remove this Trojan:

 1. Obtain the most recent virus definitions. There are two ways to do this:
    a. Run LiveUpdate. LiveUpdate is the easiest way to obtain virus
definitions. These virus definitions have undergone full quality assurance
testing by Symantec Security Response and are posted to the LiveUpdate
servers one time each week (usually Wednesdays) unless there is a major
virus outbreak. To determine whether definitions for this threat are
available by LiveUpdate, look at the Virus Definitions (LiveUpdate) line at
the top of this write-up.
    b. Download the definitions using the Intelligent Updater. Intelligent
Updater virus definitions have undergone full quality assurance testing by
Symantec Security Response. They are posted on U.S. business days (Monday
through Friday). They must be downloaded from the Symantec Security Response
Web site and installed manually. To determine whether definitions for this
threat are available by the Intelligent Updater, look at the Virus
Definitions (Intelligent Updater) line at the top of this write-up.

   Intelligent Updater virus definitions are available here. For detailed
instructions on how to download and install the Intelligent Updater virus
definitions from the Symantec Security Response Web site, click here.

 2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to
scan all files. For instructions on how to do this, read the document How to
configure Norton AntiVirus to scan all files.
 3. Run a full system scan.
 4. Delete all files that are detected as W32.Gibe@mm.
 5. Using Windows Explorer, delete the \Windows\02_N803.dat file.

To edit the registry:

CAUTION: We strongly recommend that you back up the registry before you make
any changes to it. Incorrect changes to the registry can result in permanent
data loss or corrupted files. Modify only the keys that are specified. Read
the document How to back up the Windows registry for instructions.

 1. Click Start, and click Run. The Run dialog box appears.
 2. Type regedit and then click OK. The Registry Editor opens.
 3. Navigate to the key

 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

 4. In the right pane, delete the following values:

 LoadDBackUp C:\Windows\BcTool.exe
 3Dfx Acc C:\Windows\GFXACC.exe

 5. Navigate to and delete the key

 HKEY_LOCAL_MACHINE\Software\AVTech

 6. Click Registry, and click Exit.

--
(DISCLAIMER:  The preceding message reflects the opinion of only 1 out of
billions of Internet and Newsgroup users.  It does not reflect the opinions
of any businesses, clubs, organizations, religious groups, unions,
associations, companies, people, or small farm animals.)
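The message characteristics listed above translate directly into a mail-gateway check. Below is an added Python example (not from the original post or the Symantec write-up) that builds a constructed sample mail with the listed From, Subject, body wording and Q216309.exe attachment and runs a triage function over it. The recipient address and attachment bytes are placeholders; the reply address rdquest12@microsoft.com is the one quoted in the Usenet post later in this thread, and the rule that a self-declared Microsoft mail carrying an executable "patch" is fake rests on that post's point that Microsoft Security Bulletins never contain patches.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment types that no genuine security bulletin would carry.
EXEC_SUFFIXES = (".exe", ".com", ".scr", ".pif", ".bat", ".vbs")
KNOWN_CARRIER = "q216309.exe"  # attachment name from the write-up above


def build_sample(with_attachment: bool) -> bytes:
    """Constructed sample mail mirroring the fake's headers and wording."""
    msg = EmailMessage()
    # Display name from the write-up; reply address quoted later in the thread.
    msg["From"] = "Microsoft Corporation Security Center <rdquest12@microsoft.com>"
    msg["To"] = "customer@example.invalid"  # placeholder recipient
    msg["Subject"] = "Internet Security Update"
    msg.set_content(
        "Microsoft Customer,\nthis is the latest version of security update\n"
        "How to install\nRun attached file q216309.exe\n"
    )
    if with_attachment:
        # Placeholder bytes, not the worm; only the file name is inspected.
        msg.add_attachment(b"MZ placeholder", maintype="application",
                           subtype="octet-stream", filename="Q216309.exe")
    return msg.as_bytes()


def triage(raw: bytes) -> list[str]:
    """Return the reasons to quarantine a mail; an empty list means it passes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons: list[str] = []
    claims_microsoft = "microsoft" in str(msg.get("From", "")).lower()
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXEC_SUFFIXES):
            reasons.append(f"executable attachment {name}")
            if claims_microsoft:
                # Microsoft Security Bulletins are signed text and never contain patches.
                reasons.append("claims Microsoft origin but ships a 'patch' as attachment")
        if name == KNOWN_CARRIER:
            reasons.append("attachment name matches the W32.Gibe@mm carrier")
    return reasons


def is_fake_update(raw: bytes) -> bool:
    return bool(triage(raw))


if __name__ == "__main__":
    for reason in triage(build_sample(True)):
        print("QUARANTINE:", reason)
```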
Joshua_XP:

Some things you just can't make up. What exactly is

 
09.03.02 21:14


new about it? I don't get it, please explain it to me.

Zick-Zock:

well then...

 
09.03.02 21:50
go ahead and run the .exe next time "Microsoft" supposedly sends you one. have fun

drunk? read it again on Monday! ;)
Joshua_XP:

I already saw that thing 4 months ago

 
09.03.02 22:15
Right on my drive, strange, looks like mine, but that one belongs to the boss. Hic.




Zick-Zock:

Usenet post from today

 
10.03.02 22:08
can be read on Usenet under "microsoft.public.de.allgemein"

Hello everyone,

the day before yesterday quite a few Internet users - myself included - received an e-mail
that supposedly came from MS but is in reality just a fake with the
worm attachment "q216309.exe" (the thing is said to have been given the name "Gibe"
in the meantime).

UNDER NO CIRCUMSTANCES CLICK / RUN ATTACHMENTS OF THIS KIND!

The reply address rdquest12@microsoft.com is also a fake.

In the newsgroup (danam) the following link to background
information was given for this incident:

www.heise.de./newsticker/data/pab-06.03.02-000/

On 08.03.2002 Besim Karadeniz also pointed out the following in "danam":

------
From Microsoft itself there is only the so-called
"Microsoft Security Bulletin" for the public, which comes from the "Microsoft Security Response
Center" and never contains patches.
It additionally carries a PGP signature.
------

These are going to be "great" times for computer / Internet beginners if
methods like this are now spreading! :-(((

Who can you actually turn to as an MS customer in cases like this?

Does it help MS support or the MS abuse department if one sends in the
headers of the e-mail in question?

In the hope that MS does _everything_ it can to stop such abuse of its
company name and to protect its customers as far as possible,


Thomas Nolte
--
E-mail:    info@t-nolte.de or TNolte@web.de
Homepage: www.t-nolte.de


...so much for Josh's post that's been known for 4 months. *hic*

*lol*
Zick-Zock:

up

 
11.03.02 09:00

