Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Gibe.A

Win32/Gibe.A is a worm spreading as an email file attachment.  It arrives as an email message from Microsoft Corporation Security Center and its subject is "Internet Security Update".  In an attachment of the message there is a file q216309.exe containing the worm code 122880 bytes in size.  The body of the message id formed by the following text:

Microsoft Customer,
this is the latest version of security update, the known security vulnerabilities affecting Internet Explorer and MS Outlook/Express as well as six new vulnerabilities, and is discussed in Microsoft Security Bulletin MS02-005. Install now to protect your computer from these vulnerabilities, the most serious of which could allow an attacker to run code on your computer.
Description of several well-know vulnerabilities:
- "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability. If a malicious user sends an affected HTML e-mail or hosts an affected e-mail on a Web site, and a user opens the e-mail or visits the Web site, Internet Explorer automatically runs the executable on the user's computer.
- A vulnerability that could allow an unauthorized user to learn the location of cached content on your computer. This could enable the unauthorized user to launch compiled HTML Help (.chm) files that contain shortcuts to executables, thereby enabling the unauthorized user to run the executables on your computer.
- A new variant of the "Frame Domain Verification" vulnerability could enable a malicious Web site operator to open two browser windows, one in the Web site's domain and the other on your local file system, and to pass information from your computer to the Web site.
- CLSID extension vulnerability. Attachments which end with a CLSID file extension do not show the actual full extension of the file when saved and viewed with Windows Explorer. This allows dangerous file types to look as though they are simple, harmless files - such as JPG or WAV files - that do not need to be blocked.

System requirements:
Versions of Windows no earlier than Windows 95.

This update applies to:
Versions of Internet Explorer no earlier than 4.01
Versions of MS Outlook no earlier than 8.00
Versions of MS Outlook Express no earlier than 4.01

How to install
Run attached file q216309.exe

How to use
You don't need to do anything after installing this item.


For more information about these issues, read Microsoft Security Bulletin MS02-005, or visit link below.
http://www.microsoft.com/windows/ie/downloads/critical/default.asp
If you have some questions about this article contact us at rdquest12@microsoft.com
Thank you for using Microsoft products.
With friendly greetings,
MS Internet Security Center.
----------------------------------------
----------------------------------------
Microsoft is registered trademark of Microsoft Corporation.
Windows and Outlook are trademarks of Microsoft Corporation.

Upon running the file q216309.exe the worm is installed into the system.  It creates files q216309.exe, BcTool.exe, WinNetw.exe and GfxAcc.exe in the directory where the operating system Windows is installed.  In the subdirectory SYSTEM of that directory it creates the file vtnmsccd.dll which is identical with the file q216309.exe.  In the system registry it creates keys HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadDBackUp with value "C:\WINDOWS\BcTool.exe" and HKLM\Software\Microsoft\Windows\CurrentVersion\Run\3Dfx Acc with value "C:\WINDOWS\GFXAcc.exe".  In doing this the worm ensures that it will be activated again at the operating system restart.  The worm also creates the key HKLM\Software\AVTech\Settings\Installed with value "... by Begbie".  Finally the worm tries to send out its copies to all addresses found in the files with extensions htm, html, php and asp in the Microsoft Outlook address book.  The file GfxAcc.exe contains a Trojan horse.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.