W32/Gibe.A@mm

Threat risk: medium

Detection files published: 07 March 2002
Description created: 2002-03-11
Description updated: 2003-01-16

Malware type: Worm
Alias:
Spreading mechanism: Email

Payload:
Installs a backdoor component.

Summary

This is an email worm written in Visual Basic. The file size is 122880 bytes.

Spreading description

Email characteristics:

Subject: Internet Security Update
Body: Microsoft Customer, this is the latest version of security update, the "7 Mar 2002 Cumulative Patch" update which eliminates all known security vulnerabilities...

(Lengthy patch description removed)

How to install
Run attached file q216309.exe

How to use
You don't need to do anything after installing this item.

Attachment: Q216309.EXE

The worm arrives in an email pretending to be a patch from Microsoft.

The attachment's file name looks like that of a legitimate Microsoft Security Update. Microsoft, however, never sends patches out as an e-mail attachment.
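The lure described above (subject, body phrases, attachment name and file size) is easy to match at a mail gateway. The following is an added example, not Norman's code or part of the original description; it uses only the Python standard library and builds a constructed sample message in the shape of the lure so it can be run offline. The size of a corrupted copy (122823 bytes) is taken from the description further down the page.

```python
import email
from email import policy
from email.message import EmailMessage

# Lure characteristics as given in the description.
LURE_SUBJECT = "Internet Security Update"
LURE_ATTACHMENT = "Q216309.EXE"
LURE_BODY_MARKERS = ("Microsoft Customer", "Cumulative Patch", "q216309.exe")
WORM_SIZES = {122880, 122823}  # intact copy, and the usual size of a corrupted copy


def analyse_message(raw: bytes) -> list:
    """Return the findings that match the Gibe.A lure; an empty list means no match."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    subject = str(msg["Subject"] or "").strip()
    if subject.lower() == LURE_SUBJECT.lower():
        findings.append(f"subject matches lure: {subject!r}")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    hits = [m for m in LURE_BODY_MARKERS if m.lower() in text.lower()]
    if hits:
        findings.append(f"body contains lure phrases: {hits}")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name.upper() == LURE_ATTACHMENT:
            findings.append(f"attachment name matches lure: {name}")
        if len(payload) in WORM_SIZES:
            findings.append(f"attachment size {len(payload)} matches a known worm copy")
        if name.lower().endswith(".exe"):
            findings.append(f"executable attachment: {name}")
    return findings


def build_sample() -> bytes:
    """Constructed sample message shaped like the lure (not a real capture)."""
    m = EmailMessage()
    m["From"] = "support@example.com"   # constructed sender
    m["To"] = "user@example.org"        # constructed recipient
    m["Subject"] = LURE_SUBJECT
    m.set_content(
        "Microsoft Customer, this is the latest version of security update, "
        'the "7 Mar 2002 Cumulative Patch" update which eliminates all known '
        "security vulnerabilities...\n\nHow to install\nRun attached file q216309.exe\n"
    )
    # Dummy attachment padded to the intact worm's size; contents are not the worm.
    m.add_attachment(b"MZ" + b"\x00" * (122880 - 2),
                     maintype="application", subtype="octet-stream",
                     filename="Q216309.EXE")
    return m.as_bytes()


if __name__ == "__main__":
    for finding in analyse_message(build_sample()):
        print(finding)
```

Any single finding is worth quarantining on; the combination of a matching subject and a 122880-byte executable attachment is a strong match for this worm. Feed `analyse_message` the raw bytes of each message as it arrives.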

When run, it displays an update window that looks as if it might belong to a Microsoft install utility.

While this happens, it copies itself to the Windows directory as Q216309.EXE and to the System directory as VTNMSCCD.DLL. It then modifies the registry and drops a series of helper components to disk.

The helper components are:

WINNETW.EXE (20480 bytes): the address-collecting component. It collects email addresses and saves them to a data file called 02_N803.DAT.

BCTOOLS.EXE (32768 bytes): the mailing component. It mails the worm to the addresses saved in 02_N803.DAT and to addresses found in web pages (HTM, HTML, ASP and PHP files).

The worm attempts two different styles of mailing: direct SMTP mail and Microsoft Outlook. The Outlook mailing appears to be buggy and nonfunctional. The worm also often sends corrupted copies of itself; these copies are not infectious. The file size of such a corrupted copy is usually 122823 bytes.

GFXACC.EXE (20480 bytes): a backdoor component. It opens a listening socket on port 12378.

The worm installs a number of registry values so that it is started at boot:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run LoadDBackUp = %WINDIR%\BCTOOL.EXE

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run 3dfx Acc = %WINDIR%\GFXACC.EXE

Some entries are also set up for the worm's own bookkeeping, under the key
HKEY_LOCAL_MACHINE\Software\AVTech\Settings.
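The persistence values, dropped files and backdoor port listed above are the host-side indicators for this worm. The following is an added example of a host check, not Norman's code or a tool from the original page; it uses only the Python standard library. It reads the Run key through `winreg` only when it runs on Windows, and the file and registry checks take their inputs as parameters so they can be exercised with constructed data elsewhere. The description does not say into which directory WINNETW.EXE, BCTOOLS.EXE and 02_N803.DAT are dropped, so the file check looks for every name in both the Windows and the System directory (an assumption); the Run value spells the mailer BCTOOL.EXE, so both spellings are searched.

```python
import os
import socket
import sys
from typing import Callable, Dict, List

# Run values named in the description: value name -> expected file name.
IOC_RUN_VALUES = {"LoadDBackUp": "BCTOOL.EXE", "3dfx Acc": "GFXACC.EXE"}
# File names named in the description (both BCTOOL/BCTOOLS spellings, see lead-in).
IOC_FILE_NAMES = ["Q216309.EXE", "VTNMSCCD.DLL", "WINNETW.EXE", "BCTOOLS.EXE",
                  "BCTOOL.EXE", "GFXACC.EXE", "02_N803.DAT"]
IOC_BOOKKEEPING_KEY = r"Software\AVTech\Settings"
BACKDOOR_PORT = 12378
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def read_run_values() -> Dict[str, str]:
    """Read HKLM Run values on Windows; elsewhere return an empty map."""
    if sys.platform != "win32":
        return {}
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            values[name] = str(data)
            index += 1
    return values


def bookkeeping_key_present() -> bool:
    """True if the worm's own HKLM\\Software\\AVTech\\Settings key exists (Windows only)."""
    if sys.platform != "win32":
        return False
    import winreg
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IOC_BOOKKEEPING_KEY))
        return True
    except OSError:
        return False


def check_run_values(values: Dict[str, str]) -> List[str]:
    """Flag Run values whose name and target file name match the worm's entries."""
    findings = []
    for name, data in values.items():
        expected = IOC_RUN_VALUES.get(name)
        # Compare on the file name only; the directory may differ from %WINDIR%.
        if expected and os.path.basename(data.replace("\\", "/")).upper() == expected:
            findings.append(f"Run value {name!r} -> {data}")
    return findings


def check_dropped_files(windir: str, sysdir: str,
                        exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Report which of the worm's file names exist in the Windows or System directory."""
    findings = []
    for directory in (windir, sysdir):
        for name in IOC_FILE_NAMES:
            path = os.path.join(directory, name)
            if exists(path):
                findings.append(f"file present: {path}")
    return findings


def backdoor_port_open(port: int = BACKDOOR_PORT, host: str = "127.0.0.1",
                       timeout: float = 0.5) -> bool:
    """True if something accepts TCP connections on the backdoor port locally."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


if __name__ == "__main__":
    windir = os.environ.get("WINDIR", r"C:\WINDOWS")
    sysdir = os.path.join(windir, "SYSTEM")  # assumption: classic 9x/Me layout
    report = check_run_values(read_run_values()) + check_dropped_files(windir, sysdir)
    if bookkeeping_key_present():
        report.append(f"registry key present: HKLM\\{IOC_BOOKKEEPING_KEY}")
    if backdoor_port_open():
        report.append(f"port {BACKDOOR_PORT} is accepting connections")
    print("\n".join(report) if report else "no Gibe.A indicators found")
```

Run it on the suspect host; a hit on the Run values or on the AVTech key is a reliable indicator, while a file-name hit alone should be confirmed by size or by scanning, since the names are generic.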

Removal

General information about removal of malicious software

Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. If your Norman antivirus is unable to clean up the infection, please use the latest version of this program from the link below.

Use / Title / Comment
- Stop the spread of viruses on network shares
- Cleaning of back-up folders on Windows Me and XP