
Win32.Gibe.A@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Gibe.A@mm is also known as W32.Gibe@mm, W32/Gibe@mm.

Explanation:

The virus is an executable mass-mailer that uses the Microsoft Outlook e-mail client to send itself to the contacts stored in the user's address book and to e-mail addresses harvested by scanning .htm, .html, .asp and .php files.

It comes as an attachment to an e-mail message in the following format (resembling a Microsoft security bulletin):

From:
"Microsoft Corporation Security Center"
To:
"Microsoft Customer" <'customer@yourdomain.com'>
Subject:
Internet Security Update
Reply-To:

Attachment:
q216309.exe (executable file, 122880 bytes)
Body:

Microsoft Customer,
this is the latest version of security update, the
[update which eliminates all]
known security vulnerabilities affecting Internet Explorer and
MS Outlook/Express as well as six new vulnerabilities, and is
discussed in Microsoft Security Bulletin MS02-005. Install now to
protect your computer from these vulnerabilities, the most serious of which
could allow an attacker to run code on your computer.

Description of several well-know vulnerabilities:

- "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability.
If a malicious user sends an affected HTML e-mail or hosts an affected
e-mail on a Web site, and a user opens the e-mail or visits the Web site,
Internet Explorer automatically runs the executable on the user's computer.

- A vulnerability that could allow an unauthorized user to learn the location
of cached content on your computer. This could enable the unauthorized
user to launch compiled HTML Help (.chm) files that contain shortcuts to
executables, thereby enabling the unauthorized user to run the executables
on your computer.

- A new variant of the "Frame Domain Verification" vulnerability could enable a
malicious Web site operator to open two browser windows, one in the Web site's
domain and the other on your local file system, and to pass information from
your computer to the Web site.

- CLSID extension vulnerability. Attachments which end with a CLSID file extension
do not show the actual full extension of the file when saved and viewed with
Windows Explorer. This allows dangerous file types to look as though they are simple,
harmless files - such as JPG or WAV files - that do not need to be blocked.

System requirements:
Versions of Windows no earlier than Windows 95.

This update applies to:
Versions of Internet Explorer no earlier than 4.01
Versions of MS Outlook no earlier than 8.00
Versions of MS Outlook Express no earlier than 4.01

How to install
Run attached file q216309.exe

How to use
You don't need to do anything after installing this item.

For more information about these issues, read Microsoft Security Bulletin MS02-005, or visit link below.
http://www.microsoft.com/windows/ie/downloads/critical/default.asp
If you have some questions about this article contact us at rdquest12@microsoft.com
Thank you for using Microsoft products.

With friendly greetings,
MS Internet Security Center.
----------------------------------------
----------------------------------------
Microsoft is registered trademark of Microsoft Corporation.
Windows and Outlook are trademarks of Microsoft Corporation.

When the user runs the attached file, it asks for confirmation before installing the "security update" (actually, the virus).

While the virus displays an installation progress dialog (after the user agrees to the installation), it drops two copies of itself (q216309.exe in the Windows folder and vtnmsccd.dll in the Windows System folder), which are used as attachments for the messages it sends. It also creates the entries described above in the HKEY_LOCAL_MACHINESoftwareAVTechSettings registry key.

It also drops the files BcTool.exe, GfxAcc.exe and WinNetw.exe in the Windows folder; the first two are registered to run at every Windows start-up through two entries in the "HKEY_LOCAL_MACHINESoftwareMicrosoftCurrentVersionRun" registry key, as described in the Symptoms section above.

WinNetw.exe, BcTool.exe and GfxAcc.exe are run immediately after the virus "installation".
WinNetw.exe is the component that searches for target e-mail addresses (in the Address Book and in Internet files with the extensions htm, html, asp and php) and writes them to the file 02_N803.dat. BcTool.exe sends e-mail messages in the format described above to those addresses. GfxAcc.exe is a backdoor that may allow remote access to the computer; it listens on TCP port 12378.
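As an added example (not BitDefender's code), the following Python scores a raw e-mail message on the lure indicators quoted above: the spoofed sender display name, the subject, the Reply-To address and the q216309.exe attachment of 122880 bytes. The sample message it builds is constructed for the demonstration; the sender address is a placeholder.

```python
"""Scores a raw e-mail message on the Win32.Gibe.A@mm lure indicators listed above."""
from email import message_from_string, policy
from email.message import EmailMessage

# Indicators taken from the message format quoted in the description.
LURE_FROM_NAME = "Microsoft Corporation Security Center"
LURE_SUBJECT = "Internet Security Update"
LURE_REPLY_TO = "rdquest12@microsoft.com"
LURE_ATTACHMENT = "q216309.exe"
LURE_ATTACHMENT_SIZE = 122880  # bytes


def gibe_indicators(raw_message: str) -> list:
    """Return the names of the Gibe.A lure indicators present in a raw RFC 822 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    if LURE_FROM_NAME.lower() in str(msg.get("From", "")).lower():
        hits.append("from-name")
    if str(msg.get("Subject", "")).strip().lower() == LURE_SUBJECT.lower():
        hits.append("subject")
    if LURE_REPLY_TO in str(msg.get("Reply-To", "")).lower():
        hits.append("reply-to")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == LURE_ATTACHMENT:
            hits.append("attachment-name")
            if len(part.get_payload(decode=True) or b"") == LURE_ATTACHMENT_SIZE:
                hits.append("attachment-size")
        elif name.endswith(".exe"):
            hits.append("exe-attachment")
    return hits


def is_gibe_lure(raw_message: str) -> bool:
    """Flag the message when two or more independent indicators match."""
    return len(gibe_indicators(raw_message)) >= 2


def build_sample(attachment_size: int = LURE_ATTACHMENT_SIZE) -> str:
    """Constructed sample imitating the quoted lure; the sender address is a placeholder."""
    m = EmailMessage()
    m["From"] = f'"{LURE_FROM_NAME}" <sender@example.invalid>'
    m["To"] = '"Microsoft Customer" <customer@yourdomain.com>'
    m["Subject"] = LURE_SUBJECT
    m["Reply-To"] = LURE_REPLY_TO
    m.set_content("Microsoft Customer,\nthis is the latest version of security update ...\n")
    m.add_attachment(b"\0" * attachment_size, maintype="application",
                     subtype="octet-stream", filename=LURE_ATTACHMENT)
    return m.as_string()
```

Requiring two independent indicators keeps a lone "Internet Security Update" subject or a stray .exe attachment from triggering on its own.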

Last update 21 November 2011
