Win32.Gibe.B@mm

LOW
LOW
155,648 bytes
(I-Worm.Gibe.b, WORM_GIBE.B, W32/Gibe.b@mm, W32/Gibe-D)

Symptoms

- File gibe.dll (in Windows folder, size: 155,648 bytes)
- File DX3DRndr.exe (in Windows folder, size: 73,728 bytes)
- File MSBugAdv.exe (in Windows folder, size: 24,576 bytes)
- File WMSysDx.bin (in Windows folder, size: around 3,690 bytes)
- The registry entries:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DxLoad="%Windows%\DX3DRndr.exe"]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Messenger Setup\Coded="... by Begbie"]

Removal instructions:

- manual removal:
delete the following files:
gibe.dll (in Windows folder)
DX3DRndr.exe (in Windows folder)
MSBugAdv.exe (in Windows folder)
WMSysDx.bin (in Windows folder)
p??????.exe (in Windows or Windows\Temp folder)
q??????.exe (in Windows or Windows\Temp folder)
(each ? can be any random digit, e.g. p338431.exe)
remove the registry key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DxLoad]
(the DxLoad value is "%Windows%\DX3DRndr.exe")

- automatic removal: let BitDefender delete the files it finds infected.
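As an added example (not a Bitdefender tool, and not code from this page), the following Python script turns the Symptoms and manual-removal lists above into a host check. It matches a snapshot of files and registry values against the dropped-file names and sizes, the p??????.exe / q??????.exe copies, the DxLoad autorun entry and the "... by Begbie" marker. The snapshot data, the Windows folder path and the registry-export format (`KEY\ValueName` -> data) are constructed assumptions; on a real host you would feed it a file-system walk and a registry export.

```python
# Added example: match a host inventory against the Win32.Gibe.B@mm artifacts
# listed on the page. Runs offline on a constructed snapshot.
import fnmatch
import ntpath

# Dropped files and their sizes as given in the Symptoms list. WMSysDx.bin is
# only "around 3,690 bytes", so its size is not checked.
KNOWN_FILES = {
    "gibe.dll": 155648,
    "dx3drndr.exe": 73728,
    "msbugadv.exe": 24576,
    "wmsysdx.bin": None,
}
# Randomly named copies: p??????.exe / q??????.exe, each ? a digit.
RANDOM_PATTERNS = ("p??????.exe", "q??????.exe")
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"
              r"\Internet Settings\Messenger Setup")


def scan_files(inventory, windows_dir=r"C:\Windows"):
    """inventory: iterable of (path, size_in_bytes). Returns [(path, reason)]."""
    win = windows_dir.lower()
    temp = ntpath.join(win, "temp")
    hits = []
    for path, size in inventory:
        parent = ntpath.dirname(path).lower()
        name = ntpath.basename(path).lower()
        if parent == win and name in KNOWN_FILES:
            expected = KNOWN_FILES[name]
            if expected is None or size == expected:
                hits.append((path, "known dropped file"))
            else:
                # Same name but a different size: worth a look, but not a clean match.
                hits.append((path, "name matches but size differs (%d != %d)"
                             % (size, expected)))
        elif (parent in (win, temp) and name[1:7].isdigit()
              and any(fnmatch.fnmatchcase(name, p) for p in RANDOM_PATTERNS)):
            hits.append((path, "random-named worm copy"))
    return hits


def scan_registry(values):
    """values: dict of 'KEY\\ValueName' -> data (constructed registry-export format)."""
    hits = []
    dxload = values.get(RUN_KEY + r"\DxLoad")
    # Accept both the literal "%Windows%\DX3DRndr.exe" and an expanded path.
    if dxload and dxload.lower().endswith(r"\dx3drndr.exe"):
        hits.append((RUN_KEY + r"\DxLoad", "autorun entry for DX3DRndr.exe"))
    coded = values.get(MARKER_KEY + r"\Coded")
    if coded and "by begbie" in coded.lower():
        hits.append((MARKER_KEY + r"\Coded", "infection marker (already-running check)"))
    return hits


# Constructed sample snapshot: three worm artifacts plus two files that must not match.
SAMPLE_FILES = [
    (r"C:\Windows\gibe.dll", 155648),
    (r"C:\Windows\DX3DRndr.exe", 73728),
    (r"C:\Windows\Temp\p338431.exe", 155648),
    (r"C:\Windows\notepad.exe", 193536),            # benign system file
    (r"C:\Users\me\Downloads\gibe.dll", 155648),    # outside the Windows folder, ignored
]
SAMPLE_REGISTRY = {
    RUN_KEY + r"\DxLoad": r"%Windows%\DX3DRndr.exe",
    MARKER_KEY + r"\Coded": "... by Begbie",
}


def report(inventory=SAMPLE_FILES, registry=SAMPLE_REGISTRY):
    """Combine both scans; an empty list means no Gibe.B artifact was found."""
    return scan_files(inventory) + scan_registry(registry)


if __name__ == "__main__":
    for location, reason in report():
        print("%-70s %s" % (location, reason))
```

The size check matters because the page gives exact sizes for three of the dropped files; a file with the right name but a different size is reported separately so an analyst can decide rather than the script silently deleting it.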

Analyzed By

Patrik Vicol Bitdefender Virus Researcher

Technical Description:

Win32.Gibe.B@mm is an Internet worm that spreads mainly via e-mail, but also via Kazaa and mIRC, and it can copy itself to mapped network drives.
The worm usually arrives as an e-mail. The subject and body of the e-mail may vary, but the attachment is always 155,648 bytes long.
The worm becomes active when the user runs the infected attachment of an e-mail, or runs an infected file from the mIRC download folder, the Kazaa shared folder, etc.
Once run, the worm checks whether it is already running by looking for the following registry entry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Messenger Setup\Coded="... by Begbie"]
If the registry entry is missing, the worm creates it and drops two executable files in the Windows folder:
DX3DRndr.exe (which collects e-mail addresses) and MSBugAdv.exe (the resident mass-mailer/SMTP engine).
Using these two components, the worm collects e-mail addresses from the Outlook Address Book, the Windows Address Book (.wab files) and the Temporary Internet Files folder, storing them in two files: MSerr.bak and MailViews.db. The worm sends itself to the collected addresses using Outlook or its own SMTP engine, and it makes use of IFRAME and MIME exploits. Another file, WMSysDx.bin, is dropped in the Windows folder and contains the addresses of some newsgroups.

Spreading through e-mail:
The subject of the infected e-mail may have one of these forms:
- as a fake Microsoft security patch bulletin, the worm can compose the subject from some of the following keywords:
FW:, FWD:, RE:, Check, Check out, Prove, Taste, Try, Look at, Take a look at, See, Watch, these, this, the, that, correction, security, update, patch, comes, from, Microsoft, M$ Corporation, January ... Oktober, November, December, Cumulative Patch, Latest, New, Last, Newest, Internet, Network, Security, Pack
For example, the subject may be:
FWD: Take a Look at this patch from Microsoft
- a fake undelivered e-mail, containing text like:
I'm afraid I wasn't able to deliver your message to the following addresses.
I'm sorry to have to inform you that the message returned below could not be delivered to one or more destinations.
- an e-mail containing the text:
Hi. This is the program.
The attachment may have one of these forms:
Update.exe, Patch.exe, Update???.exe or Patch???.exe (where each ? is a randomly generated digit)
Sometimes, the e-mail's header contains:
Outgoing mail is certified Virus Free.
Checked by ??? virus system
(where ??? may be TrendMicro, F-Secure, Symantec, Kaspersky, NOD32, etc.)
If the e-mail poses as a Microsoft update and the user runs the infected attachment, the worm may display some of the following messages:
This update does not need to be installed on this system.
This will install Microsoft Security Update.
Do you wish to continue?
Update registry settings ...
Installation was cancelled.
This update has been successfully installed.
Installation is not complete. Are you sure you want to cancel?
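The e-mail indicators above (attachment name and size, the fake-bulletin subject keywords, the bounce-notice and "Hi. This is the program." bodies, and the "Checked by ... virus system" header) can be turned into mail-gateway triage logic. The following is an added example written for this page, not Bitdefender code: it scores each message by how many of those indicators it matches and maps the score to a verdict. The message dictionaries, the header name `X-Antivirus` and the two-point block threshold are constructed assumptions.

```python
# Added example: score incoming mail against the Win32.Gibe.B@mm lures
# described on the page. Works on constructed message metadata, offline.
import re

# Constants taken from the description on the page.
ATTACHMENT_SIZE = 155648
# Update.exe, Patch.exe, Update???.exe, Patch???.exe with ? a digit
ATTACHMENT_RE = re.compile(r"^(update|patch)(\d{3})?\.exe$", re.IGNORECASE)
FAKE_AV_RE = re.compile(r"checked by .+ virus system", re.IGNORECASE)
BOUNCE_PHRASES = (
    "wasn't able to deliver your message",
    "could not be delivered to one or more destinations",
)
# A subset of the subject keywords; two or more in one subject is suspicious.
BULLETIN_WORDS = ("patch", "update", "security", "microsoft", "m$ corporation",
                  "cumulative", "internet", "network", "pack")


def triage(msg):
    """msg: dict with subject, body, attachment, attachment_size, headers (list of str).
    Returns (score, reasons); each matched indicator adds one point."""
    reasons = []
    att = msg.get("attachment") or ""
    is_exe = att.lower().endswith(".exe")
    if ATTACHMENT_RE.match(att):
        reasons.append("attachment named like the Update/Patch lure")
    if msg.get("attachment_size") == ATTACHMENT_SIZE:
        reasons.append("attachment is exactly 155,648 bytes")
    subject = msg.get("subject", "").lower()
    words = sorted(w for w in BULLETIN_WORDS if w in subject)
    if len(words) >= 2:
        reasons.append("fake-bulletin subject keywords: " + ", ".join(words))
    body = msg.get("body", "").lower()
    # A bounce notice is only a lure when it carries an executable.
    if is_exe and any(p in body for p in BOUNCE_PHRASES):
        reasons.append("bounce-notice lure carrying an executable")
    if body.strip() == "hi. this is the program.":
        reasons.append("'Hi. This is the program.' body")
    if any(FAKE_AV_RE.search(h) for h in msg.get("headers", [])):
        reasons.append("fake 'checked by ... virus system' header")
    return len(reasons), reasons


def verdict(msg):
    """Two or more indicators: block; one: quarantine for review; none: pass."""
    score, _ = triage(msg)
    if score >= 2:
        return "block"
    return "quarantine" if score == 1 else "pass"


# Constructed sample messages: two Gibe.B lures, a benign mail and a benign
# newsletter that trips only the subject keywords.
SAMPLES = [
    {"subject": "FWD: Take a Look at this patch from Microsoft",
     "body": "This update eliminates all known security vulnerabilities.",
     "attachment": "Update638.exe", "attachment_size": 155648,
     "headers": ["X-Antivirus: Outgoing mail is certified Virus Free. "
                 "Checked by Symantec virus system"]},
    {"subject": "Returned mail: user unknown",
     "body": "I'm afraid I wasn't able to deliver your message to the following addresses.",
     "attachment": "Patch.exe", "attachment_size": 155648, "headers": []},
    {"subject": "Lunch tomorrow?", "body": "Are we still on?",
     "attachment": None, "attachment_size": None, "headers": []},
    {"subject": "Microsoft security update summary for this month",
     "body": "Please find the summary attached.",
     "attachment": "summary.pdf", "attachment_size": 40000, "headers": []},
]


if __name__ == "__main__":
    for m in SAMPLES:
        score, reasons = triage(m)
        print("%-10s %d  %s" % (verdict(m), score, "; ".join(reasons) or "-"))
```

The fourth sample shows why a single indicator should only quarantine: a genuine security newsletter can carry the same subject words, but it will not also have a 155,648-byte Update???.exe attached.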

Spreading through Kazaa:
The worm locates the Kazaa shared folder through the registry and copies itself there.
It can also register a new shared folder, located in the Windows\Temp folder, through the registry and put a copy of itself there.

Spreading through MIRC:
The worm drops a script.ini so that it can send itself through mIRC, using one of these filenames:
IEPatch.exe
KaZaA upload.exe
Porn.exe
Sex.exe
XboX Emulator.exe
PS2 Emulator.exe
XP update.exe
XXX Video.exe
Sick Joke.exe
Free XXX Pictures.exe
My naked sister.exe
Hallucinogenic Screensaver.exe
Cooking with Cannabis.exe
Magic Mushrooms Growing.exe
I-Worm_Gibe Cleaner.exe

Spreading through network:
The worm tries to copy itself as WebLoader.exe into the Startup folder on mapped network drives.
The remote path is constructed from some of the following keywords:
Windows, WinMe, Win95, Win98, \All Users, \Start menu\Programs\Startup, \Documents and Settings\, \Winnt\Profiles All Users Default User Administrator
The worm may also post itself to a series of newsgroups listed in the file WMSysDx.bin.