Win32.Gibe.B@mm (I-Worm.Gibe.b, WORM_GIBE.B, W32/Gibe.b@mm, W32/Gibe-D)
SYMPTOMS:
- File gibe.dll (in Windows folder, size: 155,648 bytes)
- File DX3DRndr.exe (in Windows folder, size: 73,728 bytes)
- File MSBugAdv.exe (in Windows folder, size: 24,576 bytes)
- File WMSysDx.bin (in Windows folder, size: around 3,690 bytes)
- The registry entries:
  [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DxLoad="%Windows%\DX3DRndr.exe"]
  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Messenger Setup\Coded="... by Begbie"]

TECHNICAL DESCRIPTION:
Win32.Gibe.B@mm is an Internet worm which spreads mainly via e-mail, but also via Kazaa and mIRC, and it has the means to send copies of itself through mapped network drives.

The worm usually arrives as an e-mail. The subject and body of the e-mail may vary, but the attachment is always 155,648 bytes long. The worm becomes active when the infected attachment of an e-mail is run, or when an infected file is run from the mIRC download folder, the Kazaa shared folder, etc.

Once run, the worm checks whether it is already running by testing for the existence of the following registry entry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Messenger Setup\Coded="... by Begbie"]
If the registry value is missing, the worm creates it and drops two executable files in the Windows folder: DX3DRndr.exe (which collects e-mail addresses) and MSBugAdv.exe (the resident mass-mailer/SMTP engine). Using these two components, the worm collects e-mail addresses from the Outlook Address Book, the Windows Address Book (.wab files) and Temporary Internet Files into two files: MSerr.bak and MailViews.db. The worm can send itself to the collected addresses using Outlook or its own SMTP engine, and it makes use of IFRAME and MIME exploits. Another file, WMSysDx.bin, is dropped in the Windows folder and contains the addresses of some newsgroups.
Spreading through e-mail:
The subject of the infected e-mail may take one of these forms:
- As a fake Microsoft security patch bulletin, the worm composes the subject using some of the following keywords: FW:, FWD:, RE:, Check, Check out, Prove, Taste, Try, Look at, Take a look at, See, Watch, these, this, the, that, correction, security, update, patch, comes, from, Microsoft, M$ Corporation, January ... October, November, December, Cumulative Patch, Latest, New, Last, Newest, Internet, Network, Security, Pack
  For example, the subject may be: FWD: Take a Look at this patch from Microsoft
- As a fake undelivered-mail notification, containing text like:
  I'm afraid I wasn't able to deliver your message to the following addresses.
  I'm sorry to have to inform you that the message returned below could not be delivered to one or more destinations.
- As an e-mail containing the text: Hi. This is the program.

The attachment may have one of these names: Update.exe, Patch.exe, Update???.exe or Patch???.exe (where ??? is a randomly generated number).

Sometimes the e-mail header contains: Outgoing mail is certified Virus Free. Checked by ??? virus system (where ??? may be TrendMicro, F-Secure, Symantec, Kaspersky, NOD32, etc.)

If the e-mail comes as a fake Microsoft update and the user runs the infected attachment, the worm may display some of the following messages:
- This update does not need to be installed on this system.
- This will install Microsoft Security Update. Do you wish to continue?
- Update registry settings ...
- Installation was cancelled.
- This update has been successfully installed.
- Installation is not complete. Are you sure you want to cancel?

Spreading through Kazaa:
The worm finds the Kazaa shared folder through the registry and copies itself there. It can also create a new shared folder, through the registry, located in the Windows\Temp folder, and put a copy of itself there.
Spreading through mIRC:
The worm drops a script.ini so that it can send itself through mIRC, using one of these filenames:
IEPatch.exe
KaZaA upload.exe
Porn.exe
Sex.exe
XboX Emulator.exe
PS2 Emulator.exe
XP update.exe
XXX Video.exe
Sick Joke.exe
Free XXX Pictures.exe
My naked sister.exe
Hallucinogenic Screensaver.exe
Cooking with Cannabis.exe
Magic Mushrooms Growing.exe
I-Worm_Gibe Cleaner.exe

Spreading through the network:
The worm tries to copy itself as WebLoader.exe into the Startup folder on mapped network drives. The remote path is "constructed" using some of the following keywords: Windows, WinMe, Win95, Win98, \All Users, \Start menu\Programs\Startup, \Documents and Settings\, \Winnt\Profiles, All Users, Default User, Administrator

The worm may also send itself to a series of newsgroups listed in the file WMSysDx.bin.

Removal instructions:
- Manual removal: delete the following files:
  gibe.dll (in Windows folder)
  DX3DRndr.exe (in Windows folder)
  MSBugAdv.exe (in Windows folder)
  WMSysDx.bin (in Windows folder)
  p??????.exe (in Windows or Windows\Temp folder)
  q??????.exe (in Windows or Windows\Temp folder)
  (? can be any random digit, e.g. p338431.exe)
  Then remove the registry value:
  [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DxLoad] (the DxLoad value is "%Windows%\DX3DRndr.exe")
- Automatic removal: let BitDefender delete the files found infected.

ANALYZED BY: Patrik Vicol, Bitdefender Virus Researcher
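The indicators listed under SYMPTOMS and in the removal instructions can be checked on a host with the following PowerShell script. This is an added example, not part of the BitDefender description; it assumes the Windows folder is %windir% and the random-name copies follow the six-digit p??????.exe / q??????.exe pattern shown above. It only reports, so the manual removal steps still have to be carried out separately.

```powershell
# Added example: report Win32.Gibe.B@mm indicators from the description above.
# Nothing is deleted or modified; run as Administrator to read HKLM reliably.
$win = $env:windir

# Dropped files and the sizes given in the description. WMSysDx.bin's size is
# only approximate ("around 3,690 bytes"), so it is matched by name alone.
$expected = @{
    'gibe.dll'     = 155648
    'DX3DRndr.exe' = 73728
    'MSBugAdv.exe' = 24576
    'WMSysDx.bin'  = $null
}

$findings = @()
foreach ($name in $expected.Keys) {
    $path = Join-Path $win $name
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $len = (Get-Item -LiteralPath $path).Length
        $sizeMatch = ($null -eq $expected[$name]) -or ($len -eq $expected[$name])
        $findings += [pscustomobject]@{ Type = 'File'; Item = $path
            Detail = "size $len bytes"; SizeMatch = $sizeMatch }
    }
}

# Randomly named copies (six-digit pattern from the description, e.g.
# p338431.exe) in the Windows and Windows\Temp folders.
foreach ($dir in @($win, (Join-Path $win 'Temp'))) {
    $findings += Get-ChildItem -LiteralPath $dir -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^[pq]\d{6}\.exe$' } |
        ForEach-Object { [pscustomobject]@{ Type = 'File'; Item = $_.FullName
            Detail = "random-name copy, size $($_.Length) bytes"; SizeMatch = $null } }
}

# Registry indicators: the Run persistence value and the infection marker.
$regChecks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'DxLoad' }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Messenger Setup'; Name = 'Coded' }
)
foreach ($c in $regChecks) {
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $findings += [pscustomobject]@{ Type = 'Registry'; Item = "$($c.Key)\$($c.Name)"
            Detail = [string]$item.($c.Name); SizeMatch = $null }
    }
}

if ($findings.Count -eq 0) { 'No Gibe.B indicators found.' }
else { $findings | Format-Table -AutoSize }
```

A file present with a non-matching size is still worth a second look, since the description only gives the sizes seen for this variant.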