[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [interesting-people Home]
Subject: BEWARE! It's a WORM! Re: IP: The next step in malicious spam
-----Original Message-----
From: Ari Ollikainen <Ari@OLTECO.com>
Date: Sat, 09 Mar 2002 09:20:13
To: farber@cis.upenn.edu
Subject: BEWARE! It's a WORM! Re: IP: The next step in malicious spam
>-----Original Message-----
>From: Joe Faber <joefaber@alumni.princeton.edu>
>Date: Sat, 09 Mar 2002 11:28:46
>To: <farber@cis.upenn.edu>
>Subject: The next step in malicious spam
>
>Dave,
>I'm used to ignoring spam, but this morning I woke up to find that I
>received no fewer than three 160K+ .exe attachments in my inbox
>purporting to be from Microsoft. They were from the "Microsoft
>Corporation Security Center" and used "Internet Security Update" as
>their subject heading. The email explains that the attached patch is
>the "5 Mar 2002 Cumulative Patch which eliminates all Ms
>Outlook/Express as well as six new vulnerabilities" [sic]. It goes
>on to list some of the specific vulnerabilities and system
>requirements. They even provide a link to a Microsoft security
>website (where I couldn't find any mention of the patch).
Read the following http://zdnet.com.com/2100-1105-853235.html
and act accordingly.
"...
Gibe worm poses as a Microsoft update
By Robert Vamosi
ZDNet Reviews & Solutions
March 6, 2002, 9:00 AM PT
What appears to be a new security update from Microsoft is actually a
clever attempt by a virus writer to spread a worm. Gibe (w32.gibe@mm)
is a nondestructive worm written in Visual Basic that attempts to
mass-mail itself to everyone in an address book. Fortunately, the
infected e-mail is plagued with spelling errors and should be easy to
spot. Because this worm is not destructive and only sends e-mail to
others, Gibe ranks as a 4 on the ZDNet Virus Meter.
[...]
The attached file is q216309.exe (122,880 bytes), which appears to be
a Microsoft Knowledge Base entry (it is not).
Users of non-Windows systems are not affected by this worm. If a
Windows user opens the attached file, Gibe will make the following
changes to the Registry:
HKLM\Software\AVTech\Settings\Default Address = (default address)
HKLM\Software\AVTech\Settings\DefaultServer = (default server)
HKLM\Software\AVTech\Settings\Installed = ...by Begbie
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\3dfx Acc = (path to gfxacc.exe)
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadDBackup = (path to bctool.exe)
These changes allow Gibe to install a backdoor Trojan horse that
becomes active every time the computer is rebooted. Gibe will also
create the following files in the Windows directory:
bctool.exe (32,768 bytes) - the mass-mailing component
winnetw.exe (20,480 bytes) - e-mail address finding component
q216309.exe (122,880 bytes) - a copy of the worm
vtnmsccd.dll (122,880 bytes) - a copy of the worm
gfxacc.exe (20,480 bytes) - the Trojan horse component
The file gfxacc.exe is the backdoor Trojan horse that could allow
malicious users into a PC. Alert users who monitor their systems with
a firewall may notice unusual traffic on port 12387 as a result of
Gibe.
Prevention
Users of Microsoft Outlook 2002 and users of Outlook 2000 who have
installed the Security Update should be safe from the EXE attachment
included with Gibe. Users who have not upgraded to Outlook 2002 or who
have not installed the Security Update for Outlook 2000 should do so.
In general, do not open attached files in e-mail without first saving
them to hard disk and scanning them with updated antivirus software.
Contact your antivirus vendor to obtain the most current antivirus
signature files that include Gibe.
Removal
A few antivirus software companies have updated their signature files
to include this worm. This will stop the infection upon contact and
in some cases will remove an active infection from your system. For
more information, see McAfee, Sophos, Symantec, and Trend Micro..."
---------------------------------------------------------------------
Dilbert's words of wisdom #18: Never argue with an idiot. They drag
you down to their level then beat you with experience.
---------------------------------------------------------------------
OLTECO, Networking Architecture and Technology
P.O. BOX 20088, Stanford, CA 94309-0088
Ari Ollikainen, Ari@OLTECO.com, 415.517.3519
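Added example (editor's note, not code from the original message or from the ZDNet article): a small mail-side triage script that flags the Gibe lure using only the indicators quoted above, the sender posing as the "Microsoft Corporation Security Center", the subject "Internet Security Update", and an attached q216309.exe of 122,880 bytes. The sample messages, the addresses update@example.com and user@example.org, and the list of executable suffixes are assumptions made for this example; the attachment bodies are zero-filled placeholders, not worm code.

```python
"""Mail-side triage for the Gibe lure described above (added example).

Indicators are taken from the quoted ZDNet text. Sample messages are
constructed here so the script runs offline; they are not captured copies
of the worm, and the attachment payloads are padding, not executable code.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

GIBE_SENDER = "microsoft corporation security center"
GIBE_SUBJECT = "internet security update"
GIBE_FILENAME = "q216309.exe"
GIBE_SIZE = 122880
# Assumption: attachment types worth quarantining when they arrive unsolicited.
EXECUTABLE_SUFFIXES = (".exe", ".com", ".pif", ".scr", ".bat", ".vbs", ".js")


def build_sample(sender, subject, attachment=None):
    """Construct a test message (constructed input, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.org"  # assumption: hypothetical recipient
    msg["Subject"] = subject
    msg.set_content("Attached is the 5 Mar 2002 Cumulative Patch.\n")
    if attachment is not None:
        name, size = attachment
        # A PE file starts with "MZ"; the rest is zero padding to the stated size.
        body = b"MZ" + b"\0" * (size - 2)
        msg.add_attachment(body, maintype="application",
                           subtype="octet-stream", filename=name)
    return bytes(msg)


def analyse(raw):
    """Parse one RFC 5322 message and return matched indicators and a verdict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    if GIBE_SENDER in (msg.get("From") or "").lower():
        hits.append("sender poses as Microsoft security center")
    if GIBE_SUBJECT in (msg.get("Subject") or "").lower():
        hits.append("subject 'Internet Security Update'")
    executables = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""  # decoded attachment bytes
        if name.endswith(EXECUTABLE_SUFFIXES):
            executables.append((name, len(data)))
        if name == GIBE_FILENAME:
            size_note = ", size matches" if len(data) == GIBE_SIZE else ""
            hits.append("attachment q216309.exe (%d bytes%s)" % (len(data), size_note))
    # The attachment name alone, or sender plus subject together, is Gibe;
    # any other unsolicited executable is still worth holding for review.
    if any(h.startswith("attachment") for h in hits) or len(hits) >= 2:
        verdict = "gibe"
    elif executables or hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "hits": hits, "executables": executables}


if __name__ == "__main__":
    lure = build_sample(
        '"Microsoft Corporation Security Center" <update@example.com>',
        "Internet Security Update", (GIBE_FILENAME, GIBE_SIZE))
    print(len(lure), "bytes on the wire:", analyse(lure))
```

A side note the script makes visible: the 122,880-byte file ZDNet reports and the "160K+" attachments Joe saw are the same thing. Base64 inflates the payload by a third, so the message body carrying q216309.exe is over 160 KB before headers are counted. Matching on the decoded attachment size rather than the message size is what makes the indicator reliable.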
For archives see:
http://www.interesting-people.org/archives/interesting-people/