Lumension® Endpoint Intelligence Center


Overview

Threat Risk: MEDIUM
Destructivity: MEDIUM
Payload: Installs a backdoor component.
Detection files published: 06 Mar 0020 03:00:00
Description created: 10 Mar 2002 03:00:00
Description updated: 16 Jan 2003 07:36:00
Malware type: WORM
Alias:
Spreading mechanism: EMAIL
Summary: None

W32/Gibe.A@mm

Spreading

The worm arrives in an email pretending to be a patch from Microsoft.

The attachment's file name looks like that of a legitimate Microsoft Security Update. Microsoft, however, never sends patches out as e-mail attachments.

When run, it will display an update window that looks as if it might belong to a Microsoft install utility.

While this window is displayed, the worm copies itself to the Windows directory as Q216309.EXE and to the System directory as VTNMSCCD.DLL. It then modifies the registry and drops a series of helper components to disk.

The helper components are:

WINNETW.EXE (20480 bytes): The address-collecting component. It harvests email addresses and saves them to a data file called 02_N803.DAT.

BCTOOLS.EXE (32768 bytes): The mailing component. It mails the worm to the addresses saved in 02_N803.DAT and to addresses found in web pages (HTM, HTML, ASP and PHP files).

The worm attempts two different styles of mailing: direct SMTP and Microsoft Outlook. The Outlook mailing appears to be buggy and nonfunctional. The worm also frequently sends corrupted copies of itself; these copies are not infectious and are usually 122823 bytes in size.

GFXACC.EXE (20480 bytes): A backdoor component. It opens a listening socket on port 12378.

The worm adds the following registry entries so that its components are started at boot:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, value "LoadDBackUp" = %WINDIR%\BCTOOL.EXE

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, value "3dfx Acc" = %WINDIR%\GFXACC.EXE

Some entries are also set up for the worm's own bookkeeping, under the key HKEY_LOCAL_MACHINE\Software\AVTech\Settings.
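The following host check is an added example and is not part of the Lumension description; it looks for the dropped files, the Run values, the AVTech\Settings key and the port 12378 listener described above. It assumes PowerShell 5.1 or later in an elevated session, that the backdoor listens on TCP (the description only says "port 12378"), and that helper components whose location the description does not give sit in the Windows or System directory.

```powershell
# Added example: check a Windows host for the W32/Gibe.A@mm artefacts.
$windir = $env:SystemRoot
$sysdir = Join-Path $windir 'System32'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files. Q216309.EXE and VTNMSCCD.DLL locations come from the
#    description; the helpers are assumed to be in one of the two directories.
$names = @('Q216309.EXE', 'VTNMSCCD.DLL', 'WINNETW.EXE',
           'BCTOOLS.EXE', 'GFXACC.EXE', '02_N803.DAT')
foreach ($dir in $windir, $sysdir) {
    foreach ($n in $names) {
        $p = Join-Path $dir $n
        if (Test-Path -LiteralPath $p) {
            $size = (Get-Item -LiteralPath $p).Length
            $findings.Add("file present: $p ($size bytes)")
        }
    }
}

# 2. Persistence: Run values and the bookkeeping key. A 32-bit worm on 64-bit
#    Windows writes under WOW6432Node, so both registry views are checked.
foreach ($sw in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
    $run = "$sw\Microsoft\Windows\CurrentVersion\Run"
    foreach ($v in 'LoadDBackUp', '3dfx Acc') {
        $item = Get-ItemProperty -Path $run -Name $v -ErrorAction SilentlyContinue
        if ($item) { $findings.Add("Run value '$v' = $($item.$v) under $run") }
    }
    if (Test-Path "$sw\AVTech\Settings") {
        $findings.Add("bookkeeping key present: $sw\AVTech\Settings")
    }
}

# 3. Backdoor: anything listening on port 12378 (assumed TCP;
#    Get-NetTCPConnection needs Windows 8 / Server 2012 or later).
$l = Get-NetTCPConnection -LocalPort 12378 -State Listen -ErrorAction SilentlyContinue
foreach ($c in $l) {
    $proc = (Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    $findings.Add("TCP listener on 12378 owned by PID $($c.OwningProcess) ($proc)")
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Gibe.A@mm indicators found.'
} else {
    Write-Output 'W32/Gibe.A@mm indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
    exit 1
}
```

A non-zero exit code makes the script usable from a scheduled task or endpoint-management job; a hit on the Run values or the listener warrants isolating the host, since the page gives no removal procedure.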

Payload Details

n/a

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:12