Guest — Posted March 12, 2002

> 3/12/2002:
>
> From the Symantec web site at
> http://securityresponse.symantec.com/avcenter/venc/data/w32.gibemm (DOT) html
>
> W32.Gibe@mm is a worm that uses Microsoft Outlook and its own SMTP engine to
> spread. This worm arrives in an email message--which is disguised as a
> Microsoft Internet Security Update--as the attachment Q216309.exe.
>
> Payload:
> Large scale e-mailing: Sends to addresses found in Microsoft Outlook Address
> book and by searching .htm, .html, .asp, and .php files. Compromises
> security settings: Installs a Backdoor Trojan which allows remote access to
> the infected system
>
> Distribution:
> Subject of email: Internet Security Update
> Name of attachment: Q216309.exe
> Size of attachment: 122,880 bytes
> Ports: 12378
>
>
> Technical description:
>
> The fake message, which is not from Microsoft, has the following
> characteristics:
>
> From: Microsoft Corporation Security Center
> Subject: Internet Security Update
> Message:
> Microsoft Customer,
> this is the latest version of security update, the update which eliminates
> all known security vulnerabilities affecting Internet Explorer and MS
> Outlook/Express as well as six new vulnerabilities
> .
> .
> .
> How to install
> Run attached file q216309.exe
> How to use
> You don't need to do anything after installing this item.
> .
> .
> .
> Attachment: Q216309.exe
>
>
> The attached file, Q216309.exe, is written in Visual Basic; it contains
> other worm components inside itself. When the attached file is executed, it
> does the following:
> It creates the following files:
> \Windows\Q216309.exe (122,880 bytes). This is the whole package containing
> the worm.
> \Windows\Vtnmsccd.dll (122,880 bytes). This file is the same as Q216309.exe.
> \Windows\BcTool.exe (32,768 bytes). This is the worm component that spreads
> using Microsoft Outlook and SMTP.
> \Windows\GfxAcc.exe (20,480 bytes). This is the Backdoor Trojan component of
> the worm that opens port 12378.
> \Windows\02_N803.dat (size varies). This is the data file that the worm
> creates to store email addresses that it finds.
> \Windows\WinNetw.exe (20,480 bytes). This is the component that searches for
> email addresses and writes them to 02_N803.dat.
>
> NOTE: Norton AntiVirus detects all of these files as W32.Gibe@mm except the
> 02_N803.dat file, which contains only data.
>
> Next, the worm adds the following values:
> LoadDBackUp C:\Windows\BcTool.exe
> 3Dfx Acc C:\Windows\GFXACC.exe
> to the registry key
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> The worm also creates the key
> HKEY_LOCAL_MACHINE\Software\AVTech\Settings
> and adds the following values to that key:
> Installed ... by Begbie
> Default Address
> Default Server
>
> Finally, BcTool.exe attempts to send the \Windows\Q216309.exe file to email
> addresses in the Microsoft Outlook address book, and to addresses
> that it found in .htm, .html, .asp, and .php files and wrote to the
> 02_N803.dat file.
>
> For removal instructions, please see
> http://securityresponse.symantec.com/avcenter/venc/data/w32.gibemm (DOT) html.
>
> Users of McAfee VirusScan can go to
> http://vil.nai.com/vil/content/v_99377.htm for more information.
>
> <!--
> M. , Ph.D., www.KM.net
> Related information at:
> www.BioAnth.org, www.MedAnth.org, www.IGHC.org,
> www.Prehistory.org & www.Plagiocephaly.org
> -->
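The lure characteristics listed in the quoted advisory (sender display name, subject, attachment name and size) are enough for a mail-gateway triage rule. The following is an added example, not Symantec's or the poster's code; the sample message it builds is constructed for the demo and its attachment is inert filler of the advisory's stated size, and the sender address is a hypothetical placeholder.

```python
"""Triage rule for the W32.Gibe@mm lure described in the advisory above."""
import email
from email import policy
from email.message import EmailMessage

LURE_SUBJECT = "internet security update"
LURE_FROM_NAME = "microsoft corporation security center"
LURE_ATTACHMENT = "q216309.exe"
LURE_SIZE = 122_880  # bytes, as stated in the advisory


def gibe_indicators(raw: bytes) -> list[str]:
    """Return the advisory indicators present in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg.get("Subject") or "").strip().lower() == LURE_SUBJECT:
        hits.append("subject")
    if LURE_FROM_NAME in (msg.get("From") or "").lower():
        hits.append("from-display-name")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == LURE_ATTACHMENT:
            hits.append("attachment-name")
            payload = part.get_payload(decode=True) or b""
            if len(payload) == LURE_SIZE:
                hits.append("attachment-size")
    return hits


def build_sample(size: int = LURE_SIZE) -> bytes:
    """Constructed lure mirroring the advisory's headers (not the real worm)."""
    msg = EmailMessage()
    # Hypothetical sender address; only the display name matters to the rule.
    msg["From"] = "Microsoft Corporation Security Center <hypothetical@example.invalid>"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Internet Security Update"
    msg.set_content("Microsoft Customer, this is the latest version of security update")
    # Inert zero-filled attachment of the advisory's stated size.
    msg.add_attachment(b"\x00" * size, maintype="application",
                       subtype="octet-stream", filename="Q216309.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    print(gibe_indicators(build_sample()))
```

A message that matches all four indicators should be quarantined for analyst review; a name-only match on Q216309.exe is still worth flagging, since size alone varies across repacks.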