W32/Gibe.b@MM

Type: Virus
SubType: Worm
Discovery Date: 02/24/2003
Length: 155,648 bytes
Minimum DAT: 4250 (02/26/2003)
Updated DAT: 4250 (02/26/2003)
Minimum Engine: 5.1.00
Description Added: 02/25/2003
Description Modified: 02/26/2003 9:29 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

McAfee products proactively detect this threat as New Worm when scanning with program heuristics enabled, using the 4168 - 4249 DAT files.

This worm (a new variant of W32/Gibe@MM) is written in Visual Basic and propagates through various channels:

  1. Mass-mailing (message mimics a Microsoft Security Update)
  2. Network shares (copies itself as WEBLOADER.EXE to startup folder on mapped drives)
  3. IRC (via dropped SCRIPT.INI file)
  4. KaZaa peer-to-peer file sharing network

Strings within the worm suggest it may also be intended to propagate via sharing itself through KaZaa file-sharing networks, and via sending itself to Newsgroups. This information will be updated once analysis is complete.

Mass-Mailing

The worm is intended to mail itself to all entries in the Outlook Address Book (Contacts list) and Windows Address Book (WAB). Email addresses are also harvested from temporary internet files (these addresses are written to file %WINDIR%\MSERR.BAK).

The worm uses both Outlook and its own SMTP engine to construct outgoing messages. Outgoing messages may be formatted to mimic a Microsoft Security Update. Various subject lines are used, with or without a FW:, FWD: or RE: prefix. For example:

  • FWD: Prove these security update from Microsoft
  • Re: Look at this patch from Microsoft
  • Take a look at this patch from M$ Corporation

The attachment name also varies - UPDATE$$$.EXE or PATCH$$$.EXE (where $$$ are 3 random digits). For example: PATCH107.EXE, UPDATE989.EXE, UPDATE802.EXE.

Strings within the worm suggest that when it constructs outgoing messages using its own SMTP engine, it exploits two Internet Explorer vulnerabilities (IFRAME and incorrect MIME header) in order to run itself when the recipient previews the email (on unpatched systems). See Microsoft Security Bulletin (MS01-020) for more information and a patch concerning these exploits.

An example message is shown below:

Subject: Look at the patch from M$ Corporation
Attachment: UPDATE989.EXE (155,648 bytes)
Body:

Network Share Propagation

The worm attempts to copy itself to the startup folder on mapped network drives. It uses a series of hardcoded strings to construct various paths to such folders, and if the folder exists, the worm copies itself there as WEBLOADER.EXE. The remote path is constructed from the following components:

  1. Windows, WinMe, Win95 or Win98
  2. \All Users
  3. \Start menu\Programs\Startup
  4. \Documents and Settings\
  5. \Winnt\Profiles
  6. All Users
  7. Default User
  8. Administrator

For example:

  • R:\Documents and Settings\All Users\Start Menu\Programs\Startup
  • R:\Windows\Start Menu\Programs\Startup
  • R:\Win95\All Users\Start Menu\Programs\Startup

IRC propagation

The worm drops a SCRIPT.INI file in order to spread via IRC channels when the mIRC client is next started. SCRIPT.INI is detected as MIRC/Generic by McAfee products using the 4164 DATs or greater.

The worm may spread over IRC with one of the following filenames:

  • IEPatch.exe
  • KaZaA upload.exe
  • Porn.exe
  • Sex.exe
  • XboX Emulator.exe
  • PS2 Emulator.exe
  • XP update.exe
  • XXX Video.exe
  • Sick Joke.exe
  • Free XXX Pictures.exe
  • My naked sister.exe
  • Hallucinogenic Screensaver.exe
  • Cooking with Cannabis.exe
  • Magic Mushrooms Growing.exe
  • I-Worm_Give Cleaner.exe

KaZaa network propagation

The worm retrieves the specified KaZaa shared folder from the registry and copies itself to that location, using the aforementioned filenames for IRC propagation. Additionally, the worm creates a new KaZaa shared folder, via the registry, which points to a folder created in the WINDOWS TEMP (%Temp%) directory. This folder uses a random name (such as mtjs.446) and contains similarly named worm executable files.

Symptoms

Existence of the following files in %WinDir%:

  • DX3DRndr.exe (73,728 bytes)
  • gibe.dll (155,648 bytes)
  • MSBugAdv.exe (24,576 bytes)
  • Update.exe (155,648 bytes)
  • WMSysDx.bin (3,691 bytes)

Existence of the following Registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Messenger Setup
"Coded" = ... by Begbie


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"DxLoad" = C:\WINNT\DX3DRndr.exe
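As an added example (not McAfee's code), the following Python checker applies the indicators from the Symptoms, Mass-Mailing and Network Share Propagation sections above (dropped file names and sizes, the UPDATE$$$.EXE / PATCH$$$.EXE naming, the WEBLOADER.EXE startup-folder copy, and the two Registry values) to an offline host inventory. The inventory format and the sample entries are assumptions constructed for illustration.

```python
import ntpath
import re

# Dropped files and sizes from the Symptoms section (%WinDir% copies).
DROPPED = {"dx3drndr.exe": 73728, "gibe.dll": 155648, "msbugadv.exe": 24576,
           "update.exe": 155648, "wmsysdx.bin": 3691}
WORM_SIZE = 155648                                     # size of the worm body
NAMED_COPY = re.compile(r"(update|patch)\d{3}\.exe")   # UPDATE$$$.EXE / PATCH$$$.EXE
STARTUP_COPY = r"\start menu\programs\startup\webloader.exe"  # mapped-drive copy
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
CFG_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Internet Settings\Messenger Setup")


def match_files(listing):
    """listing: iterable of (full_path, size_in_bytes); returns hit strings."""
    hits = []
    for path, size in listing:
        name = ntpath.basename(path).lower()
        if DROPPED.get(name) == size:
            hits.append(f"dropped file: {path}")
        elif NAMED_COPY.fullmatch(name) and size == WORM_SIZE:
            hits.append(f"worm copy under attachment-style name: {path}")
        elif path.lower().endswith(STARTUP_COPY):
            hits.append(f"startup-folder copy on mapped drive: {path}")
    return hits


def match_registry(values):
    """values: dict mapping (key_path, value_name) -> data string."""
    hits = []
    run = values.get((RUN_KEY, "DxLoad"), "")
    if run.lower().endswith("dx3drndr.exe"):
        hits.append(f"Run key DxLoad -> {run}")
    if (CFG_KEY, "Coded") in values:
        hits.append("Messenger Setup\\Coded value present")
    return hits


def scan(listing, values):
    return match_files(listing) + match_registry(values)


# Constructed sample inventory (not real data): one clean file, three file
# indicators and two Registry indicators, so scan() should return five hits.
SAMPLE_FILES = [(r"C:\WINNT\DX3DRndr.exe", 73728),
                (r"C:\WINNT\notepad.exe", 66048),
                (r"C:\WINNT\Update989.exe", 155648),
                (r"R:\Windows\Start Menu\Programs\Startup\WEBLOADER.EXE", 155648)]
SAMPLE_REG = {(RUN_KEY, "DxLoad"): r"C:\WINNT\DX3DRndr.exe",
              (CFG_KEY, "Coded"): "... by Begbie"}
```

Size is checked alongside the name so that a legitimate Update.exe of a different length is not reported.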

Method of Infection

When executed on the victim machine, the worm copies itself multiple times to the local disk:

The following files are dropped:

  • DX3DRndr.exe (73,728 bytes) - mailing component
  • gibe.dll (155,648 bytes) - copy of the worm
  • MSBugAdv.exe (24,576 bytes) - harvests email addresses, retrieves/displays 'Contact Us' page for Microsoft
  • Update.exe or Update989.exe (155,648 bytes) - copy of the worm
  • WMSysDx.bin (3,691 bytes) - text file containing list of remote servers

A copy of the worm is also written to the system temp folder, with one of the following filenames (this is the copy that is intended to share via IRC):

  • IEPatch.exe
  • KaZaA upload.exe
  • Porn.exe
  • Sex.exe
  • XboX Emulator.exe
  • PS2 Emulator.exe
  • XP update.exe
  • XXX Video.exe
  • Sick Joke.exe
  • Free XXX Pictures.exe
  • My naked sister.exe
  • Hallucinogenic Screensaver.exe
  • Cooking with Cannabis.exe
  • Magic Mushrooms Growing.exe
  • I-Worm_Give Cleaner.exe

The following Registry key is added to hook system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"DxLoad" = C:\WINNT\DX3DRndr.exe

The following Registry key is added under which various configuration settings are stored:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Messenger Setup

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Gibe.b (AVP)
  • W32/Gibe-D (Sophos)
