Content

W32/Riba@M

Type
Virus
SubType
Email
Discovery Date
04/08/2008
Length
Minimum DAT
5269 (04/08/2008)
Updated DAT
5269 (04/08/2008)
Minimum Engine
5.1.00
Description Added
04/08/2008
Description Modified
04/11/2008 12:21 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

When executed, it drops the following files:

  • %Downloaded Program Files%\gbieh.dll  [Zero Kilobytes in size]
  • %Downloaded Program Files%\gbiehabh.dll  [Zero Kilobytes in size]
  • %Downloaded Program Files%\gbiehCef.dll  [Zero Kilobytes in size]
  • %Downloaded Program Files%\GbpDist.dll  [Zero Kilobytes in size]
  • %System%\GBIEHCEF.exe [Detected as W32/Riba@M]
  • %System%\OSSMTP.dll [Innocent File]
  • %System%\OSSMTPP.exe [Detected as W32/Riba@M]
  • %System%\OSSMTPPPO.gpc [Copy of the worm]
  • %System%\scpsssh2.dll [Zero Kilobytes in size]

Note:

  • %System% is a variable location and by default it refers to the “C:\Windows\System32” folder
  • %Downloaded Program Files% is a variable location and by default refers to
    “C:\Windows\Downloaded Program Files folder”

The worm then creates the following registry entry to ensure its execution at system startup:

  • Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
    Explorer = "%System%\GBIEHCEF.exe"

The worm then attempts to connect to http://joedson2008.brinkster.net/[Removed]. This could be to download more malware.

Miscellaneous Info:

  • The worm has an SMTP engine which it could use to try and send mails to set of predetermined mail addresses with a copy of the worm
  • This worm uses the windows “Email Icon” as its icon  [See Image Below]. This is to trick users into opening it, effectively executing the worm


 

Symptoms

Presence of files and registry entries mentioned earlier.

Method of Infection

This worm can send a copy of itself as an attachment to email addresses. It could also spread manually, often under the premise that the executable is something beneficial. The worm may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.

Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

All Information

Overview -

This description is for a worm which is capable of spreading via email.

The characteristics of this worm with regards to the file names, port numbers used, files and folders created etc. will differ depending on the way in which the attacker had configured it. Hence, this is a general description.

Characteristics

Characteristics -

When executed, it drops the following files:

  • %Downloaded Program Files%\gbieh.dll  [Zero Kilobytes in size]
  • %Downloaded Program Files%\gbiehabh.dll  [Zero Kilobytes in size]
  • %Downloaded Program Files%\gbiehCef.dll  [Zero Kilobytes in size]
  • %Downloaded Program Files%\GbpDist.dll  [Zero Kilobytes in size]
  • %System%\GBIEHCEF.exe [Detected as W32/Riba@M]
  • %System%\OSSMTP.dll [Innocent File]
  • %System%\OSSMTPP.exe [Detected as W32/Riba@M]
  • %System%\OSSMTPPPO.gpc [Copy of the worm]
  • %System%\scpsssh2.dll [Zero Kilobytes in size]

Note:

  • %System% is a variable location and by default it refers to the “C:\Windows\System32” folder
  • %Downloaded Program Files% is a variable location and by default refers to
    “C:\Windows\Downloaded Program Files folder”

The worm then creates the following registry entry to ensure its execution at system startup:

  • Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
    Explorer = "%System%\GBIEHCEF.exe"

The worm then attempts to connect to http://joedson2008.brinkster.net/[Removed]. This could be to download more malware.

Miscellaneous Info:

  • The worm has an SMTP engine which it could use to try and send mails to set of predetermined mail addresses with a copy of the worm
  • This worm uses the windows “Email Icon” as its icon  [See Image Below]. This is to trick users into opening it, effectively executing the worm


 

Symptoms

Symptoms -

Presence of files and registry entries mentioned earlier.

Method of Infection

Method of Infection -

This worm can send a copy of itself as an attachment to email addresses. It could also spread manually, often under the premise that the executable is something beneficial. The worm may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.

Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal -

Removal -

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants -

    N/A