W32/Gibe@MM
- Type: Virus
- SubType:
- Discovery Date: 03/04/2002
- Length: 122,880 bytes
- Minimum DAT: 4189 (03/06/2002)
- Updated DAT: 4317 (01/21/2004)
- Minimum Engine: 5.1.00
- Description Added: 03/04/2002
- Description Modified: 10/17/2003 2:27 PM (PT)
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- W32/Gibe.gen@MM
Characteristics
-- Update March 12, 2002 --
To date, more than 50% of the W32/Gibe samples received are damaged. The file header is corrupt. Therefore, the files do not run or infect. The 4190 DATs include detection of these corrupted files as W32/Gibe.dam.
This mass-mailing worm masquerades as a Microsoft Security Update patch (named Q216309.EXE) in order to dupe users into executing it.
The worm is intended to mail itself using both Microsoft Outlook and the default SMTP server of the victim machine. However, in testing the worm proved buggy and did not successfully use Outlook to spread.
Once executed, the worm retrieves the default Internet Account details from the Registry, and creates the following keys, writing this data there:
- HKEY_LOCAL_MACHINE\Software\AVTech
- HKEY_LOCAL_MACHINE\Software\AVTech\Settings "Default Address" (default SMTP email address)
- HKEY_LOCAL_MACHINE\Software\AVTech\Settings "Default Server" (default SMTP server)
- HKEY_LOCAL_MACHINE\Software\AVTech\Settings "Installed" = ...by Begbie
The WINNETW.EXE component of the worm queries two Internet-based email address directories. It parses email addresses from the returned data, writing them to 02_N803.DAT (repeatedly).
The following two Registry keys are set in order to run the worm components:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "3dfx Acc" = %windir%\GFXACC.EXE
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "LoadDBackup" = %windir%\BCTOOL.EXE
Upon restarting the machine, BCTOOL.EXE runs, mailing the worm to all the email addresses listed in 02_N803.DAT, using the default SMTP server.
The final component of this worm, GFXACC.EXE, is a backdoor Trojan, opening port 12378 on the infected machine. This component is detected as BackDoor-ABJ by the indicated DATs.
Symptoms
1. Presence of the following files:
- %windir%\BCTOOL.EXE (32,768 bytes)
- %windir%\WINNETW.EXE (20,480 bytes)
- %windir%\Q216309.EXE (122,880 bytes)
- %windir%\VTNMSCCD.DLL (122,880 bytes)
- %windir%\GFXACC.EXE (20,480 bytes)
- %windir%\02_N803.DAT (variable)
2. Port 12378 open.
3. Existence of the following Registry key:
- HKEY_LOCAL_MACHINE\Software\AVTech
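The indicators listed in the Characteristics and Symptoms sections (file names and sizes under %windir%, the listener on port 12378, the AVTech key and the two Run values) can be checked offline against artefacts collected from a host. The script below is an added example, not McAfee's code and not part of this description; it assumes three inputs the responder already has: a (path, size) listing of %windir%, the text of a Windows `netstat -an` capture, and a .reg export. All sample data in it is constructed.

```python
# Added example (not from the McAfee description): offline triage of collected
# host artefacts against the W32/Gibe@MM indicators. Standard library only.
import re
from typing import Dict, List, Optional, Tuple

# Indicators taken from the description. Sizes are bytes; None means the file
# has no fixed size (02_N803.DAT grows as addresses are harvested).
GIBE_FILES: Dict[str, Optional[int]] = {
    "BCTOOL.EXE": 32768,
    "WINNETW.EXE": 20480,
    "Q216309.EXE": 122880,
    "VTNMSCCD.DLL": 122880,
    "GFXACC.EXE": 20480,
    "02_N803.DAT": None,
}
GIBE_PORT = 12378
GIBE_REG_KEY = r"HKEY_LOCAL_MACHINE\Software\AVTech"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
GIBE_RUN_VALUES = {"3dfx Acc": "GFXACC.EXE", "LoadDBackup": "BCTOOL.EXE"}


def check_files(listing: List[Tuple[str, int]]) -> List[str]:
    """listing: (path, size_in_bytes) pairs for %windir%. A name from the IoC list
    is always reported; a size differing from the description is noted on the hit
    rather than used to suppress it."""
    hits = []
    for path, size in listing:
        name = path.replace("/", "\\").rsplit("\\", 1)[-1].upper()
        if name not in GIBE_FILES:
            continue
        expected = GIBE_FILES[name]
        note = "" if expected is None or expected == size else f" (size {size}, expected {expected})"
        hits.append(f"file {path}{note}")
    return hits


def check_ports(netstat_output: str) -> List[str]:
    """Parse `netstat -an` style lines (assumed Windows column layout:
    Proto, Local Address, Foreign Address, State) and flag a listener on 12378."""
    hits = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[-1])
            if port == GIBE_PORT:
                hits.append(f"listening port {port} ({parts[1]})")
    return hits


def check_registry(reg_export: str) -> List[str]:
    """Scan a .reg export. Flags the AVTech key (and its subkeys) and any Run
    value that names the worm's executables, by value name or by image path."""
    hits = []
    current_key = None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            if current_key.lower().startswith(GIBE_REG_KEY.lower()):
                hits.append(f"registry key {current_key}")
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if m and current_key and current_key.lower() == RUN_KEY.lower():
            name, data = m.group(1), m.group(2)
            if name in GIBE_RUN_VALUES or data.upper().endswith(tuple(GIBE_RUN_VALUES.values())):
                hits.append(f"run value {name} = {data}")
    return hits


def triage(listing, netstat_output: str, reg_export: str) -> List[str]:
    """Combine the three checks; an empty result means no Gibe indicator was seen."""
    return check_files(listing) + check_ports(netstat_output) + check_registry(reg_export)


# Constructed sample artefacts (not captured from a real host).
SAMPLE_LISTING = [
    (r"C:\WINNT\NOTEPAD.EXE", 50960),
    (r"C:\WINNT\BCTOOL.EXE", 32768),
    (r"C:\WINNT\GFXACC.EXE", 20480),
    (r"C:\WINNT\02_N803.DAT", 4431),
]
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12378          0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1043          10.0.0.9:25            ESTABLISHED
"""
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\AVTech\Settings]
"Default Server"="smtp.example.invalid"
"Installed"="...by Begbie"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"3dfx Acc"="C:\\WINNT\\GFXACC.EXE"
"LoadDBackup"="C:\\WINNT\\BCTOOL.EXE"
"Synchronization Manager"="mobsync.exe /logon"
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LISTING, SAMPLE_NETSTAT, SAMPLE_REG):
        print("SUSPECT:", hit)
```

The Run-key check matches on both the value name and the image path, because either alone is easy to miss: a damaged (W32/Gibe.dam) sample may never set the values, while a later variant could keep the same executables under a different name.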
Method of Infection
This virus spreads via email, masquerading as a Microsoft security update file named Q216309.EXE. Executing this file infects the local machine.
The following files are dropped:
- %windir%\BCTOOL.EXE
- %windir%\WINNETW.EXE
- %windir%\VTNMSCCD.DLL
- %windir%\GFXACC.EXE
Modifications to the Registry are made in order to execute the virus components (BCTOOL.EXE and GFXACC.EXE) at system startup.
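Because the worm arrives as a mail attachment named Q216309.EXE, the point at which a defender can stop it is the mail gateway. The following is an added example, not McAfee's code and not part of this description, of a gateway-style check written with Python's standard `email` package: it holds any message whose attachment carries the lure name or size from this description, any executable attachment, and any attachment whose content starts with the PE "MZ" signature regardless of its name. The test message it builds is constructed (placeholder sender, subject and inert filler bytes); nothing in it is the worm.

```python
# Added example (not from the McAfee description): mail-gateway check for the
# W32/Gibe@MM lure. Standard library only.
import email
from email import policy
from email.message import EmailMessage
from typing import List

LURE_ATTACHMENT = "Q216309.EXE"   # file name the worm arrives as (from the description)
LURE_SIZE = 122880                # length of the dropper in bytes (from the description)
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")


def classify_message(raw: bytes) -> List[str]:
    """Return the reasons a message should be held; an empty list means it passes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons: List[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        lower = name.lower()
        if lower == LURE_ATTACHMENT.lower():
            reasons.append(f"attachment named {name} (W32/Gibe@MM lure)")
            if len(payload) == LURE_SIZE:
                reasons.append(f"attachment size {len(payload)} matches the W32/Gibe@MM dropper")
        elif lower.endswith(EXECUTABLE_EXTS):
            reasons.append(f"executable attachment {name}")
        # Content check independent of the file name: a PE image starts with "MZ".
        if payload[:2] == b"MZ" and not lower.endswith(EXECUTABLE_EXTS):
            reasons.append(f"attachment {name} is a PE executable despite its name")
    return reasons


def build_sample(attachment_name: str, size: int, pe_magic: bool = True) -> bytes:
    """Construct a test message shaped like the lure. The attachment is inert
    filler, optionally prefixed with the PE "MZ" magic; it is not the worm."""
    m = EmailMessage()
    m["From"] = "updates@example.invalid"     # constructed placeholder sender
    m["To"] = "user@example.invalid"
    m["Subject"] = "Security update"          # constructed subject line
    m.set_content("Please install the attached update.")
    filler = (b"MZ" if pe_magic else b"XX") + b"\x00" * (size - 2)
    m.add_attachment(filler, maintype="application", subtype="octet-stream",
                     filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    for reason in classify_message(build_sample(LURE_ATTACHMENT, LURE_SIZE)):
        print("HOLD:", reason)
```

The name and size rules catch this specific worm; the "MZ" content rule is the one that keeps working when the next mass mailer renames its attachment, which is why it runs on every part rather than only on the lure name.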
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations
Variants
- W32/Gibe.dam