W32/Gibe Malicious Code
Last Updated: March 13, 2002
A complete revision history can be found at the end of this file.
The CERT/CC has received numerous reports of a piece of malicious code, written for the Windows platform, commonly known as W32/Gibe. W32/Gibe spreads via email disguised as a Microsoft security bulletin and patch. A user must execute the attached file in order to be infected. The payload is non-destructive, but a backdoor is installed that may allow an intruder access to the system.
W32/Gibe is a Windows binary executable written in Visual Basic that is spreading via email. The email appears to be from Microsoft; however, Microsoft does not distribute patches via email. The Microsoft software distribution policy can be viewed at http://www.microsoft.com/technet/security/policy/swdist.asp
The email appears as the following:
From: Microsoft Corporation Security Center <email@example.com>
To: Microsoft Customer <'firstname.lastname@example.org'>
Subject: Internet Security Update
- this is the latest version of security update, the "7 Mar 2002 Cumulative Patch" update which eliminates all known security vulnerabilities affecting Internet Explorer and MS Outlook/Express as well as six new vulnerabilities, and is discussed in Microsoft Security Bulletin MS02-005. Install now to protect your computer from these vulnerabilities, the most serious of which could allow an attacker to run code on your computer.
Description of several well-know vulnerabilities:
- "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability. If a malicious user sends an affected HTML e-mail or hosts an affected e-mail on a Web site, and a user opens the e-mail or visits the Web site, Internet Explorer automatically runs the executable on the user's computer.
- A vulnerability that could allow an unauthorized user to learn the location of cached content on your computer. This could enable the unauthorized user to launch compiled HTML Help (.chm) files that contain shortcuts to executables, thereby enabling the unauthorized user to run the executables on your computer.
- A new variant of the "Frame Domain Verification" vulnerability could enable a malicious Web site operator to open two browser windows, one in the Web site's domain and the other on your local file system, and to pass information from your computer to the Web site.
- CLSID extension vulnerability. Attachments which end with a CLSID file extension do not show the actual full extension of the file when saved and viewed with Windows Explorer. This allows dangerous file types to look as though they are simple, harmless files - such as JPG or WAV files - that do not need to be blocked.
This update applies to:
Versions of Windows no earlier than Windows 95.
Versions of Internet Explorer no earlier than 4.01
Versions of MS Outlook no earlier than 8.00
Versions of MS Outlook Express no earlier than 4.01
How to install
Run attached file q216309.exe
How to use
You don't need to do anything after installing this item.
For more information about these issues, read Microsoft Security Bulletin MS02-005, or visit link below.
If you have some questions about this article contact us at email@example.com
Thank you for using Microsoft products.
With friendly greetings,
MS Internet Security Center.
Microsoft is registered trademark of Microsoft Corporation.
Windows and Outlook are trademarks of Microsoft Corporation.
The email message created by W32/Gibe tries to convince users that the attached file is a patch supplied by Microsoft. The attached file is in fact a copy of the malicious code.
The attached file has the following characteristics:
File name: q216309.exe
File size: 122880 bytes
When the attached file containing the malicious code is executed, it appears as though it is installing a Microsoft Security Update. It displays several dialog boxes during this process. The malicious code continues to execute regardless of the user's responses to the displayed dialog boxes. (Clicking "Cancel" will not stop the malicious code from executing.)
During execution, W32/Gibe creates the following files in the Windows root directory of the local system:
- Q216309.exe (a copy of the malicious code)
- Vtnmsccd.dll (a copy of the malicious code)
- BcTool.exe (mass-mailing component)
- WinNetW.exe (searches for email addresses)
- GFXacc.exe (backdoor trojan)
The worm also creates the file 02_N803.dat in the Windows directory to store email addresses collected from the Microsoft Outlook address book and various other files on the local system.
The following values are added to the registry to ensure that the backdoor and mass-mailing functions run each time the system restarts:
- LoadDBackUp = C:\Windows\BcTool.exe
- 3Dfx Acc = C:\Windows\GFXacc.exe
W32/Gibe also creates a registry key containing the following values:
- Installed = ...by Begbie
- Default Address = (default email address)
- Default Server = (default SMTP server)
If the user runs the attached file again, it displays a dialog box indicating that the patch has already been applied.
W32/Gibe installs a backdoor (GFXacc.exe), which listens on port 12378/tcp. This may allow an intruder to gain access to the system and execute arbitrary commands.
In addition, W32/Gibe mass-mails copies of itself to addresses found on the victim host. The victim and targeted sites may experience an increased load on the mail server when the malicious code is propagating.
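The indicators above (dropped file names, the two autostart registry values, and the 12378/tcp listener) are what an administrator would check during triage. The following script is an added example, not CERT/CC tooling: it runs those indicators over three inputs an administrator would already have in hand, a listing of the Windows directory, a .reg export of the autostart key, and the output of netstat -an. All three inputs in the script are constructed for the demonstration; the registry key path shown in the sample export is an assumption, since the advisory names only the value names.

```python
"""Host triage for the W32/Gibe indicators listed in the advisory.

Added example, not CERT/CC tooling. The sample directory listing, .reg export
and netstat output below are constructed for the demonstration.
"""
import re

# Indicators from the advisory (compared case-insensitively, as Windows does).
GIBE_FILES = {"q216309.exe", "vtnmsccd.dll", "bctool.exe",
              "winnetw.exe", "gfxacc.exe", "02_n803.dat"}
GIBE_RUN_VALUES = {"loaddbackup": "bctool.exe", "3dfx acc": "gfxacc.exe"}
GIBE_BACKDOOR_PORT = 12378

# One value line of a .reg export: "Name"="data"
_REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def find_dropped_files(windows_dir_listing):
    """Return the advisory's file names that are present in a Windows directory listing."""
    return sorted(n for n in windows_dir_listing if n.lower() in GIBE_FILES)


def find_autostart_values(reg_export: str):
    """Scan a .reg export for the LoadDBackUp / 3Dfx Acc values pointing at Gibe binaries."""
    hits = []
    for line in reg_export.splitlines():
        m = _REG_VALUE.match(line.strip())
        if not m:
            continue
        name, data = m.group(1), m.group(2)
        target = GIBE_RUN_VALUES.get(name.lower())
        if target and data.lower().endswith(target):
            hits.append((name, data))
    return hits


def find_backdoor_listener(netstat_output: str, port: int = GIBE_BACKDOOR_PORT):
    """Return local endpoints in 'netstat -an' output that are LISTENING on the given TCP port."""
    listeners = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].upper() == "TCP" and parts[-1].upper() == "LISTENING":
            local = parts[1]
            if local.rsplit(":", 1)[-1] == str(port):
                listeners.append(local)
    return listeners


def triage(windows_dir_listing, reg_export: str, netstat_output: str) -> dict:
    """Combine the three checks; any hit means the host should be treated as infected."""
    files = find_dropped_files(windows_dir_listing)
    values = find_autostart_values(reg_export)
    listeners = find_backdoor_listener(netstat_output)
    return {
        "infected": bool(files or values or listeners),
        "dropped_files": files,
        "autostart_values": values,
        "backdoor_listeners": listeners,
    }


# Constructed sample inputs. The key path is assumed; the advisory names only the values.
SAMPLE_DIR = ["Explorer.exe", "Q216309.exe", "Vtnmsccd.dll", "BcTool.exe",
              "WinNetW.exe", "GFXacc.exe", "02_N803.dat", "win.ini"]

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"LoadDBackUp"="C:\\Windows\\BcTool.exe"
"3Dfx Acc"="C:\\Windows\\GFXacc.exe"
"""

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12378          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1033       192.168.1.9:139        ESTABLISHED
"""

if __name__ == "__main__":
    for key, val in triage(SAMPLE_DIR, SAMPLE_REG, SAMPLE_NETSTAT).items():
        print(f"{key}: {val}")
```

A listener on 12378/tcp is the strongest of the three signals, since it does not depend on the files keeping their original names; the file and registry checks are what the cleanup step in the next section acts on.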
Remove infected files from the system
If the attached file has not been executed, it should be safe to simply delete the message and attachment from your email client.
If the malicious code has run, W32/Gibe can be removed by deleting all of its components from an infected system. Note that this is an incomplete process: it will not remove the entries in the system registry. If possible, it is best to run an anti-virus product to repair the system and remove the associated files.
Configure email clients to block executable attachments
Many email clients can be configured to prevent users from opening potentially malicious executable attachments while reading mail.
Run and maintain an anti-virus product
It is important for users to update their anti-virus software. Most anti-virus software vendors have released updated information, tools, or virus databases to help detect and recover from W32/Gibe. A list of vendor-specific anti-virus information can be found in Appendix A.
Many anti-virus packages support automatic updates of virus definitions. We recommend using these automatic updates when available.
Exercise caution when opening attachments
Exercise caution when receiving email with attachments. Users should be suspicious of unexpected attachments regardless of their origin. In general, users should also always scan files received through email with an anti-virus product.
The following section of the "Home Network Security" document provides advice on handling email attachments securely:
Filter the email or use a firewall
Sites can use email filtering techniques to delete messages containing subject lines known to contain the malicious code, or they can filter all attachments.
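The two filtering options just described, matching the known subject line and refusing attachments, can be applied at a mail gateway before the message reaches a user's client. The script below is an added example, not CERT/CC code: it parses a raw message with Python's email package, flags the "Internet Security Update" subject, flags the q216309.exe attachment (corroborated by its 122880-byte size), and rejects executable attachment types either by extension or, in the stricter mode, outright. The list of blocked extensions is an assumed site policy, and the sample messages are constructed for the demonstration rather than captured.

```python
"""Mail-gateway check for the W32/Gibe lure described in the advisory.

Added example, not CERT/CC code. The sample messages are constructed here,
not captured from a real infection.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# Indicators from the advisory.
GIBE_SUBJECT = "Internet Security Update"
GIBE_ATTACHMENT = "q216309.exe"
GIBE_SIZE = 122880  # bytes

# Attachment types the gateway refuses regardless of sender (assumed site policy).
BLOCKED_EXTENSIONS = {".exe", ".com", ".pif", ".scr", ".bat", ".vbs"}


def classify_message(raw: bytes, block_all_attachments: bool = False) -> dict:
    """Return {'quarantine': bool, 'reasons': [...]} for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []

    subject = (msg.get("Subject") or "").strip()
    if subject.lower() == GIBE_SUBJECT.lower():
        reasons.append("subject matches the W32/Gibe lure")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name.lower())[1]
        if block_all_attachments:
            reasons.append(f"attachment {name!r} rejected: all attachments blocked")
        elif ext in BLOCKED_EXTENSIONS:
            reasons.append(f"attachment {name!r} rejected: executable type {ext}")
        if name.lower() == GIBE_ATTACHMENT:
            detail = "name matches W32/Gibe"
            if len(data) == GIBE_SIZE:
                detail += f" and size is {GIBE_SIZE} bytes"
            reasons.append(f"attachment {name!r}: {detail}")

    return {"quarantine": bool(reasons), "reasons": reasons}


def build_sample(subject: str, attachment_name: str = "", attachment_size: int = 0) -> bytes:
    """Construct a test message (not a real capture) with an optional binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Install now to protect your computer.")
    if attachment_name:
        payload = b"MZ".ljust(attachment_size, b"\0")  # placeholder bytes, not the worm
        msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: the lure, a plain message, and a legitimate document attachment.
GIBE_SAMPLE = build_sample("Internet Security Update", "q216309.exe", 122880)
CLEAN_SAMPLE = build_sample("Lunch on Friday?")
REPORT_SAMPLE = build_sample("Quarterly report", "report.pdf", 4096)

if __name__ == "__main__":
    for label, raw in (("lure", GIBE_SAMPLE), ("clean", CLEAN_SAMPLE), ("report", REPORT_SAMPLE)):
        print(label, classify_message(raw))
```

The subject-line match catches this particular worm but nothing else; the extension block is the durable control, which is why the advisory lists it separately. Checking the attachment size only corroborates the name match, since a variant with a different payload would not match it.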
Appendix A. Vendor Information
Central Command, Inc.
Command Software Systems
The Microsoft PSS Security Response Team Alert for this issue can be found at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/gibe.asp. The alert also tells how to contact Microsoft for free support for this sort of issue.
Outlook XP and Outlook 2000 and 98 with the Outlook Email Security Update are not vulnerable to this virus as they would automatically block the .exe attachment from being opened. More information on the Outlook Email Security Update can be found here: http://www.microsoft.com/office/ork/2000/journ/OutSecUpdate.htm
Norman Data Defense Systems
Author(s): Brian B. King
Copyright 2002 Carnegie Mellon University.
Revision History
March 12, 2002: Initial release
March 13, 2002: Added statement from Microsoft