Publications Catalog Historical Documents Authorized Users of "CERT" US-CERT Vulnerability Notes Database Vulnerability Disclosure Policy Courses

CERT^® Incident Note IN-2002-02

The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.

W32/Gibe Malicious Code

Release Date: March 12, 2002
Last Updated: March 13, 2002

A complete revision history can be found at the end of this file.

Systems Affected

Systems running Microsoft Windows

Overview

The CERT/CC has received numerous reports of a piece of malicious code, written for the Windows platform, commonly known as W32/Gibe. W32/Gibe spreads via email disguised as a Microsoft security bulletin and patch. A user must execute the attached file in order to be infected. The payload is non-destructive, but a backdoor is installed that may allow an intruder access to the system.

I. Description

W32/Gibe is a Windows binary executable written in Visual Basic that is spreading via email. The email appears to be from Microsoft; however, Microsoft does not distribute patches via email. The Microsoft software distribution policy can be viewed at http://www.microsoft.com/technet/security/policy/swdist.asp

The email appears as the following:

From: Microsoft Corporation Security Center <rdquest12@microsoft.com>
To: Microsoft Customer <'customer@yourdomain.com'>
Subject: Internet Security Update
Attachment: q216309.exe

Microsoft Customer,

this is the latest version of security update, the "7 Mar 2002 Cumulative Patch" update which eliminates all known security vulnerabilities affecting Internet Explorer and MS Outlook/Express as well as six new vulnerabilities, and is discussed in Microsoft Security Bulletin MS02-005. Install now to protect your computer from these vulnerabilities, the most serious of which could allow an attacker to run code on your computer.

Description of several well-know vulnerabilities:

- "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability. If a malicious user sends an affected HTML e-mail or hosts an affected e-mail on a Web site, and a user opens the e-mail or visits the Web site, Internet Explorer automatically runs the executable on the user's computer.

- A vulnerability that could allow an unauthorized user to learn the location of cached content on your computer. This could enable the unauthorized user to launch compiled HTML Help (.chm) files that contain shortcuts to executables, thereby enabling the unauthorized user to run the executables on your computer.

- A new variant of the "Frame Domain Verification" vulnerability could enable a malicious Web site operator to open two browser windows, one in the Web site's domain and the other on your local file system, and to pass information from your computer to the Web site.

- CLSID extension vulnerability. Attachments which end with a CLSID file extension do not show the actual full extension of the file when saved and viewed with Windows Explorer. This allows dangerous file types to look as though they are simple, harmless files - such as JPG or WAV files - that do not need to be blocked.

System requirements:
Versions of Windows no earlier than Windows 95.

This update applies to:
Versions of Internet Explorer no earlier than 4.01
Versions of MS Outlook no earlier than 8.00
Versions of MS Outlook Express no earlier than 4.01

How to install
Run attached file q216309.exe

How to use
You don't need to do anything after installing this item.

For more information about these issues, read Microsoft Security Bulletin MS02-005, or visit link below.
http://www.microsoft.com/windows/ie/downloads/critical/default.asp
If you have some questions about this article contact us at rdquest12@microsoft.com

Thank you for using Microsoft products.

With friendly greetings,
MS Internet Security Center.
----------------------------------------
----------------------------------------
Microsoft is registered trademark of Microsoft Corporation.
Windows and Outlook are trademarks of Microsoft Corporation.

The email message created by W32/Gibe tries to convince users that the attached file is patch supplied by Microsoft. The attached file is in fact a copy of the malicious code.

The attached file has the following characteristics:

File name: q216309.exe
MD5: 739f917f746eb124514155cf36de5111
File size: 122880

When the attached file containing the malicious code is executed, it appears as though it is installing a Microsoft Security Update. It displays several dialog boxes during this process. The malicious code continues to execute regardless of the user's responses to the displayed dialog boxes. (Clicking "Cancel" will not stop the malicious code from executing.)

During execution, W32/Gibe creates the following files in the Windows root directory of the local system:

Q216309.exe (a copy of the malicious code)
Vtnmsccd.dll (a copy of the malicious code)
BcTool.exe (mass-mailing component)
WinNetW.exe (searches for email addresses)
GFXacc.exe (backdoor trojan)

The worm also creates the file 02_N803.dat in the Windows directory to store email addresses collected from the Microsoft Outlook address book and various other files on the local system.

The following values are added to the registry to ensure that the backdoor and mass-mailing functions run each time the system restarts:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\

LoadDBackUp = C:\Windows\BcTool.exe

3Dfx Acc = C:\Windows\GFXacc.exe

W32/Gibe also creates the registry key:

HKEY_LOCAL_MACHINE\Software\AVTech\

Installed = ...by Begbie

Default Address = (default email address)

Default Server = (default SMTP server)

If the user runs the attached file again, it displays a dialog box indicating that the patch has already been applied.

II. Impact

W32/Gibe installs a backdoor (GFXacc.exe), which listens on port 12378/tcp. This may allow an intruder to gain access to the system and execute arbitrary commands.

In addition, W32/Gibe mass-mails copies of itself to addresses found on the victim host. The victim and targeted sites may experience an increased load on the mail server when the malicious code is propagating.

III. Solution

Remove infected files from the system

If the attached file has not been executed, it should be safe to simply delete the message and attachment from your email client.

If the malicious code has run, it's possible to get rid of W32/Gibe by deleting all of its components from an infected system. It should be noted that this is an incomplete process; it will not remove the entries in the system registry. If possible, it is best to run an anti-virus product to repair the system and remove the associated files.

Configure email clients to block executable attachments

Many email clients can be configured to prevent users from opening potentially malicious executable attachments while reading mail.

Run and maintain an anti-virus product

It is important for users to update their anti-virus software. Most anti-virus software vendors have released updated information, tools, or virus databases to help detect and recover from W32/Gibe. A list of vendor-specific anti-virus information can be found in Appendix A.

Many anti-virus packages support automatic updates of virus definitions. We recommend using these automatic updates when available.

Exercise caution when opening attachments

Exercise caution when receiving email with attachments. Users should be suspicious of unexpected attachments regardless of their origin. In general, users should also always scan files received through email with an anti-virus product.

The following section of the "Home Network Security" document provides advice on handling email attachments securely:

http://www.cert.org/tech_tips/home_networks.html#IV-A-4

Filter the email or use a firewall

Sites can use email filtering techniques to delete messages containing subject lines known to contain the malicious code, or they can filter all attachments.

Appendix A - Vendor Information

Microsoft

The Microsoft PSS Security Response Team Alert for this issue can be found at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/gibe.asp The alert also tells how to contact Microsoft for free support for this sort of issue.

Outlook XP and Outlook 2000 and 98 with the Outlook Email Security Update are not vulnerable to this virus as they would automatically block the .exe attachment from being opened. More information on the Outlook Email Security Update can be found here: http://www.microsoft.com/office/ork/2000/journ/OutSecUpdate.htm

Norman Data Defense Systems

http://www.norman.com/virus_info/w32_gibe_a_mm.shtml

Panda Software

http://service.pandasoftware.es/servlet/panda.pandaInternet.EntradaDatosInternet?
operacion=EV2FichaVirus&idVirusFicha=2627&pestanaFicha=1&idioma=2

Proland Software

http://www.pspl.com/virus_info/worms/gibe.htm

Sophos

http://www.sophos.com/virusinfo/analyses/w32gibea.html

Symantec

http://securityresponse.symantec.com/avcenter/venc/data/pf/w32.gibe@mm.html

Trend Micro

http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_GIBE.A

You may wish to visit the CERT/CC's Computer Virus Resources Page located at:

http://www.cert.org/other_sources/viruses.html

Author(s): Brian B. King

This document is available from: http://www.cert.org/incident_notes/IN-2002-02.html

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

http://www.cert.org/

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Conditions for use, disclaimers, and sponsorship information

Revision History

March 12, 2002: Initial release
March 13, 2002: Added statement from Microsoft

CERT® Incident Note IN-2002-02