Sophos

W32/Gibe-F

Aliases
  • W32/Swen.A@mm
  • I-Worm.Swen
  • Worm.Automat.AHB
  • WORM_SWEN.A
  • Swen.B
  • Swen.C

Summary

Affected operating systems Windows
Included in our products from November 2003 (3.75)
Protection available since 28 September 2003 09:47:22 (GMT)
Last updated 6 October 2003 13:16:51 (GMT)
Detected by All Sophos products

Action

Please read the instructions on how to remove the W32/Gibe-F worm and ensure your system is not vulnerable to reinfection.

More Information

W32/Gibe-F is a worm which spreads by emailing itself, using its own SMTP engine, to addresses harvested from files on the victim's drives (e.g. MBX and DBX mailbox files). It also spreads through KaZaA peer-to-peer shared folders and IRC channels, copies itself to the Startup folder of mapped network drives, and may attempt to spread via Usenet newsgroups (NNTP).

W32/Gibe-F attempts to harvest email account details by displaying a fake MAPI error dialog box with fields for user name, password, email address and server names.

W32/Gibe-F fake mapi error dialog

If the worm is run from a filename beginning with P, Q, U or I (in either case), W32/Gibe-F displays one of the messages

"Microsoft Internet Update Pack
This update does not need to be installed on this system" or

"This will install Microsoft Security Update. Do you wish to continue?"

and may also pretend to be an installation package by displaying an
installation window with the following messages in the title bar:

"Searching for installed components ..."
"Extracting files ..."
"Copying files ..."
"Updating registry ..."

If W32/Gibe-F detects a debugger active in memory, it displays the message "Try to pull my legs?".

Try to pull my legs?

The worm copies itself to the Windows folder as a randomly named lowercase executable (e.g. jlfsm.exe) and adds an entry under HKLM\Software\Microsoft\Windows\CurrentVersion\Run so that it is run again at system restart.

The worm also changes the entries in the registry at:

HKCR\exefile\shell\open\command
HKCR\regfile\shell\open\command
HKCR\comfile\shell\open\command
HKCR\batfile\shell\open\command
HKCR\piffile\shell\open\command
HKCR\scrfile\shell\open\command
HKCR\scrfile\shell\config\command

so that the worm is launched whenever an EXE, COM, PIF, BAT or SCR file is run, and so that opening a REG file displays a false error message instead of importing it (e.g. "Error occurred Memory access violation in module kernel32 at <number>:<number>").

Error occurred Memory access violation in module kernel32 at <number>:<number>

The worm also sets several registry entries to mark its installation, to record the KaZaA infection, and to prevent REGEDIT.EXE from running.
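
A triage check for the registry changes listed above, added here as an example; it is not Sophos code and not part of the worm description. It parses a REGEDIT 5.00 export taken from the suspect host so the analysis can be done from a clean machine. The expected default commands (assumed to be the Windows XP values), the sample export and the helper names are this example's own assumptions.

```python
"""Offline triage of the registry changes the description attributes to
W32/Gibe-F: the hijacked shell\\open\\command handlers and the Run entry
that starts the randomly named lowercase executable.

Added example, not Sophos code. Reads a REGEDIT 5.00 export (made on the
suspect host with `reg export HKCR\\exefile exefile.reg`, or REGEDIT's
File > Export). Expected defaults are an assumption (Windows XP values);
the sample export is constructed to mirror the behaviour described.
"""
import re
from typing import Dict, List, Tuple

# Keys the description lists, with the stock default command (assumed: Windows XP).
EXPECTED_COMMANDS = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\batfile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\piffile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\scrfile\shell\open\command": '"%1" /S',
    r"HKEY_CLASSES_ROOT\scrfile\shell\config\command": '"%1"',
    r"HKEY_CLASSES_ROOT\regfile\shell\open\command": 'regedit.exe "%1"',
}
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
# name=data line: name is @ (the default value) or a quoted string; only string data is parsed.
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')
# A bare letters-only .exe launched straight from the Windows folder (e.g. jlfsm.exe).
_RUN_RE = re.compile(r'^"?[a-z]:\\(?:windows|winnt)\\([a-z]+)\.exe"?(?:\s|$)', re.IGNORECASE)


def _unescape(literal: str) -> str:
    """Undo the .reg escaping of backslash and double quote."""
    return re.sub(r"\\(.)", r"\1", literal)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the string values of a .reg export into {key (lowercased): {name: data}}.
    '@' holds the default value; hex:/dword: values are skipped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()       # registry key names are case-insensitive
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            keys[current][name] = _unescape(m.group(2)[1:-1])
    return keys


def hijacked_handlers(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(key, expected, actual) for every handler whose default command differs from
    the stock value. Keys absent from the export are not reported, so export all
    seven keys before trusting an empty result."""
    findings = []
    for key, expected in EXPECTED_COMMANDS.items():
        actual = keys.get(key.lower(), {}).get("@")
        if actual is not None and actual != expected:
            findings.append((key, expected, actual))
    return findings


def suspicious_run_entries(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run values matching the description's naming pattern: an all-lowercase,
    letters-only .exe in the Windows folder root. Review these by hand."""
    findings = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        m = _RUN_RE.match(data)
        if m and m.group(1).isalpha() and m.group(1).islower():
            findings.append((name, data))
    return findings


def triage(export_text: str) -> Dict[str, list]:
    keys = parse_reg_export(export_text)
    return {"hijacked": hijacked_handlers(keys), "run": suspicious_run_entries(keys)}


# Constructed sample export: one hijacked exefile handler, one hijacked regfile
# handler, one untouched comfile handler, and a worm-style Run entry.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"jlfsm"="C:\\WINDOWS\\jlfsm.exe"
"ExampleTray"="\"C:\\Program Files\\Example\\tray.exe\" /start"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\jlfsm.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="C:\\WINDOWS\\jlfsm.exe \"%1\""
'''

if __name__ == "__main__":
    report = triage(SAMPLE_EXPORT)
    for key, expected, actual in report["hijacked"]:
        print(f"HIJACKED {key}\n  expected: {expected}\n  actual:   {actual}")
    for name, data in report["run"]:
        print(f"SUSPICIOUS RUN ENTRY {name} = {data}")
```

Fix the handlers before removing the worm's executable: while exefile points at jlfsm.exe, deleting that file leaves the system unable to launch any .exe at all, which is why the removal instructions linked above should be followed rather than deleting the file by hand.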

W32/Gibe-F may also create a file called SWEN1.DAT in the Windows folder containing a list of several IP addresses and domain names which may be NNTP servers.

W32/Gibe-F may also attempt to exploit a vulnerability in Microsoft's software that allows an attachment to execute automatically while the email is merely being viewed. Microsoft issued a patch for this vulnerability in 2001; it is available from www.microsoft.com/technet/security/bulletin/MS01-027.asp. (That cumulative patch fixes a number of vulnerabilities in Microsoft's software, including the one exploited by this worm.) Note that the patch only prevents the automatic execution: a patched system is still infected if the user opens the attachment by hand.

Emails constructed by the worm have the following characteristics:

From: may be the bona fide victim's name or may be randomly constructed from the following

unknown
Microsoft
Support
Assistance
Services
Bulletin
Customer
Public
Technical
Center
Department
Section
Division
Security
Network
Internet
Program
Corporation
Microsoft
MS
Domain
Server
Receiver
Recipient
Client
Receiver
Recipient
Puremail
America
Netmail
Freemail
Bigfoot
Rocketmail
Routine
Program
Daemon
Automat
Engine
Service
Mailer
master
System
Service
Delivery
Storage
Message
Email
Postmaster
Administrator

and

bulletin
confidence
advisor
updates
technet
support,
newsletters
ms
msn
microsoft
msdn
.com
.net

(e.g. MS Support Department <random>@support.microsoft.com)

To: randomly constructed from the following

User
Client
Consumer
Partner
Customer
Commercial
Corporation
Microsoft
MS

Subject line: randomly constructed from the following

Corp.
Corporation
comes
which
Internet Explorer
Windows
update
package
correction
corrective
security
critical
internet
important
these
Install
Apply
Watch
Take a look at
Look at
Try on
Taste
Prove
Check out
Check
Upgrade
Update
Critical
Latest
Newest
Current
M$
MS
from
comes
came
which
this
that
these
the
See
Watch
Use
Apply

Message text: randomly constructed from the following

MS
Microsoft
Customer,
this is the latest version of security update, the
, Cumulative Patch update which
This update includes the functionality
of all previously released patches.
computer
system
on your
executable
to run
malicious user
attacker
the most serious of which could
allow an
from these vulnerabilities
maintain the security of your computer
protect your computer
continue keeping your computer secure
Install now to
vulnerabilities
newly discovered
as well as three
all known security vulnerabilities affecting
MS Internet Explorer, MS Outlook and MS Outlook Express
eliminates
resolves

The attached file (EXE, COM, PIF, BAT, SCR or ZIP) may have a randomly generated name, or a name randomly chosen from the following:

PATCH
UPDATE
UPGRADE
INSTALL

Alternatively, W32/Gibe-F may attempt to mimic a mail delivery failure message. The subject line and message text will then be constructed from the following

Message follows:
mail
message
Undelivered
Undeliverable
to one or more destinations.
to the following addresses:
the message returned below could not be delivered
I wasn't able to deliver your message
I'm afraid
I'm sorry to have to inform you that
I'm sorry
This is the qmail program
Hi.
Notice
Report
Announcement
Advice
Letter
Failure
Abort
Error
Bug
User unknown
Mailer
Sender
Returned To
Message
Mail
Returned
SUBJECT:
domain
server
home
mx
your
user
receiver
recipient
client
Receiver
Recipient
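
The two message formats above lend themselves to a mail-gateway rule. The following is an added example, not Sophos code and not anything the worm contains: it scores a raw message against the word lists on this page and flags the combination that matters, an executable or ZIP attachment alongside a Microsoft-patch lure or a fake delivery-failure report. The indicator names, the two-token thresholds and the three sample messages are constructed for the example.

```python
"""Mail-gateway indicators for the two W32/Gibe-F message formats described
on this page (fake Microsoft patch, fake delivery-failure report).

Added example, not Sophos code. Word lists are drawn from the description;
indicator names, thresholds and the sample messages are this example's own.
"""
import email
import email.policy
import email.utils
import re
from email.message import EmailMessage
from typing import List

# Attachment types the description lists for the worm's payload.
DANGEROUS_EXT = {"exe", "com", "pif", "bat", "scr", "zip"}
LURE_STEMS = {"patch", "update", "upgrade", "install"}
# Domain fragments the worm builds fake From addresses from.
MS_DOMAIN_TOKENS = ("microsoft", "msn", "msdn", "technet")
# Display-name words from the From list; two or more in one name is the generator's signature.
SENDER_WORDS = {"microsoft", "ms", "support", "assistance", "services", "bulletin",
                "customer", "technical", "center", "department", "security", "network",
                "internet", "program", "corporation", "server", "client", "daemon",
                "engine", "service", "mailer", "system", "delivery", "storage",
                "message", "email", "postmaster", "administrator"}
SUBJECT_WORDS = {"update", "upgrade", "patch", "package", "correction", "corrective",
                 "security", "critical", "windows", "ms", "m$"}
SUBJECT_PHRASES = ("internet explorer",)
BODY_PHRASES = ("cumulative patch", "previously released patches", "malicious user",
                "install now", "all known security vulnerabilities")
BOUNCE_PHRASES = ("undelivered", "undeliverable", "returned", "could not be delivered",
                  "wasn't able to deliver", "user unknown", "qmail program")


def _tokens(text: str) -> set:
    return set(re.findall(r"[a-z$]+", text.lower()))


def indicators(raw: str) -> List[str]:
    """Return the Gibe-F style indicators present in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    found: List[str] = []
    display, addr = email.utils.parseaddr(str(msg.get("From", "")))
    subject = str(msg.get("Subject", "")).lower()
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part else ""

    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    execs = [n for n in names if "." in n and n.rsplit(".", 1)[1].lower() in DANGEROUS_EXT]
    if execs:
        found.append("executable-attachment")
        if any(n.rsplit(".", 1)[0].lower() in LURE_STEMS for n in execs):
            found.append("patch-named-attachment")
    domain = addr.rsplit("@", 1)[-1].lower()
    if any(t in domain for t in MS_DOMAIN_TOKENS):
        found.append("claims-microsoft-sender")
    if len(_tokens(display) & SENDER_WORDS) >= 2:
        found.append("generated-display-name")
    hits = len(_tokens(subject) & SUBJECT_WORDS) + sum(p in subject for p in SUBJECT_PHRASES)
    if hits >= 2:
        found.append("patch-lure-subject")
    if any(p in body for p in BODY_PHRASES):
        found.append("patch-lure-body")
    # A genuine non-delivery report never carries an executable or archive.
    if execs and any(p in subject or p in body for p in BOUNCE_PHRASES):
        found.append("bounce-with-executable")
    return found


def is_swen_like(raw: str) -> bool:
    """Block rule: executable attachment plus at least one lure indicator."""
    found = indicators(raw)
    return "executable-attachment" in found and len(found) >= 2


def build_sample(sender: str, subject: str, body: str, attachment: str = "") -> str:
    """Construct a raw message for testing (constructed input, not a capture)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "Customer <user@example.invalid>"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_string()


# Constructed samples following the shapes the page describes (the random local part is made up).
SAMPLE_PATCH_LURE = build_sample(
    "MS Support Department <qwpkc@support.microsoft.com>",
    "Latest Internet Explorer Critical Update",
    "MS Customer, this is the latest version of security update, the Cumulative "
    "Patch update which eliminates all known security vulnerabilities affecting "
    "MS Internet Explorer, MS Outlook and MS Outlook Express. Install now to "
    "maintain the security of your computer.",
    "UPDATE.EXE")
SAMPLE_BOUNCE = build_sample(
    "Mail Delivery System <postmaster@example.invalid>",
    "Undeliverable mail: User unknown",
    "Hi. This is the qmail program. I'm sorry to have to inform you that the "
    "message returned below could not be delivered. Message follows:",
    "message.zip")
SAMPLE_BENIGN = build_sample(
    "Alice <alice@example.invalid>", "Lunch on Thursday?", "Shall we meet at noon?")

if __name__ == "__main__":
    for label, raw in (("patch lure", SAMPLE_PATCH_LURE), ("fake bounce", SAMPLE_BOUNCE),
                       ("benign", SAMPLE_BENIGN)):
        print(f"{label}: {indicators(raw)} -> block={is_swen_like(raw)}")
```

The attachment is the strongest signal: Microsoft does not distribute security updates as email attachments, and a genuine non-delivery report quotes the original message as text rather than attaching an executable or archive. A gateway that already strips EXE, COM, PIF, BAT and SCR attachments needs only the ZIP and bounce cases from this rule.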

W32/Gibe-F copies itself to the KaZaA shared folder and to the Windows folder under various EXE or ZIP filenames randomly constructed from the following (e.g. "WINZIP UPLOAD.EXE"):

Virus Generator
Magic Mushrooms Growing
Cooking with Cannabis
Hallucinogenic Screensaver
My naked sister
XXX Pictures
Sick Joke
XXX Video
XP update
Emulator PS2
XboX Emulator
HardPorn
Jenna Jameson
Hotmail hacker
Yahoo hacker
AOL hacker
fixtool
cleaner
removal tool
remover
Sircam
Bugbear
installer
upload
hacked
key generator
Windows Media Player
GetRight FTP
Download Accelerator
Winamp
WinZip
WinRar
KaZaA media desktop
Kazaa Lite

W32/Gibe-F attempts to terminate various processes related to anti-virus or security software (e.g. sweep95, zonealarm and blackice).
