1. /
  2. Security Response/
  3. W32.Gibe@mm

W32.Gibe@mm - Removal

Risk Level 2: Low

Discovered:
March 4, 2002
Updated:
February 13, 2007 11:50:21 AM
Also Known As:
W32/Gibe@mm, WORM_GIBE.A, W32/Gibe-A, I-Worm.Gibe, W32/Gibe.A@mm, Win32.Gibe.A, W32/Gibe@MM
Type:
Trojan Horse, Worm
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

The preferred way to remove this worm is to use the W32.Gibe@mm Removal Tool. If for any reason you cannot obtain the tool, you must remove the worm manually.

To remove this worm:
  1. Update your virus definitions.
  2. Restart the computer in Safe mode.
  3. Run a full system scan and delete files that are detected as W32.Gibe@mm, and then delete the 02_N803.dat file.
  4. Remove the key and values that the worm added to the registry.

NOTE: Windows Me and Windows XP users should turn off System Restore. This feature, which is enabled by default, is used by Windows Me/XP to restore files on your computer in case they become damaged. When a computer is infected with a virus, it is possible that the virus could be backed up by System Restore. By default, Windows prevents System Restore from being modified by outside programs. As a result, there is the possibility that you could accidentally restore a virus-infected file, or that on-line scanners would detect the virus in that location. For instructions on how to turn off System Restore, read your Windows documentation or one of the following articles:
To update virus definitions:
Obtain the most recent virus definitions. There are two ways to do this:
  • Run LiveUpdate. LiveUpdate is the easiest way to obtain virus definitions. These virus definitions have undergone full quality assurance testing by Symantec Security Response and are posted to the LiveUpdate servers one time each week (usually Wednesdays) unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, look at the Virus Definitions (LiveUpdate) line at the top of this write-up.
  • Download the definitions using the Intelligent Updater. Intelligent Updater virus definitions have undergone full quality assurance testing by Symantec Security Response. They are posted on U.S. business days (Monday through Friday). They must be downloaded from the Symantec Security Response Web site and installed manually. To determine whether definitions for this threat are available by the Intelligent Updater, look at the Virus Definitions (Intelligent Updater) line at the top of this write-up.

    Intelligent Updater virus definitions are available here. For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, click here.
To restart in Safe mode:
All Windows 32-bit operating systems except Windows NT can be restarted in Safe mode. Read the document for your operating system.
To delete the worm files:
  1. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
  2. Run a full system scan.
  3. Delete all files that are detected as W32.Gibe@mm.
  4. Using Windows Explorer, delete the \Windows\02_N803.dat file.

To edit the registry:

CAUTION: We strongly recommend that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to back up the Windows registry for instructions.
  1. Click Start, and click Run. The Run dialog box appears.
  2. Type regedit and then click OK. The Registry Editor opens.
  3. Navigate to the key

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  4. In the right pane, delete the following values:

    LoadDBackUp C:\Windows\BcTool.exe
    3Dfx Acc C:\Windows\GFXACC.exe

  5. Navigate to and delete the key

    HKEY_LOCAL_MACHINE\Software\AVTech
  6. Click Registry, and click Exit.


Writeup By: Gor Nazaryan

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
Internet Security Threat Report, Volume 17
Symantec DeepSight Screensaver