W32.Gibe.C@mm


Discovered: March 16, 2003
Updated: February 13, 2007 11:44:28 AM
Also Known As: W32.HLLW.Begbie@mm, I-Worm.Gibe.d [KAV]
Type: Worm
Systems Affected: Windows
CVE References: CVE-2001-0154



W32.Gibe.C@mm is a variant of W32.Gibe.B@mm. The worm attempts to spread through email, KaZaA, and IRC. It uses Microsoft Outlook to email itself to all the contacts in the Windows Address Book. W32.Gibe.C@mm displays a message titled "Microsoft Internet Update Pack" if the computer has already been infected with this worm.

The email message has a randomly chosen subject, body, and attachment name; the attachment has either a .exe or a .zip file extension. W32.Gibe.C@mm may also post itself to certain newsgroups, whose URLs are carried inside the worm.

This threat is written in Microsoft Visual Basic (VB). The VB run-time libraries must be installed on the computer to execute.

NOTE: Definitions dated prior to March 19th, 2003 may detect this threat as W32.HLLW.Begbie@mm.

Antivirus Protection Dates

  • Initial Rapid Release version March 17, 2003
  • Latest Rapid Release version March 17, 2003
  • Initial Daily Certified version March 17, 2003
  • Latest Daily Certified version March 17, 2003
  • Initial Weekly Certified release date March 19, 2003


Writeup By: Robert X Wang



The differences between W32.Gibe.C@mm and W32.Gibe.B@mm are that W32.Gibe.C@mm:

  1. Displays the following message and then quits, if the computer has already been infected with W32.Gibe.C@mm:
  2. Attempts to compress itself as the following file, if W32.Gibe.C@mm finds WinRAR or WinZIP:

    %Windir%\<random.name>.zip

    NOTE: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt).
  3. Displays a random fake message and asks you to choose Yes or No to continue.

    NOTE: Regardless of whether you choose Yes or No, the worm will always infect the computer.
  4. Attempts to terminate several specified processes, including some security products, system utilities, and so on.
  5. Copies itself to the %Temp%\<random.name> folder as one of the following filenames, with a .exe extension:
    • IEPatch
    • KaZaA upload
    • Porn
    • Sex
    • Xbox Emulator
    • PS2 Emulator
    • XP update
    • XXX Video
    • Sick Joke
    • Free X
    • My naked sister
    • Hallucinogenic Screensaver
    • Cooking with Cannabis
    • Magic Mushrooms Growing
    • Worm_Gibe.C Cleaner
    • ICQ upgrade
    • KaZaA spyware patch
    • BillGates
    • WinZip
    • Download Accelerator
    • Hackers Guide
    • Psycho

      NOTE: %Temp% is a variable. The worm locates the temporary folder and copies itself to a subfolder in that location. If the worm finds WinRAR or WinZIP, it will attempt to compress itself as one of the aforementioned filenames with a .zip extension.

  6. Copies itself as:
    • %Windir%\<random.name>.exe
    • %Windir%\<random.name>.dll

  7. Inserts the following file onto the system:

    %Windir%\<random.name>.exe

    NOTE: This file is the pure viral body. The file size is about 96 KB.
  8. Inserts the following data files onto the system:
    • %Windir%\Swen.lst
    • %Temp%\Searched.lst

      NOTE: These files are pure data files, and therefore Symantec security products do not detect them. Remove these files manually.

  9. Adds the value:

    <random.name> %windir%\<random.name>.exe

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  10. Sets the default value of the following registry keys:

    HKEY_CLASSES_ROOT\exefile\shell\open\command\
    HKEY_CLASSES_ROOT\comfile\shell\open\command\
    HKEY_CLASSES_ROOT\batfile\shell\open\command\
    HKEY_CLASSES_ROOT\piffile\shell\open\command\

    to:

    "%Windir%\<random.name>.exe" %1 %*
  11. Sets the default value of the registry key:

    HKEY_CLASSES_ROOT\regfile\shell\open\command\

    to:

    "%windir%\<random.name>.exe" failure
  12. Sets the default value of the registry key:

    HKEY_CLASSES_ROOT\scrfile\shell\open\command\

    to:

    "%Windir%\<random.name>.exe" %1 /S
  13. Creates a subkey with a random name in the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\

    and adds several entries in that location.
  14. Disables several specified programs, such as Regedit.exe. Instead of running them, the worm displays the following fake message and then quits.

    Exception

    Following error occured:
    Memory access violation in module kernel32 at %random.memory.address%

    NOTE: %random.memory.address% is a variable; it is one of the following strings:

    0167:0faffd9c
    0167:bff7a138
    0167:0ab38e9f
    0167:e12c93ff
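
The handler rewrites in items 10 to 12 are what make the worm start whenever any program is launched, and they are the reason removal is hard once it has run. The check below, an added example that is not part of the Symantec writeup, parses an exported .reg file and reports every shell\open\command handler whose launched program is not the stock one. The stock handlers (every file class launches the file itself, "%1", and .reg files hand off to regedit.exe) and the random worm name qxrtzp.exe in the sample export are assumptions, not values from the writeup.

```python
import re

# Stock Windows handlers (assumption, not taken from the writeup): each file
# class launches the file itself ("%1"); .reg files are passed to regedit.exe.
STOCK_PROGRAM = {
    "exefile": "%1", "comfile": "%1", "batfile": "%1",
    "piffile": "%1", "scrfile": "%1", "regfile": "regedit.exe",
}
KEY_RE = re.compile(r"^\[HKEY_CLASSES_ROOT\\(\w+)\\shell\\open\\command\]$", re.I)
VALUE_RE = re.compile(r'^@="(.*)"$')          # default value of the current key

# Constructed .reg export: three handlers rewritten the way items 10-12 describe
# (the worm name qxrtzp.exe is a made-up placeholder), comfile left untouched.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\qxrtzp.exe\" %1 %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="\"C:\\WINDOWS\\qxrtzp.exe\" failure"

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"C:\\WINDOWS\\qxrtzp.exe\" %1 /S"
'''

def unescape_reg(s):
    """Undo .reg string escaping: a backslash quotes the next character."""
    return re.sub(r"\\(.)", r"\1", s)

def first_program(command):
    """Program a handler launches: its first quoted or whitespace-delimited token."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', command)
    return (m.group(1) or m.group(2)) if m else ""

def find_hijacked_handlers(reg_text):
    """Return {file_class: command} for handlers that launch a non-stock program."""
    hijacked, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()      # e.g. "exefile"
            continue
        val = VALUE_RE.match(line)
        if current in STOCK_PROGRAM and val:
            command = unescape_reg(val.group(1))
            if first_program(command).lower() != STOCK_PROGRAM[current].lower():
                hijacked[current] = command
            current = None
    return hijacked

if __name__ == "__main__":
    for cls, cmd in find_hijacked_handlers(SAMPLE_REG).items():
        print(f"{cls}: {cmd}")
```

Run it against an export taken with `regedit /e` from a suspect machine; an empty result means the six file classes still launch their stock programs.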

For more information, refer to the W32.Gibe.B@mm writeup.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.



The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

The process you follow to remove W32.Gibe.C@mm depends on whether the worm has actually executed on your computer.

Executed
If W32.Gibe.C@mm, or W32.HLLW.Begbie@mm, has already executed on your computer, removal can be very difficult. When this worm runs, it modifies all the registry keys that control the running of the executable files. As a result, when you try to run any program, including an antivirus program or the registry editor, the worm runs as well. This will effectively prevent you from removing the worm.

In this situation, you can do one of the following:

  • Re-install the operating system. This is the easiest solution in most cases.
  • Edit the .reg files from DOS (Windows 95/98/Me only). This is extremely complex and should only be attempted by individuals with an expert level of DOS knowledge. You may want to obtain the services of a computer consultant if you decide to use this method.

Not executed
If W32.Gibe.C@mm, or W32.HLLW.Begbie@mm, has not yet executed, and the Symantec antivirus product detects it when received by email, or when the worm attempts to run, delete it. Then, run a full system scan to make sure that no malicious files remain.
