Date: Thu, 21 Aug 2003 21:36:06 -0400 (EDT)
From: BCPL.NET SysAdmin
To: BCPL.NET News
Subject: BCPL.NET NEWS: Gibe Worm Masquerades As Microsoft Update

------------------------------------------------------
VIRUS ALERT: GIBE WORM MASQUERADES AS MICROSOFT UPDATE
------------------------------------------------------

The Gibe Worm first appeared in March 2002. Several new versions have
appeared since then, but the most recent was back in March 2003, so it
is an old virus by most standards. However, we have seen a big
resurgence of Gibe activity in recent days, hence this alert.

The Gibe Worm infects PCs running all versions of the Microsoft Windows
operating system. It does not infect Macintosh or UNIX computers.

Gibe spreads primarily in the form of an infected file attached to
e-mail that is formatted to mimic a Security Update message from
Microsoft Corporation.

Microsoft Corporation does provide e-mail notification of new patches
and updates to customers who subscribe to its notification service.
However, Microsoft does not distribute the actual patches and updates
via e-mail. Any e-mail containing a file attachment claiming to be a
Microsoft patch or update is NOT from Microsoft. For Microsoft's
official statement on this see:

   http://www.microsoft.com/technet/security/policy/swdist.asp

If you receive e-mail that appears to be from Microsoft with a file
attachment disguised as a security patch or update, delete the message
and do not open the file attachment!

The e-mail carrying the Gibe-infected file attachment is in the
following format:

Subject: Varies, but will imply that the message is about a security
   update from Microsoft.

From Address: Varies, but will imply that the message is from Microsoft.
Message Text: Varies, but is always similar to the following example:

   MS Corporation Consumer

   this is the latest version of security update, the "August 2003,
   Cumulative Patch" update which eliminates all known security
   vulnerabilities affecting Internet Explorer, Outlook and Outlook
   Express as well as five newly discovered vulnerabilities. Install
   now to protect your computer from these vulnerabilities, the most
   serious of which could allow an attacker to run executable on your
   system. This update includes the functionality of all previously
   released patches.

   (The message goes on to provide system requirements for the patch,
   installation instructions, links to security-related topics on the
   Microsoft web site, and a Microsoft copyright notice.)

File Attachment: The filename varies, but in every example we have
   seen the filename extension is .exe or .EXE.

IF YOU RECEIVE E-MAIL MATCHING THE ABOVE DESCRIPTION, DELETE IT.
DO NOT OPEN THE FILE ATTACHMENT!

How The Gibe Worm Spreads
-------------------------

Via E-Mail: The primary method used by the Gibe Worm to spread itself
to other PCs is infected e-mail, as described above.

Via Network: Recent versions of the Gibe Worm also spread across local
networks and the Internet via open network shares.

Via IRC: Recent versions of the Gibe Worm can also spread via Internet
Relay Chat when the mIRC client is started up on an infected PC.
The filenames spread via IRC are:

   - IEPatch.exe
   - KaZaA upload.exe
   - Porn.exe
   - Sex.exe
   - XboX Emulator.exe
   - PS2 Emulator.exe
   - XP update.exe
   - XXX Video.exe
   - Sick Joke.exe
   - Free XXX Pictures.exe
   - My naked sister.exe
   - Hallucinogenic Screensaver.exe
   - Cooking with Cannabis.exe
   - Magic Mushrooms Growing.exe
   - I-Worm_Give Cleaner.exe
   - Worm_Gibe.C Cleaner.exe
   - ICQ upgrade.exe
   - KaZaA spyware patch.exe
   - BillGates.exe
   - WinZip.exe
   - Download Accelerator.exe
   - Hackers Guide.exe
   - Psycho.exe

Via KaZaA: If the infected PC has KaZaA file sharing enabled, recent
versions of the Gibe Worm make multiple copies of itself in the shared
file folder using some or all of the filenames listed above. It also
creates a new KaZaA shared folder, via the registry, that points to a
folder created in the Windows TEMP (%Temp%) directory. This folder
uses a random name and contains some or all of the filenames listed
above.

How To Protect Your PC Against Gibe Worm Infection
--------------------------------------------------

o If you receive e-mail matching the above description, delete it.
  DO NOT open the file attachment.

o If you have your PC configured for file sharing, review the security
  settings for all shared volumes. Allow access only from trusted PCs.

o If you participate in IRC, do not accept files with the names listed
  above.

o If you use KaZaA peer-to-peer file sharing, do not download files
  with the names listed above.

o If you have anti-virus software on your PC, *and* it is configured
  to scan incoming e-mail for viruses, *and* it is configured to scan
  all file downloads, *and* its virus description database is up to
  date enough to know about the Gibe Worm, then it will stop Gibe
  before it can infect your PC. We recommend that you update your
  virus description database at least once a week, although, given
  the rate at which new PC viruses appear, once a day would be even
  better.
  If you do not keep your virus description database up to date, then
  your anti-virus software is virtually useless.

o In the final analysis you are your own best defence against virus
  infection. All it takes is a bit of common sense. If you receive a
  message containing a file attachment, DO NOT open the attachment
  unless ALL of the following are true:

     - The sender is known to you.
     - You are expecting a file attachment from that person.
     - The sender clearly identifies the nature of the file attachment
       in the text of the message.

  If any one of those three statements is not true, delete the
  message. DO NOT open the file attachment. When in doubt, get in
  touch with the apparent sender to confirm that he/she actually sent
  the file attachment.

o If you are offered a file download, be very suspicious of it unless
  you know the file's source and are able to verify that it is
  virus-free.

How To Remove The Gibe Worm From An Infected PC
-----------------------------------------------

If you have anti-virus software on your PC, update its virus
description database and then run a scan of your entire hard disk.
Check your anti-virus software vendor's Web site for specific
instructions on removing a Gibe Worm infection.

If you don't have anti-virus software, we strongly recommend that you
install some. The two most popular anti-virus programs are McAfee
VirusScan from Network Associates (www.mcafee.com) and Norton
AntiVirus from Symantec (www.symantec.com), but there are many others.

Once you install anti-virus software, keep it up to date. Anti-virus
programs all have some sort of built-in updater function that
downloads the latest virus information from the vendor's Web site. You
should run the updater at least once a week. Otherwise your anti-virus
software will not be able to identify and block new viruses.
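The lure format described above (a From/Subject implying a Microsoft security update plus an .exe attachment) and the IRC/KaZaA filename list, turned into a mail-filter check that a gateway or help desk could run over suspect messages. This is an added example, not part of the BCPL.NET alert; the hint word lists, the sender addresses and the sample message are constructed assumptions.

```python
"""Added example, not part of the BCPL.NET alert: a mail-filter check that
applies the alert's rule that any e-mail carrying an attachment which
claims to be a Microsoft patch or update is not from Microsoft."""
import email
from email import policy

# Words the alert says the lure's From/Subject use to imply Microsoft and a
# security update; the hint lists themselves are assumptions, not from the alert.
MICROSOFT_HINTS = ("microsoft", "ms corporation")
UPDATE_HINTS = ("security update", "cumulative patch", "patch", "update")

# Attachment names the alert lists for Gibe's spread via IRC and KaZaA.
GIBE_FILENAMES = {n.lower() for n in (
    "IEPatch.exe", "KaZaA upload.exe", "Porn.exe", "Sex.exe",
    "XboX Emulator.exe", "PS2 Emulator.exe", "XP update.exe", "XXX Video.exe",
    "Sick Joke.exe", "Free XXX Pictures.exe", "My naked sister.exe",
    "Hallucinogenic Screensaver.exe", "Cooking with Cannabis.exe",
    "Magic Mushrooms Growing.exe", "I-Worm_Give Cleaner.exe",
    "Worm_Gibe.C Cleaner.exe", "ICQ upgrade.exe", "KaZaA spyware patch.exe",
    "BillGates.exe", "WinZip.exe", "Download Accelerator.exe",
    "Hackers Guide.exe", "Psycho.exe")}

def gibe_reasons(raw):
    """Return the reasons a raw RFC 822 message matches the alert's description
    of the Gibe lure; an empty list means it does not match."""
    msg = email.message_from_string(raw, policy=policy.default)
    header = f"{msg.get('From', '')} {msg.get('Subject', '')}".lower()
    poses_as_update = any(h in header for h in MICROSOFT_HINTS + UPDATE_HINTS)
    reasons = []
    for part in msg.walk():  # every MIME part, including a single-part body
        name = part.get_filename()
        if not name:
            continue
        if name.lower().endswith(".exe") and poses_as_update:
            reasons.append(f"executable {name!r} in a message posing as a "
                           "Microsoft update")
        if name.lower() in GIBE_FILENAMES:
            reasons.append(f"attachment {name!r} is a name Gibe uses on IRC/KaZaA")
    return reasons

# Constructed sample lure (not a real capture) in the format the alert describes.
LURE = """From: MS Corporation Security Center <updates@example.invalid>
Subject: August 2003 Cumulative Patch
Content-Type: application/octet-stream; name="security_patch.exe"
Content-Disposition: attachment; filename="security_patch.exe"

MZ...
"""
```

Calling gibe_reasons(LURE) returns one reason for the sample; a genuine Microsoft notification, which the alert says carries no attachment, returns none.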
More Information About The Gibe Worm
------------------------------------

The following URLs will take you to detailed information about Gibe
on several well-known anti-virus Web sites:

   http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=99377
   http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100088
   http://securityresponse.symantec.com/avcenter/venc/data/w32.gibe@mm.html
   http://securityresponse.symantec.com/avcenter/venc/data/w32.gibe.b@mm.html
   http://securityresponse.symantec.com/avcenter/venc/data/w32.gibe.c@mm.html
   http://www.sophos.com/virusinfo/analyses/w32gibea.html
   http://www.sophos.com/virusinfo/analyses/w32gibed.html
   http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_GIBE.A
   http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_GIBE.B

-- 
BCPL.NET INTERNET SERVICES
320 York Road
Towson, MD 21204-5179
U.S.A.

CONTACTS:
---------
Web Site:                         http://www.bcpl.net
Administration & Policy:          ispadmin@bcpl.net    410-887-6180
Sales, Renewals, Account Status:  accounts@bcpl.net    410-887-4172
Technical Support (Help Desk):    help@bcpl.net        410-887-3297
Usenet News Newsgroup Requests:   news-admin@bcpl.net  410-887-6180
E-Mail & Newsgroup Abuse Reports: abuse@bcpl.net       410-887-6180
Domain Name Service Issues:       dnsadmin@bcpl.net    410-887-6180
FAX:                              410-887-2091