AUS-VIC-WESTERN-DISTRICT-L Archives
From: "Beryl OGorman" <>
Subject: [AUS-VIC-West] Yet another Virus Alert
Date: Thu, 7 Mar 2002 19:37:44 +1100
Microsoft Security Update - NOT!
(Please direct any Virus discussion to individuals, not to the List.)
Further information available from www.symantec.com
W32.Gibe@mm is a worm that uses Microsoft Outlook and its own SMTP engine to spread. This worm arrives in an email message--which is disguised as a Microsoft Internet Security Update--as the attachment Q216309.exe.
Also Known As: W32/Gibe@mm, WORM_GIBE.A, W32/Gibe-A
Sends to addresses found in the Microsoft Outlook Address Book and by searching .htm, .html, .asp, and .php files.
Compromises security settings: Installs a Backdoor Trojan which allows remote access to the infected system.
The fake message, which is not from Microsoft, has the following characteristics:
From: Microsoft Corporation Security Center
Subject: Internet Security Update
Message:
Microsoft Customer,
this is the latest version of security update, the update which eliminates all known security vulnerabilities affecting Internet Explorer and MS Outlook/Express as well as six new vulnerabilities
.
.
.
How to install
Run attached file q216309.exe
How to use
You don't need to do anything after installing this item.
.
.
.
Attachment: Q216309.exe
The attached file, Q216309.exe, is written in Visual Basic; it contains other worm components inside itself. When the attached file is executed, it does the following:
It creates the following files:
a.. \Windows\Q216309.exe (122,880 bytes). This is the whole package containing the worm.
b.. \Windows\Vtnmsccd.dll (122,880 bytes). This file is the same as Q216309.exe.
c.. \Windows\BcTool.exe (32,768 bytes). This is the worm component that spreads using Microsoft Outlook and SMTP.
d.. \Windows\GfxAcc.exe (20,480 bytes). This is the Backdoor Trojan component of the worm that opens port 12378.
e.. \Windows\02_N803.dat (size varies). This is the data file that the worm creates to store email addresses that it finds.
f.. \Windows\WinNetw.exe (20,480 bytes). This is the component that searches for email addresses and writes them to 02_N803.dat.
NOTE: Norton AntiVirus detects all of these files as W32.Gibe@mm except the 02_N803.dat file, which contains only data.
Beryl O'Gorman
Greensborough Victoria Australia
List Admin
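
The file names, sizes and port listed in the alert can be turned into a quick local check. The Python below is an added example, not part of the original message or of Symantec's write-up; the function names and the constructed test directory are assumptions, and a name or size match is only a hint that the machine needs a proper antivirus scan.

```python
import os
import socket
import tempfile

# File names and sizes from the alert (None = size varies). Lower-cased
# because Windows file names are case-insensitive.
GIBE_FILES = {
    "q216309.exe": 122880, "vtnmsccd.dll": 122880, "bctool.exe": 32768,
    "gfxacc.exe": 20480, "winnetw.exe": 20480, "02_n803.dat": None,
}
BACKDOOR_PORT = 12378  # opened by GfxAcc.exe according to the alert


def scan_windows_dir(windows_dir):
    """Return sorted (name, size, verdict) tuples for files named in the alert."""
    findings = []
    for entry in os.scandir(windows_dir):
        key = entry.name.lower()
        if not entry.is_file() or key not in GIBE_FILES:
            continue
        size, expected = entry.stat().st_size, GIBE_FILES[key]
        if expected is None:
            verdict = "data-file"      # address store, no fixed size
        elif size == expected:
            verdict = "name+size"      # strongest match the alert allows
        else:
            verdict = "name-only"      # same name, other size: inspect by hand
        findings.append((entry.name, size, verdict))
    return sorted(findings)


def backdoor_port_open(host="127.0.0.1", port=BACKDOOR_PORT, timeout=1.0):
    """True if something accepts TCP connections on the backdoor port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def demo():
    """Scan a constructed directory standing in for the Windows folder."""
    with tempfile.TemporaryDirectory() as d:
        for name, size in [("GfxAcc.exe", 20480), ("BCTOOL.EXE", 100),
                           ("02_N803.dat", 57), ("notepad.exe", 20480)]:
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"\0" * size)
        return scan_windows_dir(d)
```

On a real machine, call `scan_windows_dir` with the actual Windows directory path and `backdoor_port_open()` with its defaults.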