The file that spreads via e-mails is a dropper. It is a
155-kilobyte file written in Visual Basic. It is a dropper that
contains a few compressed files in its body.
When run, the dropper verifies if it is already installed. It
checks the following Registry key:
\Internet Settings\Messenger Setup]
If it finds the following subkey and its value:
"Coded" = "... by Begbie"
then it shows the following messagebox and stops its
Microsoft Internet Update Pack
This update does not need to be installed on this system.
If the dropper finds out that a computer is not infected yet, it
shows the following licence agreement:
ALL MICROSOFT PRODUCTS AND RELATED DOCUMENTS ARE
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND!
Microsoft and/or its respective suppliers hereby disclaim all
warranties and conditions with regard to this information,
including all warranties and conditions of merchantability,
whether express, implied or statutory, fitness for a particular
purpose, title and non-infringement. Microsoft does not warrant
that the functions for the software or code will meet your
requirements, or that the operation of the software or code will
be uninterrupted or error-free, or that defects in the software
or code can be corrected. Furthermore, Microsoft does not
warrant or make any representations regarding the use or the
results of the use of the software, code or related
documentation in terms of their correctness, accuracy,
reliability, or otherwise. No oral or written information or
advice given by Microsoft or its authorized representatives
shall create a warranty or in any way increase the scope of this
warranty. Should the software or code prove defective after
Microsoft has delivered the same, you, and you alone, shall
assume the entire cost associated with all necessary servicing,
repair or correction. In no event shall Microsoft and/or its
respective suppliers be liable for any special, indirect or
consequential damages or any damages whatsoever resulting from
loss of use, data or profits, whether in an action of contract,
negligence or other tortious action, arising out of or in
connection with the use or performance of software, documents,
provision of or failure to provide services, or information
available from the services.
Copyright c 2003 Microsoft Corporation, One Microsoft Way,
Redmond, Washington U.S.A. All rights reserved.
Then no matter what button a user clicked, the dropper copies
itself to temporary folder with one of the following names and
Free XXX Pictures
My naked sister
Cooking with Cannabis
Magic Mushrooms Growing
The dropper locates Kazaa file sharing client and copies itself
to its shared folders with the above listed names. The dropper
tries to enable file sharing (if it was disabled) by modifying
the special key in System Registry.
The dropper tries to infect computers via local network (LAN). It
accesses network drives and tries to locate the following folders
If such folder is located, the dropper drops the file named
WebLoader.exe to the following subfolder:
When a remote computer is restarted next time, it will become
infected. Additionally the dropper tries to locate startup
folders for users of NT-based operating systems. It looks for the
\Documents and Settings\All Users\Start menu\Programs\Startup
\Winnt\Profiles\All Users\Start menu\Programs\Startup
If such folders are found, the dropper copies itself there as
WebLoader.exe. As a result, remote computers will be infected
when they are restarted.
The dropper copies itself as GIBE.DLL to Windows folder on a
local computer. It also copies itself to Windows folder with a
randomly-generated name, for example P270904.EXE. The dropper
creates MSWinsck.OCX file in Windows system folder. This file is
a standard Visual Basic OCX component.
The worm dropper tries to spread via IRC. It locates and
overwrites the SCRIPT.INI file of mIRC client with its own script
that will send the worm's dropper located in a temporary folder
to all users who join the same channel where an infected person
The dropper creates its 3 additional components in Windows folder
as DX3DRndr.exe, MSBugAdv.exe and WMSysDx.bin files. It creates a
startup key for DX3DRndr.exe file in System Registry:
"DxLoad" = "%windir%\DX3DRndr.exe"
This file is the mass-mailing component of the worm. It sends the
worm's dropper to all found e-mail addresses.
The worm locates e-mail addresses by searching inside
MailViews.db file and Windows Address Book file. Also the worm
tries to look for e-mails in newsgroups. It reads newsgroup
messages and gets sender's e-mail addresses from them. The worm
checks e-mail messages for the following substrings:
If the above mentioned substring is found, the worm does not use
that e-mail address. The worm stores all found e-mail addresses
in MSErr.bak file that is located in Windows folder.
The worm randomly composes the sender's name, address, subject,
part of the message body and headers from different parts that
are hardcoded in the worm's body. The subject is composed from
the following parts:
Latest New Last Newest
Internet Microsoft Network
Pack Update Patch
For example it can be: 'Internet Security Pack'.
The sender's name is composed from the following parts:
MS Microsoft Corporation
Center Department Section Division
Customer Public Technical
Support Assistance Services
For example it can be 'Microsoft Public Support'. In some cases
the worm can compose the subject from the following parts:
FW: FWD: RE:
Check Check out Prove Taste Try Look at Take a look at Look at See Watch
this these the that
update patch pack
Microsoft M$ Corporation
For example it can be: 'FW: Check this security update which came
The sender's e-mail is composed from a few random letters and
numbers followed by domain name composed from the following
newsletters support technet updates advisor
msdn microsoft ms msn
For example it can be: 'email@example.com'.
The message body has plain text and HTML variants. The worm
checks current month and year and inserts it into the message
body. The plain text message looks like that:
this is the latest version of security update, the
"February 2003, Cumulative Patch" update which eliminates all
known security vulnerabilities affecting Internet Explorer,
Outlook and Outlook Express as well as five newly discovered
vulnerabilities. Install now to protect your computer from these
vulnerabilities, the most serious of which could allow an attacker to
run executable on your system. This update includes the functionality
of all previously released patches.
This update applies to:
Microsoft Internet Explorer, version 4.01 and later
Microsoft Outlook, version 8.00 and later
Microsoft Outlook Express, version 4.01 and later
Customers should install the patch at the earliest opportunity.
How to install:
Run attached file. Click Yes on displayed dialog box.
How to use:
You don't need to do anything after installing this item.
Microsoft Technical Support is available at
For security-related information about Microsoft products,
please visit the Microsoft Security Advisor web site at
Contact us at
Please do not reply to this message. It was sent from an unmonitored
e-mail address and we are unable to respond to any replies.
Thank you for using Microsoft products.
With friendly greetings,
Microsoft Public Support
=c2003 Microsoft Corporation. All rights reserved. The names of =
the actual companies and products mentioned herein =
may be the trademarks of their respective owners.
The worm's HTML message looks like that:
The worm can also generate fake bounced e-mail messages. The worm
can insert IFrame exploit code into its infected message to make
it start on recepient's computer automatically, however only
older unpatched versions of Internet Explorer and Outlook will be
In some cases the worm can add the following string:
Outgoing mail is certified Virus Free.
Checked by <name> anti-virus system (http://www.<name>.com
Release Date: <date>
In the <name> field the worm can put one of the following:
The worm is attached to the infected message as an EXE file with
a semi-randomly generated name. The name can start with 'Patch',
'Update', 'q' or 'p' followed by 3 or more digits. For example
this name can be PATCH368 or Q382381.exe.
The worm tries to send infected messages through SMTP servers
listed in its WMSynDx.bin file.
The worm has some additional functionalities. It tries to access
the 'ww2.fce.vutbr.cz' website to increment some counter. This
can be counter for infected computers. Also the worm runs the
dropped MSBugAdv.exe file with 'suck' command line option.
If the MSBugAdv file run without 'suck' command line, it tries to
open Microsoft's website support section in default webbrowser.
Otherwise the file remains active in Windows memory as a service
To disinfect a system from Gibe worm it's enough to remove all
infected files from a hard disk.
Detection for Gibe.b was added in the folowing updates:
[Analysis: Alexey Podrezov; F-Secure Corp; February 25th, 2003]