Gibe.b worm first appeared on 24th of February 2003. Is started to spread actively on 25th of February. The worm spreads itself via e-mail, IRC, local network and P2P (peer-to-peer) networks. The worm pretends to be an update from Microsoft when it spreads via e-mail.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
The file that spreads via e-mails is a dropper. It is a 155-kilobyte file written in Visual Basic. It is a dropper that contains a few compressed files in its body.
When run, the dropper verifies if it is already installed. It checks the following Registry key:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion \Internet Settings\Messenger Setup]
If it finds the following subkey and its value:
"Coded" = "... by Begbie"
then it shows the following messagebox and stops its installation.
Microsoft Internet Update Pack This update does not need to be installed on this system.
If the dropper finds out that a computer is not infected yet, it shows the following licence agreement:
ALL MICROSOFT PRODUCTS AND RELATED DOCUMENTS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND! Microsoft and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all warranties and conditions of merchantability, whether express, implied or statutory, fitness for a particular purpose, title and non-infringement. Microsoft does not warrant that the functions for the software or code will meet your requirements, or that the operation of the software or code will be uninterrupted or error-free, or that defects in the software or code can be corrected. Furthermore, Microsoft does not warrant or make any representations regarding the use or the results of the use of the software, code or related documentation in terms of their correctness, accuracy, reliability, or otherwise. No oral or written information or advice given by Microsoft or its authorized representatives shall create a warranty or in any way increase the scope of this warranty. Should the software or code prove defective after Microsoft has delivered the same, you, and you alone, shall assume the entire cost associated with all necessary servicing, repair or correction. In no event shall Microsoft and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of software, documents, provision of or failure to provide services, or information available from the services. COPYRIGHT NOTICE. Copyright c 2003 Microsoft Corporation, One Microsoft Way, Redmond, Washington U.S.A. All rights reserved.
Then no matter what button a user clicked, the dropper copies itself to temporary folder with one of the following names and EXE extension:
IEPatch KaZaA upload Porn Sex XboX Emulator PS2 Emulator XP update XXX Video Sick Joke Free XXX Pictures My naked sister Hallucinogenic Screensaver Cooking with Cannabis Magic Mushrooms Growing I-Worm_Gibe Cleaner
The dropper locates Kazaa file sharing client and copies itself to its shared folders with the above listed names. The dropper tries to enable file sharing (if it was disabled) by modifying the special key in System Registry.
The dropper tries to infect computers via local network (LAN). It accesses network drives and tries to locate the following folders there:
Windows WinMe Win95 Win98
If such folder is located, the dropper drops the file named WebLoader.exe to the following subfolder:
When a remote computer is restarted next time, it will become infected. Additionally the dropper tries to locate startup folders for users of NT-based operating systems. It looks for the following directories:
\Documents and Settings\All Users\Start menu\Programs\Startup \Winnt\Profiles\All Users\Start menu\Programs\Startup
If such folders are found, the dropper copies itself there as WebLoader.exe. As a result, remote computers will be infected when they are restarted.
The dropper copies itself as GIBE.DLL to Windows folder on a local computer. It also copies itself to Windows folder with a randomly-generated name, for example P270904.EXE. The dropper creates MSWinsck.OCX file in Windows system folder. This file is a standard Visual Basic OCX component.
The worm dropper tries to spread via IRC. It locates and overwrites the SCRIPT.INI file of mIRC client with its own script that will send the worm's dropper located in a temporary folder to all users who join the same channel where an infected person is present.
The dropper creates its 3 additional components in Windows folder as DX3DRndr.exe, MSBugAdv.exe and WMSysDx.bin files. It creates a startup key for DX3DRndr.exe file in System Registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "DxLoad" = "%windir%\DX3DRndr.exe"
This file is the mass-mailing component of the worm. It sends the worm's dropper to all found e-mail addresses.
The worm locates e-mail addresses by searching inside MailViews.db file and Windows Address Book file. Also the worm tries to look for e-mails in newsgroups. It reads newsgroup messages and gets sender's e-mail addresses from them. The worm checks e-mail messages for the following substrings:
noemail noaddress no.email no.address none spam
If the above mentioned substring is found, the worm does not use that e-mail address. The worm stores all found e-mail addresses in MSErr.bak file that is located in Windows folder.
The worm randomly composes the sender's name, address, subject, part of the message body and headers from different parts that are hardcoded in the worm's body. The subject is composed from the following parts:
Latest New Last Newest Internet Microsoft Network Security Pack Update Patch
For example it can be: 'Internet Security Pack'.
The sender's name is composed from the following parts:
MS Microsoft Corporation Network Internet Security Center Department Section Division Customer Public Technical Support Assistance Services
For example it can be 'Microsoft Public Support'. In some cases the worm can compose the subject from the following parts:
FW: FWD: RE: Check Check out Prove Taste Try Look at Take a look at Look at See Watch this these the that correction security update patch pack which came comes from the Microsoft M$ Corporation
For example it can be: 'FW: Check this security update which came from Microsoft'.
The sender's e-mail is composed from a few random letters and numbers followed by domain name composed from the following parts:
newsletters support technet updates advisor msdn microsoft ms msn com net
For example it can be: 'firstname.lastname@example.org'.
The message body has plain text and HTML variants. The worm checks current month and year and inserts it into the message body. The plain text message looks like that:
Microsoft Customer this is the latest version of security update, the "February 2003, Cumulative Patch" update which eliminates all known security vulnerabilities affecting Internet Explorer, Outlook and Outlook Express as well as five newly discovered vulnerabilities. Install now to protect your computer from these vulnerabilities, the most serious of which could allow an attacker to run executable on your system. This update includes the functionality of all previously released patches. System requirements: Win 9x/Me/2000/NT/XP This update applies to: Microsoft Internet Explorer, version 4.01 and later Microsoft Outlook, version 8.00 and later Microsoft Outlook Express, version 4.01 and later Recommendation: Customers should install the patch at the earliest opportunity. How to install: Run attached file. Click Yes on displayed dialog box. How to use: You don't need to do anything after installing this item. Microsoft Technical Support is available at http://support.microsoft.com/ For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security Contact us at http://www.microsoft.com/isapi/goregwiz.asp?target=3D/contactus/= contactus.asp Please do not reply to this message. It was sent from an unmonitored e-mail address and we are unable to respond to any replies. Thank you for using Microsoft products. With friendly greetings, Microsoft Public Support ________________________________________ =c2003 Microsoft Corporation. All rights reserved. The names of = the actual companies and products mentioned herein = may be the trademarks of their respective owners.
The worm's HTML message looks like that:
The worm can also generate fake bounced e-mail messages. The worm can insert IFrame exploit code into its infected message to make it start on recepient's computer automatically, however only older unpatched versions of Internet Explorer and Outlook will be affected.
In some cases the worm can add the following string:
--- Outgoing mail is certified Virus Free. Checked by <name> anti-virus system (http://www.<name>.com Release Date: <date>
In the <name> field the worm can put one of the following:
TrendMicro F-Secure Symantec Kaspersky NOD32 McAfee Sophos DrWeb32
The worm is attached to the infected message as an EXE file with a semi-randomly generated name. The name can start with 'Patch', 'Update', 'q' or 'p' followed by 3 or more digits. For example this name can be PATCH368 or Q382381.exe.
The worm tries to send infected messages through SMTP servers listed in its WMSynDx.bin file.
The worm has some additional functionalities. It tries to access the 'ww2.fce.vutbr.cz' website to increment some counter. This can be counter for infected computers. Also the worm runs the dropped MSBugAdv.exe file with 'suck' command line option.
If the MSBugAdv file run without 'suck' command line, it tries to open Microsoft's website support section in default webbrowser. Otherwise the file remains active in Windows memory as a service process.
To disinfect a system from Gibe worm it's enough to remove all infected files from a hard disk.
Detection for Gibe.b was added in the folowing updates:
Detection Type: PC
Technical Details: Alexey Podrezov; F-Secure Corp; February 25th, 2003