Summary

Gibe.b worm first appeared on 24th of February 2003. Is started to spread actively on 25th of February. The worm spreads itself via e-mail, IRC, local network and P2P (peer-to-peer) networks. The worm pretends to be an update from Microsoft when it spreads via e-mail.

Additional Details

The file that spreads via e-mails is a dropper. It is a 155-kilobyte file written in Visual Basic. It is a dropper that contains a few compressed files in its body.

When run, the dropper verifies if it is already installed. It checks the following Registry key:

 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
  \Internet Settings\Messenger Setup]

If it finds the following subkey and its value:

 "Coded" = "... by Begbie"

then it shows the following messagebox and stops its installation.

 Microsoft Internet Update Pack
 This update does not need to be installed on this system.

If the dropper finds out that a computer is not infected yet, it shows the following licence agreement:

 ALL MICROSOFT PRODUCTS AND RELATED DOCUMENTS ARE
 PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND!

 Microsoft and/or its respective suppliers hereby disclaim all
 warranties and conditions with regard to this information,
 including all warranties and conditions of merchantability,
 whether express, implied or statutory, fitness for a particular
 purpose, title and non-infringement. Microsoft does not warrant
 that the functions for the software or code will meet your
 requirements, or that the operation of the software or code will
 be uninterrupted or error-free, or that defects in the software
 or code can be corrected.  Furthermore, Microsoft does not
 warrant or make any representations regarding the use or the
 results of the use of the software, code or related
 documentation in terms of their correctness, accuracy,
 reliability, or otherwise. No oral or written information or
 advice given by Microsoft or its authorized representatives
 shall create a warranty or in any way increase the scope of this
 warranty.  Should the software or code prove defective after
 Microsoft has delivered the same, you, and you alone, shall
 assume the entire cost associated with all necessary servicing,
 repair or correction. In no event shall Microsoft and/or its
 respective suppliers be liable for any special, indirect or
 consequential damages or any damages whatsoever resulting from
 loss of use, data or profits, whether in an action of contract,
 negligence or other tortious action, arising out of or in
 connection with the use or performance of software, documents,
 provision of or failure to provide services, or information
 available from the services.

 COPYRIGHT NOTICE.
 Copyright c 2003 Microsoft Corporation, One Microsoft Way,
 Redmond, Washington U.S.A. All rights reserved.

Then no matter what button a user clicked, the dropper copies itself to temporary folder with one of the following names and EXE extension:

 IEPatch
 KaZaA upload
 Porn
 Sex
 XboX Emulator
 PS2 Emulator
 XP update
 XXX Video
 Sick Joke
 Free XXX Pictures
 My naked sister
 Hallucinogenic Screensaver
 Cooking with Cannabis
 Magic Mushrooms Growing
 I-Worm_Gibe Cleaner

The dropper locates Kazaa file sharing client and copies itself to its shared folders with the above listed names. The dropper tries to enable file sharing (if it was disabled) by modifying the special key in System Registry.

The dropper tries to infect computers via local network (LAN). It accesses network drives and tries to locate the following folders there:

 Windows
 WinMe
 Win95
 Win98

If such folder is located, the dropper drops the file named WebLoader.exe to the following subfolder:

 \Start menu\Programs\Startup

When a remote computer is restarted next time, it will become infected. Additionally the dropper tries to locate startup folders for users of NT-based operating systems. It looks for the following directories:

 \Documents and Settings\All Users\Start menu\Programs\Startup
 \Winnt\Profiles\All Users\Start menu\Programs\Startup

If such folders are found, the dropper copies itself there as WebLoader.exe. As a result, remote computers will be infected when they are restarted.

The dropper copies itself as GIBE.DLL to Windows folder on a local computer. It also copies itself to Windows folder with a randomly-generated name, for example P270904.EXE. The dropper creates MSWinsck.OCX file in Windows system folder. This file is a standard Visual Basic OCX component.

The worm dropper tries to spread via IRC. It locates and overwrites the SCRIPT.INI file of mIRC client with its own script that will send the worm's dropper located in a temporary folder to all users who join the same channel where an infected person is present.

The dropper creates its 3 additional components in Windows folder as DX3DRndr.exe, MSBugAdv.exe and WMSysDx.bin files. It creates a startup key for DX3DRndr.exe file in System Registry:

 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
 "DxLoad" = "%windir%\DX3DRndr.exe"

This file is the mass-mailing component of the worm. It sends the worm's dropper to all found e-mail addresses.

The worm locates e-mail addresses by searching inside MailViews.db file and Windows Address Book file. Also the worm tries to look for e-mails in newsgroups. It reads newsgroup messages and gets sender's e-mail addresses from them. The worm checks e-mail messages for the following substrings:

 noemail
 noaddress
 no.email
 no.address
 none
 spam

If the above mentioned substring is found, the worm does not use that e-mail address. The worm stores all found e-mail addresses in MSErr.bak file that is located in Windows folder.

The worm randomly composes the sender's name, address, subject, part of the message body and headers from different parts that are hardcoded in the worm's body. The subject is composed from the following parts:

 Latest New Last Newest
 Internet Microsoft Network
 Security
 Pack Update Patch

For example it can be: 'Internet Security Pack'.

The sender's name is composed from the following parts:

 MS Microsoft Corporation
 Network Internet
 Security
 Center Department Section Division
 Customer Public Technical
 Support Assistance Services

For example it can be 'Microsoft Public Support'. In some cases the worm can compose the subject from the following parts:

 FW: FWD: RE:
 Check Check out  Prove Taste Try Look at  Take a look at  Look at  See Watch
 this these the that
 correction security
 update patch pack
 which
 came comes
 from
 the
 Microsoft  M$ Corporation

For example it can be: 'FW: Check this security update which came from Microsoft'.

The sender's e-mail is composed from a few random letters and numbers followed by domain name composed from the following parts:

 newsletters support technet updates advisor
 msdn microsoft ms msn
 com net

For example it can be: 'codwmbitj_186377@newsletters.microsoft.com'.

The message body has plain text and HTML variants. The worm checks current month and year and inserts it into the message body. The plain text message looks like that:

 Microsoft Customer

 this is the latest version of security update, the
 "February 2003, Cumulative Patch" update which eliminates all
 known security vulnerabilities affecting Internet Explorer,
 Outlook and Outlook Express as well as five newly discovered
 vulnerabilities. Install now to protect your computer from these
 vulnerabilities, the most serious of which could allow an attacker to
 run executable on your system. This update includes the functionality
 of all previously released patches.

 System requirements:
 Win 9x/Me/2000/NT/XP

 This update applies to:
 Microsoft Internet Explorer, version 4.01 and later
 Microsoft Outlook, version 8.00 and later
 Microsoft Outlook Express, version 4.01 and later

 Recommendation:
 Customers should install the patch at the earliest opportunity.

 How to install:
 Run attached file. Click Yes on displayed dialog box.

 How to use:
 You don't need to do anything after installing this item.

 Microsoft Technical Support is available at
 http://support.microsoft.com/

 For security-related information about Microsoft products,
 please visit the Microsoft Security Advisor web site at
 http://www.microsoft.com/security

 Contact us at
 http://www.microsoft.com/isapi/goregwiz.asp?target=3D/contactus/=
 contactus.asp

 Please do not reply to this message. It was sent from an unmonitored
 e-mail address and we are unable to respond to any replies.

 Thank you for using Microsoft products.

 With friendly greetings,
 Microsoft Public Support
 ________________________________________
 =c2003 Microsoft Corporation. All rights reserved. The names of =
 the actual companies and products mentioned herein =
 may be the trademarks of their respective owners.

The worm's HTML message looks like that:



The worm can also generate fake bounced e-mail messages. The worm can insert IFrame exploit code into its infected message to make it start on recepient's computer automatically, however only older unpatched versions of Internet Explorer and Outlook will be affected.

In some cases the worm can add the following string:

 ---
 Outgoing mail is certified Virus Free.
 Checked by <name> anti-virus system (http://www.<name>.com
 Release Date: <date>

In the <name> field the worm can put one of the following:

 TrendMicro
 F-Secure
 Symantec
 Kaspersky
 NOD32
 McAfee
 Sophos
 DrWeb32

The worm is attached to the infected message as an EXE file with a semi-randomly generated name. The name can start with 'Patch', 'Update', 'q' or 'p' followed by 3 or more digits. For example this name can be PATCH368 or Q382381.exe.

The worm tries to send infected messages through SMTP servers listed in its WMSynDx.bin file.

The worm has some additional functionalities. It tries to access the 'ww2.fce.vutbr.cz' website to increment some counter. This can be counter for infected computers. Also the worm runs the dropped MSBugAdv.exe file with 'suck' command line option.

If the MSBugAdv file run without 'suck' command line, it tries to open Microsoft's website support section in default webbrowser. Otherwise the file remains active in Windows memory as a service process.

To disinfect a system from Gibe worm it's enough to remove all infected files from a hard disk.

Detection

Detection for Gibe.b was added in the folowing updates:

[FSAV_Database_Version]

Version=2003-02-24_04

[Analysis: Alexey Podrezov; F-Secure Corp; February 25th, 2003]