The file that spreads via e-mail is a dropper: a 167-kilobyte
file written in Visual Basic that contains a few compressed files
in its body.
Description
Technically the .D variant is not much different from the .B
variant of the worm. You can find the description of the .B
variant here:
http://www.europe.f-secure.com/v-descs/gibe_b.shtml
There are a few differences compared to earlier versions:
1. The dropper now uses a randomly generated key name to hold its
settings:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\<random_name>]
2. The dropper has an extended list of names that it uses to drop
itself to Kazaa shared folders:
IEPatch
KaZaA upload
Porn
Sex
XboX Emulator
PS2 Emulator
XP update
XXX Video
Sick Joke
Free XXX Pictures
My naked sister
Hallucinogenic Screensaver
Cooking with Cannabis
Magic Mushrooms Growing
Worm_Gibe.C Cleaner
ICQ upgrade
KaZaA spyware patch
BillGates
WinZip
Download Accelerator
Hackers Guide
Psycho
3. The dropper copies itself as xx.DLL (where 'xx' are random
characters) to the Windows folder on the local computer. It also
copies itself to the Windows folder with a randomly generated
name, for example UPDATE263.EXE.
4. The dropper creates the main worm component with a random name
(for example FEBKI.EXE) in the Windows folder and changes the
startup key for EXE, BAT, COM, PIF, REG and SCR files so that
this file is loaded every time a user runs files with those
extensions. The dropper also creates a startup key for this file
in the Registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"random_name" = "%windir%\<random_name>
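
A check for the two persistence points in item 4, run over a registry export. This is an added example, not part of the original description: the HKEY_CLASSES_ROOT class keys and their stock open-command values are assumed from standard Windows defaults, and the sample export is constructed.

```python
import re
# Stock open-command values (assumption: standard Windows defaults, not from the page).
DEFAULT_OPEN = {
    "exefile": '"%1" %*', "batfile": '"%1" %*', "comfile": '"%1" %*',
    "piffile": '"%1" %*', "regfile": 'regedit.exe "%1"', "scrfile": '"%1" /S',
}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
HANDLER = re.compile(r"hkey_classes_root\\(\w+)\\shell\\open\\command$")
# An .exe sitting directly in the Windows folder, not in a subdirectory.
IN_WINDIR = re.compile(r'^"?(%windir%|[a-z]:\\win(dows|nt))\\[^\\"]+\.exe', re.I)

def parse_reg(text):
    """Parse regedit-export text into {lowercased key: {value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            name, data = (part.strip() for part in line.split("=", 1))
            if len(data) > 1 and data[0] == data[-1] == '"':  # unescape REG_SZ
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            current[name.strip('"')] = data
    return keys

def audit(text):
    """Return (kind, name, command) findings for the two persistence points."""
    findings = []
    for key, values in parse_reg(text).items():
        m = HANDLER.match(key)
        if m and m.group(1) in DEFAULT_OPEN:
            cmd = values.get("@", "")
            if cmd.lower() != DEFAULT_OPEN[m.group(1)].lower():
                findings.append(("handler", m.group(1), cmd))
        elif key == RUN_KEY:
            findings += [("run", n, c) for n, c in values.items() if IN_WINDIR.match(c)]
    return findings

# Constructed sample export; FEBKI.EXE is the example name used in the description.
SAMPLE = r'''
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\FEBKI.EXE \"%1\" %*"
[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" /S"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"FEBKI"="C:\\WINDOWS\\FEBKI.EXE"
"Tray"="C:\\Program Files\\Vendor\\tray.exe"
'''
print(audit(SAMPLE))
```

Because the file names are random, the check keys on where the command points rather than on a name; "run" findings are candidates for review, since legitimate software can also start from the Windows folder.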