Threat description



Gibe.b worm first appeared on 24th of February 2003. Is started to spread actively on 25th of February. The worm spreads itself via e-mail, IRC, local network and P2P (peer-to-peer) networks. The worm pretends to be an update from Microsoft when it spreads via e-mail.


Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

The file that spreads via e-mails is a dropper. It is a 155-kilobyte file written in Visual Basic. It is a dropper that contains a few compressed files in its body.

When run, the dropper verifies if it is already installed. It checks the following Registry key:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion   \Internet Settings\Messenger Setup]  

If it finds the following subkey and its value:

"Coded" = "... by Begbie"  

then it shows the following messagebox and stops its installation.

Microsoft Internet Update Pack  This update does not need to be installed on this system.  

If the dropper finds out that a computer is not infected yet, it shows the following licence agreement:

ALL MICROSOFT PRODUCTS AND RELATED DOCUMENTS ARE  PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND!  Microsoft and/or its respective suppliers hereby disclaim all  warranties and conditions with regard to this information,  including all warranties and conditions of merchantability,  whether express, implied or statutory, fitness for a particular  purpose, title and non-infringement. Microsoft does not warrant  that the functions for the software or code will meet your  requirements, or that the operation of the software or code will  be uninterrupted or error-free, or that defects in the software  or code can be corrected.  Furthermore, Microsoft does not  warrant or make any representations regarding the use or the  results of the use of the software, code or related  documentation in terms of their correctness, accuracy,  reliability, or otherwise. No oral or written information or  advice given by Microsoft or its authorized representatives  shall create a warranty or in any way increase the scope of this  warranty.  Should the software or code prove defective after  Microsoft has delivered the same, you, and you alone, shall  assume the entire cost associated with all necessary servicing,  repair or correction. In no event shall Microsoft and/or its  respective suppliers be liable for any special, indirect or  consequential damages or any damages whatsoever resulting from  loss of use, data or profits, whether in an action of contract,  negligence or other tortious action, arising out of or in  connection with the use or performance of software, documents,  provision of or failure to provide services, or information  available from the services.  COPYRIGHT NOTICE.  Copyright c 2003 Microsoft Corporation, One Microsoft Way,  Redmond, Washington U.S.A. All rights reserved.  

Then no matter what button a user clicked, the dropper copies itself to temporary folder with one of the following names and EXE extension:

IEPatch  KaZaA upload  Porn  Sex  XboX Emulator  PS2 Emulator  XP update  XXX Video  Sick Joke  Free XXX Pictures  My naked sister  Hallucinogenic Screensaver  Cooking with Cannabis  Magic Mushrooms Growing  I-Worm_Gibe Cleaner  

The dropper locates Kazaa file sharing client and copies itself to its shared folders with the above listed names. The dropper tries to enable file sharing (if it was disabled) by modifying the special key in System Registry.

The dropper tries to infect computers via local network (LAN). It accesses network drives and tries to locate the following folders there:

Windows  WinMe  Win95  Win98  

If such folder is located, the dropper drops the file named WebLoader.exe to the following subfolder:

\Start menu\Programs\Startup  

When a remote computer is restarted next time, it will become infected. Additionally the dropper tries to locate startup folders for users of NT-based operating systems. It looks for the following directories:

\Documents and Settings\All Users\Start menu\Programs\Startup  \Winnt\Profiles\All Users\Start menu\Programs\Startup  

If such folders are found, the dropper copies itself there as WebLoader.exe. As a result, remote computers will be infected when they are restarted.

The dropper copies itself as GIBE.DLL to Windows folder on a local computer. It also copies itself to Windows folder with a randomly-generated name, for example P270904.EXE. The dropper creates MSWinsck.OCX file in Windows system folder. This file is a standard Visual Basic OCX component.

The worm dropper tries to spread via IRC. It locates and overwrites the SCRIPT.INI file of mIRC client with its own script that will send the worm's dropper located in a temporary folder to all users who join the same channel where an infected person is present.

The dropper creates its 3 additional components in Windows folder as DX3DRndr.exe, MSBugAdv.exe and WMSysDx.bin files. It creates a startup key for DX3DRndr.exe file in System Registry:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]  "DxLoad" = "%windir%\DX3DRndr.exe"  

This file is the mass-mailing component of the worm. It sends the worm's dropper to all found e-mail addresses.

The worm locates e-mail addresses by searching inside MailViews.db file and Windows Address Book file. Also the worm tries to look for e-mails in newsgroups. It reads newsgroup messages and gets sender's e-mail addresses from them. The worm checks e-mail messages for the following substrings:

noemail  noaddress  no.address  none  spam  

If the above mentioned substring is found, the worm does not use that e-mail address. The worm stores all found e-mail addresses in MSErr.bak file that is located in Windows folder.

The worm randomly composes the sender's name, address, subject, part of the message body and headers from different parts that are hardcoded in the worm's body. The subject is composed from the following parts:

Latest New Last Newest  Internet Microsoft Network  Security  Pack Update Patch  

For example it can be: 'Internet Security Pack'.

The sender's name is composed from the following parts:

MS Microsoft Corporation  Network Internet  Security  Center Department Section Division  Customer Public Technical  Support Assistance Services  

For example it can be 'Microsoft Public Support'. In some cases the worm can compose the subject from the following parts:

FW: FWD: RE:  Check Check out  Prove Taste Try Look at  Take a look at  Look at  See Watch  this these the that  correction security  update patch pack  which  came comes  from  the  Microsoft  M$ Corporation  

For example it can be: 'FW: Check this security update which came from Microsoft'.

The sender's e-mail is composed from a few random letters and numbers followed by domain name composed from the following parts:

newsletters support technet updates advisor  msdn microsoft ms msn  com net  

For example it can be: ''.

The message body has plain text and HTML variants. The worm checks current month and year and inserts it into the message body. The plain text message looks like that:

Microsoft Customer  this is the latest version of security update, the  "February 2003, Cumulative Patch" update which eliminates all  known security vulnerabilities affecting Internet Explorer,  Outlook and Outlook Express as well as five newly discovered  vulnerabilities. Install now to protect your computer from these  vulnerabilities, the most serious of which could allow an attacker to  run executable on your system. This update includes the functionality  of all previously released patches.  System requirements:  Win 9x/Me/2000/NT/XP  This update applies to:  Microsoft Internet Explorer, version 4.01 and later  Microsoft Outlook, version 8.00 and later  Microsoft Outlook Express, version 4.01 and later  Recommendation:  Customers should install the patch at the earliest opportunity.  How to install:  Run attached file. Click Yes on displayed dialog box.  How to use:  You don't need to do anything after installing this item.  Microsoft Technical Support is available at  For security-related information about Microsoft products,  please visit the Microsoft Security Advisor web site at  Contact us at  contactus.asp  Please do not reply to this message. It was sent from an unmonitored  e-mail address and we are unable to respond to any replies.  Thank you for using Microsoft products.  With friendly greetings,  Microsoft Public Support  ________________________________________  =c2003 Microsoft Corporation. All rights reserved. The names of =  the actual companies and products mentioned herein =  may be the trademarks of their respective owners.  

The worm's HTML message looks like that:

The worm can also generate fake bounced e-mail messages. The worm can insert IFrame exploit code into its infected message to make it start on recepient's computer automatically, however only older unpatched versions of Internet Explorer and Outlook will be affected.

In some cases the worm can add the following string:

---  Outgoing mail is certified Virus Free.  Checked by  anti-virus system (  Release Date:   

In the <name> field the worm can put one of the following:

TrendMicro  F-Secure  Symantec  Kaspersky  NOD32  McAfee  Sophos  DrWeb32  

The worm is attached to the infected message as an EXE file with a semi-randomly generated name. The name can start with 'Patch', 'Update', 'q' or 'p' followed by 3 or more digits. For example this name can be PATCH368 or Q382381.exe.

The worm tries to send infected messages through SMTP servers listed in its WMSynDx.bin file.

The worm has some additional functionalities. It tries to access the '' website to increment some counter. This can be counter for infected computers. Also the worm runs the dropped MSBugAdv.exe file with 'suck' command line option.

If the MSBugAdv file run without 'suck' command line, it tries to open Microsoft's website support section in default webbrowser. Otherwise the file remains active in Windows memory as a service process.

To disinfect a system from Gibe worm it's enough to remove all infected files from a hard disk.


Detection for Gibe.b was added in the folowing updates:

Detection Type: PC

Database: 2003-02-24_04

Submit a Sample

Suspect a file or URL was wrongly detected? Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info