The file that spreads via emails is a dropper. It is a 155-kilobyte file written in Visual Basic. It is a dropper that contains a few compressed files in its body.
When run, the dropper verifies if it is already installed. It checks the following Registry key:
\Internet Settings\Messenger Setup]
If it finds the following subkey and its value:
"Coded" = "... by Begbie"
then it shows the following messagebox and stops its installation.
Microsoft Internet Update Pack
This update does not need to be installed on this system.
If the dropper finds out that a computer is not infected yet, it shows the following licence agreement:
ALL MICROSOFT PRODUCTS AND RELATED DOCUMENTS ARE
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND!
Microsoft and/or its respective suppliers hereby disclaim all
warranties and conditions with regard to this information,
including all warranties and conditions of merchantability,
whether express, implied or statutory, fitness for a particular
purpose, title and non-infringement. Microsoft does not warrant
that the functions for the software or code will meet your
requirements, or that the operation of the software or code will
be uninterrupted or error-free, or that defects in the software
or code can be corrected.
Furthermore, Microsoft does not
warrant or make any representations regarding the use or the
results of the use of the software, code or related
documentation in terms of their correctness, accuracy,
reliability, or otherwise. No oral or written information or
advice given by Microsoft or its authorized representatives
shall create a warranty or in any way increase the scope of this
Should the software or code prove defective after
Microsoft has delivered the same, you, and you alone, shall
assume the entire cost associated with all necessary servicing,
repair or correction. In no event shall Microsoft and/or its
respective suppliers be liable for any special, indirect or
consequential damages or any damages whatsoever resulting from
loss of use, data or profits, whether in an action of contract,
negligence or other tortious action, arising out of or in
connection with the use or performance of software, documents,
provision of or failure to provide services, or information
available from the services.
Copyright c 2003 Microsoft Corporation, One Microsoft Way,
Redmond, Washington U.S.A. All rights reserved.
Then no matter what button a user clicked, the dropper copies itself to temporary folder with one of the following names and EXE extension:
Free XXX Pictures
My naked sister
Cooking with Cannabis
Magic Mushrooms Growing
The dropper locates Kazaa file sharing client and copies itself to its shared folders with the above listed names. The dropper tries to enable file sharing (if it was disabled) by modifying the special key in System Registry.
The dropper tries to infect computers via local network (LAN). It accesses network drives and tries to locate the following folders there:
If such folder is located, the dropper drops the file named WebLoader.exe to the following subfolder:
When a remote computer is restarted next time, it will become infected. Additionally the dropper tries to locate startup folders for users of NT-based operating systems. It looks for the following directories:
\Documents and Settings\All Users\Start menu\Programs\Startup
\Winnt\Profiles\All Users\Start menu\Programs\Startup
If such folders are found, the dropper copies itself there as WebLoader.exe. As a result, remote computers will be infected when they are restarted.
The dropper copies itself as GIBE.DLL to Windows folder on a local computer. It also copies itself to Windows folder with a randomly-generated name, for example P270904.EXE. The dropper creates MSWinsck.OCX file in Windows system folder. This file is a standard Visual Basic OCX component.
The worm dropper tries to spread via IRC. It locates and overwrites the SCRIPT.INI file of mIRC client with its own script that will send the worm's dropper located in a temporary folder to all users who join the same channel where an infected person is present.
The dropper creates its 3 additional components in Windows folder as DX3DRndr.exe, MSBugAdv.exe and WMSysDx.bin files. It creates a startup key for DX3DRndr.exe file in System Registry:
"DxLoad" = "%windir%\DX3DRndr.exe"
This file is the mass-mailing component of the worm. It sends the worm's dropper to all found email addresses.
The worm locates email addresses by searching inside MailViews.db file and Windows Address Book file. Also the worm tries to look for emails in newsgroups. It reads newsgroup messages and gets sender's email addresses from them. The worm checks email messages for the following substrings:
If the above mentioned substring is found, the worm does not use that email address. The worm stores all found email addresses in MSErr.bak file that is located in Windows folder.
The worm randomly composes the sender's name, address, subject, part of the message body and headers from different parts that are hardcoded in the worm's body. The subject is composed from the following parts:
Latest New Last Newest
Internet Microsoft Network
Pack Update Patch
For example it can be: 'Internet Security Pack'.
The sender's name is composed from the following parts:
MS Microsoft Corporation
Center Department Section Division
Customer Public Technical
Support Assistance Services
For example it can be 'Microsoft Public Support'. In some cases the worm can compose the subject from the following parts:
FW: FWD: RE:
Check Check out
Prove Taste Try Look at
Take a look at
this these the that
update patch pack
For example it can be: 'FW: Check this security update which came from Microsoft'.
The sender's email is composed from a few random letters and numbers followed by domain name composed from the following parts:
newsletters support technet updates advisor
msdn microsoft ms msn
For example it can be: 'email@example.com'.
The message body has plain text and HTML variants. The worm checks current month and year and inserts it into the message body. The plain text message looks like that:
this is the latest version of security update, the
"February 2003, Cumulative Patch" update which eliminates all
known security vulnerabilities affecting Internet Explorer,
Outlook and Outlook Express as well as five newly discovered
vulnerabilities. Install now to protect your computer from these
vulnerabilities, the most serious of which could allow an attacker to
run executable on your system. This update includes the functionality
of all previously released patches.
This update applies to:
Microsoft Internet Explorer, version 4.01 and later
Microsoft Outlook, version 8.00 and later
Microsoft Outlook Express, version 4.01 and later
Customers should install the patch at the earliest opportunity.
How to install:
Run attached file. Click Yes on displayed dialog box.
How to use:
You don't need to do anything after installing this item.
Microsoft Technical Support is available at
For security-related information about Microsoft products,
please visit the Microsoft Security Advisor web site at
Contact us at
Please do not reply to this message. It was sent from an unmonitored
email address and we are unable to respond to any replies.
Thank you for using Microsoft products.
With friendly greetings,
Microsoft Public Support
=c2003 Microsoft Corporation. All rights reserved. The names of =
the actual companies and products mentioned herein =
may be the trademarks of their respective owners.
The worm's HTML message looks like that:
The worm can also generate fake bounced email messages. The worm can insert IFrame exploit code into its infected message to make it start on recepient's computer automatically, however only older unpatched versions of Internet Explorer and Outlook will be affected.
In some cases the worm can add the following string:
--- Outgoing mail is certified Virus Free. Checked by anti-virus system (http://www..com Release Date:
In the <name> field the worm can put one of the following:
Outgoing mail is certified Virus Free.
anti-virus system (http://www..com
The worm is attached to the infected message as an EXE file with a semi-randomly generated name. The name can start with 'Patch', 'Update', 'q' or 'p' followed by 3 or more digits. For example this name can be PATCH368 or Q382381.exe.
The worm tries to send infected messages through SMTP servers listed in its WMSynDx.bin file.
The worm has some additional functionalities. It tries to access the 'ww2.fce.vutbr.cz' website to increment some counter. This can be counter for infected computers. Also the worm runs the dropped MSBugAdv.exe file with 'suck' command line option.
If the MSBugAdv file run without 'suck' command line, it tries to open Microsoft's website support section in default webbrowser. Otherwise the file remains active in Windows memory as a service process.
To disinfect a system from Gibe worm it's enough to remove all infected files from a hard disk.