Print

Print


>Subject: Virus alert (W32.Gibe@mm)]
>
>Just for information
>
>A new e-mail worm has been discovered and is spreading very
>quickly.
>
>The worm arrives as an attachment to email that appears to be from
>Microsoft Corporation Security Center (it is not really from Microsoft
>at all).
>
>VIRUS ALERT! - W32.Gibe@mm >
>There is a new email worm threat which appears to come from Microsoft!
>W32.Gibe@mm is a worm that uses Microsoft Outlook and its own SMTP
>engine to spread. This worm arrives in an email message--which is
>disguised as a Microsoft Internet Security Update--
>as the attachment Q216309.exe.
>
>The fake message, which is not from Microsoft, has the following
>characteristics:
>
>From: Microsoft Corporation Security Center
>Subject: Internet Security Update
>Message:
>Microsoft Customer,
>this is the latest version of security update, the update which
>eliminates
>all known security vulnerabilities affecting Internet Explorer and
>MS Outlook/Express as well as six new vulnerabilities
>.
>.
>.
>How to install
>Run attached file q216309.exe
>How to use
>You don't need to do anything after installing this item.
>.
>.
>.
>Attachment: Q216309.exe
>
>The attached file, Q216309.exe, is written in Visual Basic; it contains

>other worm components inside itself. When the attached file is
>executed, it does the following:
>
>It creates the following files:
>
>\Windows\Q216309.exe (122,880 bytes).
>\Windows\Vtnmsccd.dll (122,880 bytes).
>\Windows\BcTool.exe (32,768 bytes).
>\Windows\GfxAcc.exe (20,480 bytes).
>\Windows\02_N803.dat (size varies).
>\Windows\WinNetw.exe (20,480 bytes).
>
>Next, the worm then adds the following values:
>
>LoadDBackUp C:\Windows\BcTool.exe
>3Dfx Acc C:\Windows\GFXACC.exe
>
>to the registry key
>
>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
>The worm also creates the key
>
>HKEY_LOCAL_MACHINE\Software\AVTech\Settings
>
>and adds the following values to that key:
>
>Installed ... by Begbie
>Default Address
>Default Server
>
>Finally, BcTool.exe attempts to send the \Windows\Q216309.exe file to
>email addresses in the Microsoft Outlook address book, and to addresses

>that it found in .htm, .html, .asp, and .php files and wrote to the
>02_N803.dat file.
>
>WHAT TO DO IF YOU ARE INFECTED???
>
>For Norton Antivirus users:
>http:[log in to unmask]
>l
>
>For McAfee Antivirus users:
>http://vil.mcafee.com/dispVirus.asp?virus_k=99377
>
>==^================================================================
>This email was sent to: [log in to unmask]
>
>EASY UNSUBSCRIBE click here: http://topica.com/u/?a2iSP4.a2ngGr
>Or send an email to: [log in to unmask]
>
>T O P I C A -- Register now to manage your mail!
>http://www.topica.com/partner/tag02/register
>==^================================================================