 |
 |
>Subject: Virus alert (W32.Gibe@mm)] > >Just for information > >A new e-mail worm has been discovered and is spreading very >quickly. > >The worm arrives as an attachment to email that appears to be from >Microsoft Corporation Security Center (it is not really from Microsoft >at all). > >VIRUS ALERT! - W32.Gibe@mm > >There is a new email worm threat which appears to come from Microsoft! >W32.Gibe@mm is a worm that uses Microsoft Outlook and its own SMTP >engine to spread. This worm arrives in an email message--which is >disguised as a Microsoft Internet Security Update-- >as the attachment Q216309.exe. > >The fake message, which is not from Microsoft, has the following >characteristics: > >From: Microsoft Corporation Security Center >Subject: Internet Security Update >Message: >Microsoft Customer, >this is the latest version of security update, the update which >eliminates >all known security vulnerabilities affecting Internet Explorer and >MS Outlook/Express as well as six new vulnerabilities >. >. >. >How to install >Run attached file q216309.exe >How to use >You don't need to do anything after installing this item. >. >. >. >Attachment: Q216309.exe > >The attached file, Q216309.exe, is written in Visual Basic; it contains >other worm components inside itself. When the attached file is >executed, it does the following: > >It creates the following files: > >\Windows\Q216309.exe (122,880 bytes). >\Windows\Vtnmsccd.dll (122,880 bytes). >\Windows\BcTool.exe (32,768 bytes). >\Windows\GfxAcc.exe (20,480 bytes). >\Windows\02_N803.dat (size varies). >\Windows\WinNetw.exe (20,480 bytes). > >Next, the worm then adds the following values: > >LoadDBackUp C:\Windows\BcTool.exe >3Dfx Acc C:\Windows\GFXACC.exe > >to the registry key > >HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run >The worm also creates the key > >HKEY_LOCAL_MACHINE\Software\AVTech\Settings > >and adds the following values to that key: > >Installed ... by Begbie >Default Address >Default Server > >Finally, BcTool.exe attempts to send the \Windows\Q216309.exe file to >email addresses in the Microsoft Outlook address book, and to addresses >that it found in .htm, .html, .asp, and .php files and wrote to the >02_N803.dat file. > >WHAT TO DO IF YOU ARE INFECTED??? > >For Norton Antivirus users: >http:[log in to unmask] >l > >For McAfee Antivirus users: >http://vil.mcafee.com/dispVirus.asp?virus_k=99377 > >==^================================================================ >This email was sent to: [log in to unmask] > >EASY UNSUBSCRIBE click here: http://topica.com/u/?a2iSP4.a2ngGr >Or send an email to: [log in to unmask] > >T O P I C A -- Register now to manage your mail! >http://www.topica.com/partner/tag02/register >==^================================================================