New Sophos IDE for Gibe-F

Dustin Baer dustin.baer at IHS.COM
Thu Sep 18 13:44:03 IST 2003


Our server has stopped a few exe files.  I sent a couple of them to
Sophos for examination.  They will be releasing it later today as
Gibe-F.

Here it is, if you want it earlier.

Dustin

-------- Original Message --------
Subject: Re: ** exe file for examination
Date: Thu, 18 Sep 2003 13:34:21 +0100
From: martin.elliott at sophos.com
Reply-To: support at sophos.com
To: dustin.baer at ihs.com


Hi Dustin

The files that you sent to us for analysis were infected with W32/Gibe-F. I
have attached a description and an IDE file that will allow Sophos to
detect this. I expect this to be posted on our web site a little later
today. Please do not hesitate to contact me if I can be of any further
assistance.

Regards

Martin Elliott
Sophos Technical Support

(See attached file: GibeF.ide)

W32/Gibe-F is a worm which spreads by emailing itself via its own SMTP
engine, by copying itself to the KaZaA peer-to-peer shared folder and via
IRC channels.

If the worm is run with a filename which starts with a P, Q, U or I (regardless
of case), W32/Gibe-F displays the following message:

"Microsoft Internet Update Pack
This update does not need to be installed on this system."

The worm then copies itself to the Windows folder as a randomly-named
lowercase EXE (e.g. jlfsm.exe) and adds an entry to the registry at

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

to run itself on system restart.

The worm also changes the entries in the registry at:

HKCR\exefile\shell\open\command
HKCR\regfile\shell\open\command
HKCR\comfile\shell\open\command
HKCR\batfile\shell\open\command
HKCR\pifile\shell\open\command
HKCR\scrfile\shell\open\command
HKCR\scrfile\shell\config\command

so that it is run before EXE, COM, PIF, BAT, SCR files and displays a false
error message when rendering REG files.

W32/Gibe-F copies itself to the KaZaA shared folder with various filenames
(e.g. "WINZIP UPLOAD.EXE").

W32/Gibe-F attempts to terminate various processes related to anti-virus or
security software (e.g. sweep, zonealarm and blackice).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: GibeF.ide
Type: application/octet-stream
Size: 441 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030918/3b8926c2/GibeF.obj
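As an added example (not Sophos' or MailScanner's code, and not part of the
original post), the Python below audits a Windows .reg export, such as the
output of "reg export HKCR\exefile exefile.reg", for the two persistence
mechanisms the description lists: the hijacked HKCR\...\shell\open\command
handlers, and a Run entry pointing at a randomly-named lowercase EXE in the
Windows folder. The expected handler strings are the Windows XP-era defaults,
the lowercase-name heuristic for Run entries is an assumption of this example,
and the sample export embedded in it is constructed, not a real capture.

```python
import re

# Added example (not Sophos or MailScanner code): audit a Windows .reg export
# for the two persistence tricks in the W32/Gibe-F description, namely the
# hijacked HKCR\*\shell\open\command handlers and a Run entry pointing at a
# randomly-named lowercase EXE in the Windows folder.

# Default handler strings as shipped on Windows XP-era systems for the file
# types named in the description. A hijacked key has something prepended
# (the worm's path) so the worm runs before the real program.
EXPECTED_HANDLERS = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\batfile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\piffile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\scrfile\shell\open\command": '"%1" /S',
    r"HKEY_CLASSES_ROOT\scrfile\shell\config\command": '"%1"',
    r"HKEY_CLASSES_ROOT\regfile\shell\open\command": 'regedit.exe "%1"',
}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Assumed heuristic for the "random lowercase name in the Windows folder"
# habit: a purely lowercase .exe sitting directly under WINDOWS or WINNT,
# minus a few Microsoft binaries that legitimately live there.
_RUN_TARGET = re.compile(r'^"?[A-Za-z]:\\(?i:windows|winnt)\\([a-z]+)\.exe"?(?:\s|$)')
_KNOWN_WINDIR_EXES = {"explorer", "notepad", "regedit", "hh"}

# One "name=value" line of a .reg file; "@" is the key's default value.
_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _decode_reg_string(raw):
    """Decode a quoted REG_SZ literal (backslash escapes); None for non-strings."""
    raw = raw.strip()
    if len(raw) < 2 or not (raw.startswith('"') and raw.endswith('"')):
        return None  # hex:, dword: and friends are not string values
    return re.sub(r"\\(.)", r"\1", raw[1:-1])


def parse_reg_export(text):
    """Return {lowercased key path: {value name: string}} for REG_SZ values."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _VALUE_LINE.match(line)
        if not m:
            continue
        name = "@" if m.group(1) == "@" else _decode_reg_string(m.group(1))
        value = _decode_reg_string(m.group(2))
        if value is not None:
            keys[current][name] = value
    return keys


def audit_reg_export(text):
    """Return (kind, where, value) findings; an empty list means nothing flagged."""
    keys = parse_reg_export(text)
    findings = []
    for path, expected in EXPECTED_HANDLERS.items():
        actual = keys.get(path.lower(), {}).get("@")
        if actual is not None and actual != expected:
            findings.append(("hijacked_handler", path, actual))
    for name, target in keys.get(RUN_KEY.lower(), {}).items():
        m = _RUN_TARGET.match(target)
        if m and m.group(1) not in _KNOWN_WINDIR_EXES:
            findings.append(("suspicious_run_entry", name, target))
    return findings


# Constructed sample export: two hijacked handlers, two intact ones, and a
# Run key with one worm-style entry next to a legitimate one.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\jlfsm.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="C:\\WINDOWS\\jlfsm.exe \"%1\""

[HKEY_CLASSES_ROOT\scrfile\shell\config\command]
@="\"%1\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"jlfsm"="C:\\WINDOWS\\jlfsm.exe"
"Synchronization Manager"="mobsync.exe /logon"
"""

if __name__ == "__main__":
    for kind, where, value in audit_reg_export(SAMPLE_EXPORT):
        print(f"{kind}: {where} -> {value}")
```

Real exports written by regedit 5.00 are UTF-16LE with a byte-order mark, so
open them with encoding="utf-16" before passing the text to
audit_reg_export(). Keys that are absent from the export are not reported,
so export all seven handler keys and the Run key to get full coverage.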


More information about the MailScanner mailing list