New Sophos IDE for Gibe-F
Dustin Baer
dustin.baer at IHS.COM
Thu Sep 18 13:44:03 IST 2003
Our server has stopped a few exe files. I sent a couple of them to
Sophos for examination. They will be releasing it later today as
Gibe-F.
Here it is, if you want it earlier.
Dustin
-------- Original Message --------
Subject: Re: ** exe file for examination
Date: Thu, 18 Sep 2003 13:34:21 +0100
From: martin.elliott at sophos.com
Reply-To: support at sophos.com
To: dustin.baer at ihs.com
Hi Dustin
The file that you sent to us for analysis was infected with W32/Gibe-F. I have attached a description and an IDE file that will allow Sophos to detect this. I expect this to be posted on our web site a little later today. Please do not hesitate to contact me if I can be of any further assistance.
Regards
Martin Elliott
Sophos Technical Support
(See attached file: GibeF.ide)
W32/Gibe-F is a worm which spreads by emailing itself via its own SMTP engine, by copying itself to the KaZaA peer-to-peer shared folder and via IRC channels.
If the worm is run with a filename which starts with a P, Q, U or I (regardless of case) the W32/Gibe-F displays the following message:
"Microsoft Internet Update Pack
This update does not need to be installed on this system."
The worm then copies itself to the Windows folder as a randomly-named lowercase EXE (e.g. jlfsm.exe) and adds an entry to the registry at HKLM\Software\Microsoft\Windows\CurrentVersion\Run to run itself on system restart.
The worm also changes the entries in the registry at:
HKCR\exefile\shell\open\command
HKCR\regfile\shell\open\command
HKCR\comfile\shell\open\command
HKCR\batfile\shell\open\command
HKCR\pifile\shell\open\command
HKCR\scrfile\shell\open\command
HKCR\scrfile\shell\config\command
so that it is run before EXE, COM, PIF, BAT, SCR files and displays a false error message when rendering REG files.
W32/Gibe-F copies itself to the KaZaA shared folder with various filenames (e.g. "WINZIP UPLOAD.EXE").
W32/Gibe-F attempts to terminate various processes related to anti-virus or security software (e.g. sweep, zonealarm and blackice).
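The registry changes described above are easy to audit by hand. The following is an added PowerShell example, not code from Sophos or from the original post, that checks the shell\open\command keys and the Run key the description names; the "expected" default command strings and the lowercase-EXE-in-Windows-folder heuristic are assumptions and should be compared against a known-clean machine of the same Windows version.

```powershell
# Added example (not from Sophos or the mailing-list post): audit the registry
# locations the W32/Gibe-F description says the worm changes. The expected
# command strings below are assumptions drawn from a clean Windows install.
function Find-GibeFRegistryIndicators {
    # Sophos lists "pifile"; the actual class key on Windows is "piffile", so both are checked.
    $expected = @{
        'exefile\shell\open\command'   = '"%1" %*'
        'comfile\shell\open\command'   = '"%1" %*'
        'batfile\shell\open\command'   = '"%1" %*'
        'pifile\shell\open\command'    = '"%1" %*'
        'piffile\shell\open\command'   = '"%1" %*'
        'scrfile\shell\open\command'   = '"%1" /S'
        'scrfile\shell\config\command' = '"%1"'
        'regfile\shell\open\command'   = 'regedit.exe "%1"'
    }
    $findings = @()
    foreach ($sub in $expected.Keys) {
        $path = "Registry::HKEY_CLASSES_ROOT\$sub"
        if (-not (Test-Path $path)) { continue }
        $cmd  = [string](Get-ItemProperty -Path $path).'(default)'
        $norm = [Environment]::ExpandEnvironmentVariables($cmd).Trim()
        # A worm that inserts itself before the real command (or replaces it) fails this match.
        $pat  = '*' + [System.Management.Automation.WildcardPattern]::Escape($expected[$sub])
        if ($norm -notlike $pat) {
            $findings += [pscustomobject]@{ Key = $path; Value = $cmd; Reason = 'shell command hijacked' }
        }
    }
    # Run-key heuristic from the description: a lowercase, letters-only EXE directly in the Windows folder.
    $run = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($p in (Get-ItemProperty -Path $run).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $val = [Environment]::ExpandEnvironmentVariables([string]$p.Value).Trim('"')
        if (-not $val) { continue }
        $leaf = Split-Path -Leaf   $val
        $dir  = Split-Path -Parent $val
        if ($dir -eq $env:windir -and $leaf -cmatch '^[a-z]+\.exe') {
            $findings += [pscustomobject]@{ Key = "$run\$($p.Name)"; Value = $p.Value; Reason = 'suspicious Run entry' }
        }
    }
    return $findings
}

Find-GibeFRegistryIndicators | Format-Table -AutoSize
```

An empty result means the listed keys still carry their normal commands; any finding should be confirmed against the vendor description rather than treated as proof of infection on its own.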
-------------- next part --------------
A non-text attachment was scrubbed...
Name: GibeF.ide
Type: application/octet-stream
Size: 441 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030918/3b8926c2/GibeF.obj