New Sophos IDE for Gibe-F
Mike Kercher
mike at CAMAROSS.NET
Thu Sep 18 13:51:47 IST 2003
It's already out :)
Name: W32/Gibe-F
Aliases: W32/Swen.A at mm
Type: Win32 worm
Date: 18 September 2003
A virus identity file (IDE) which provides protection is available now from
our website and will be incorporated into the November 2003 (3.75) release
of Sophos Anti-Virus.
Sophos has received several reports of this worm from the wild.
-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
Of Dustin Baer
Sent: Thursday, September 18, 2003 7:44 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: New Sophos IDE for Gibe-F
Our server has stopped a few exe files. I sent a couple of them to Sophos
for examination. They will be releasing it later today as Gibe-F.
Here it is, if you want it earlier.
Dustin
-------- Original Message --------
Subject: Re: ** exe file for examination
Date: Thu, 18 Sep 2003 13:34:21 +0100
From: martin.elliott at sophos.com
Reply-To: support at sophos.com
To: dustin.baer at ihs.com
Hi Dustin
The file that you sent to us for analysis was infected with W32/Gibe-F. I
have attached a description and an IDE file that will allow Sophos to detect
this. I expect this to be posted on our web site a little later today.
Please do not hesitate to contact me if I can be of any further assistance.
Regards
Martin Elliott
Sophos Technical Support
(See attached file: GibeF.ide)
W32/Gibe-F is a worm which spreads by emailing itself via its own SMTP
engine, by copying itself to the KaZaA peer-to-peer shared folder and via
IRC channels.
If the worm is run with a filename which starts with a P, Q, U or I
(regardless of case), W32/Gibe-F displays the following message:
"Microsoft Internet Update Pack
This update does not need to be installed on this system."
The worm then copies itself to the Windows folder as a randomly-named
lowercase EXE (e.g. jlfsm.exe) and adds an entry to the registry at
HKLM\Software\Microsoft\Windows\CurrentVersion\Run to run itself on system
restart.
The worm also changes the entries in the registry at:
HKCR\exefile\shell\open\command
HKCR\regfile\shell\open\command
HKCR\comfile\shell\open\command
HKCR\batfile\shell\open\command
HKCR\pifile\shell\open\command
HKCR\scrfile\shell\open\command
HKCR\scrfile\shell\config\command
so that it is run before EXE, COM, PIF, BAT and SCR files, and displays a false
error message when rendering REG files.
W32/Gibe-F copies itself to the KaZaA shared folder with various filenames
(e.g. "WINZIP UPLOAD.EXE").
W32/Gibe-F attempts to terminate various processes related to anti-virus or
security software (e.g. sweep, zonealarm and blackice).
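The registry changes described above are easy to audit on a suspect host. The following PowerShell script is an added example, not part of the Sophos description or this thread: it reads each class-registration key the description lists and compares its (Default) command against an assumed clean-install value, then lists Run entries that fit the "randomly-named lowercase EXE in the Windows folder" pattern. The expected values and the reading of "pifile" as HKCR\piffile are assumptions; confirm them against a known-clean build of the same Windows version.

```powershell
# Added audit script (assumption-based), not from the advisory or the list thread.
# Assumed clean-install defaults for the keys the Gibe-F description says are
# modified. Verify on a known-clean build before acting on a mismatch.
$Expected = @{
    'exefile\shell\open\command'   = '"%1" %*'
    'comfile\shell\open\command'   = '"%1" %*'
    'batfile\shell\open\command'   = '"%1" %*'
    'piffile\shell\open\command'   = '"%1" %*'   # advisory writes "pifile"
    'scrfile\shell\open\command'   = '"%1" /S'
    'scrfile\shell\config\command' = '"%1"'
    'regfile\shell\open\command'   = 'regedit.exe "%1"'
}

function Test-ShellOpenHandlers {
    # One object per key: the current (Default) command and whether it matches.
    foreach ($sub in $Expected.Keys) {
        $key = Get-Item -LiteralPath "Registry::HKEY_CLASSES_ROOT\$sub" -ErrorAction SilentlyContinue
        $current = if ($key) { [string]$key.GetValue('') } else { '<missing>' }
        $status  = if ($current -eq $Expected[$sub]) { 'OK' } else { 'MODIFIED' }
        [pscustomobject]@{
            Key      = "HKCR\$sub"
            Current  = $current
            Expected = $Expected[$sub]
            Status   = $status
        }
    }
}

function Get-SuspiciousRunEntries {
    # Heuristic from the description: a Run entry whose executable is a
    # letters-only lowercase .exe directly inside the Windows folder (e.g. jlfsm.exe).
    $run = Get-Item -LiteralPath 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($name in $run.GetValueNames()) {
        $value = [string]$run.GetValue($name)
        # Strip a quoted path or take the first token, dropping any arguments.
        $exe = if ($value -match '^"([^"]+)"') { $Matches[1] } else { ($value -split ' ')[0] }
        $parent = Split-Path -Path $exe -Parent
        $leaf   = Split-Path -Path $exe -Leaf
        if ($parent -ieq $env:windir -and $leaf -cmatch '^[a-z]+\.exe$') {
            [pscustomobject]@{ Name = $name; Command = $value }
        }
    }
}

# Run from an elevated session on the host being checked.
Test-ShellOpenHandlers   | Format-Table -AutoSize
Get-SuspiciousRunEntries | Format-Table -AutoSize
```

A MODIFIED status on any of the handler keys means every launch of that file type goes through whatever command now sits there, so the hijacked value should be recorded before the key is restored.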