New Sophos IDE for Gibe-F

Dustin Baer dustin.baer at IHS.COM
Thu Sep 18 13:56:59 IST 2003


I see!  "...a little later today..." must have meant "in 15 minutes".
:-)



Mike Kercher wrote:
>
> It's already out :)
>
> Name: W32/Gibe-F
> Aliases: W32/Swen.A at mm
> Type: Win32 worm
> Date: 18 September 2003
>
> A virus identity file (IDE) which provides protection is available now from
> our website and will be incorporated into the November 2003 (3.75) release
> of Sophos Anti-Virus.
>
> Sophos has received several reports of this worm from the wild.
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
> Of Dustin Baer
> Sent: Thursday, September 18, 2003 7:44 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: New Sophos IDE for Gibe-F
>
> Our server has stopped a few exe files.  I sent a couple of them to Sophos
> for examination.  They will be releasing it later today as Gibe-F.
>
> Here it is, if you want it earlier.
>
> Dustin
>
> -------- Original Message --------
> Subject: Re: ** exe file for examination
> Date: Thu, 18 Sep 2003 13:34:21 +0100
> From: martin.elliott at sophos.com
> Reply-To: support at sophos.com
> To: dustin.baer at ihs.com
>
> Hi Dustin
>
> The file that you sent to us for analysis was infected with W32/Gibe-F. I
> have attached a description and an IDE file that will allow Sophos to detect
> this. I expect this to be posted on our web site a little later today.
> Please do not hesitate to contact me if I can be of any further assistance.
>
> Regards
>
> Martin Elliott
> Sophos Technical Support
>
> (See attached file: GibeF.ide)
>
> W32/Gibe-F is a worm which spreads by emailing itself via its own SMTP
> engine, by copying itself to the KaZaA peer-to-peer shared folder and via
> IRC channels.
>
> If the worm is run with a filename which starts with a P, Q, U or I
> (regardless of case) W32/Gibe-F displays the following message:
>
> "Microsoft Internet Update Pack
> This update does not need to be installed on this system."
>
> The worm then copies itself to the Windows folder as a randomly-named
> lowercase EXE (e.g. jlfsm.exe) and adds an entry to the registry at
>
> HKLM\Software\Microsoft\Windows\CurrentVersion\Run
>
> to run itself on system restart.
>
> The worm also changes the entries in the registry at:
>
> HKCR\exefile\shell\open\command
> HKCR\regfile\shell\open\command
> HKCR\comfile\shell\open\command
> HKCR\batfile\shell\open\command
> HKCR\pifile\shell\open\command
> HKCR\scrfile\shell\open\command
> HKCR\scrfile\shell\config\command
>
> so that it is run before EXE, COM, PIF, BAT, SCR files and displays a false
> error message when rendering REG files.
>
> W32/Gibe-F copies itself to the KaZaA shared folder with various filenames
> (e.g. "WINZIP UPLOAD.EXE").
>
> W32/Gibe-F attempts to terminate various processes related to anti-virus or
> security software (e.g. sweep, zonealarm and blackice).

--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836
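The Sophos description quoted above lists two registry changes that are easy to audit offline: the hijacked `HKCR\...\shell\open\command` handlers and the `HKLM\...\Run` persistence entry. The script below is an added example, not part of this thread and not Sophos's code. It parses a `.reg` export (as produced by `reg export` or regedit) and reports handler keys whose default value differs from the expected default, plus Run entries that point at a bare lowercase EXE in the Windows folder. The expected default commands are the Windows XP-era values (an assumption; compare against a known-clean machine of the same Windows version), and the sample export at the bottom is constructed for the demonstration.

```python
import re

# Expected default handler commands (assumption: Windows XP-era defaults;
# verify against a clean machine of the same version before relying on them).
EXPECTED_DEFAULTS = {
    r"exefile\shell\open\command": '"%1" %*',
    r"comfile\shell\open\command": '"%1" %*',
    r"batfile\shell\open\command": '"%1" %*',
    r"piffile\shell\open\command": '"%1" %*',   # the thread spells this 'pifile'
    r"scrfile\shell\open\command": '"%1" /S',
    r"scrfile\shell\config\command": '"%1"',
    r"regfile\shell\open\command": 'regedit.exe "%1"',
}

RUN_KEY = r"software\microsoft\windows\currentversion\run"

# Heuristic (assumption): a Run entry whose command is just <windir>\<lowercase>.exe
# matches the "randomly-named lowercase EXE in the Windows folder" pattern.
SUSPICIOUS_PATH = re.compile(r"^[a-z]:\\(windows|winnt)\\[a-z]+\.exe$", re.IGNORECASE)


def _unescape(s):
    """Undo .reg string escaping (\\\\ -> \\, \\\" -> \")."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse a .reg export into {key_path_lowercase: {value_name: data}}."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            result.setdefault(current, {})
            continue
        if current is None:
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m:
            continue  # binary/dword values are not needed for this check
        name = "(default)" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        result[current][name] = data
    return result


def find_hijacked_handlers(text):
    """Return [(key, actual, expected)] for handler keys with a non-default command."""
    findings = []
    for key, values in parse_reg_export(text).items():
        hive, _, subkey = key.partition("\\")
        if hive not in ("hkey_classes_root", "hkcr"):
            continue
        subkey = subkey.replace("pifile\\", "piffile\\")  # accept the thread's spelling
        expected = EXPECTED_DEFAULTS.get(subkey)
        if expected is None:
            continue
        actual = values.get("(default)", "")
        if actual.strip().lower() != expected.lower():
            findings.append((key, actual, expected))
    return findings


def list_run_entries(text):
    """Return [(value_name, command)] for every entry under a ...\\Run key."""
    entries = []
    for key, values in parse_reg_export(text).items():
        if key.endswith(RUN_KEY):
            entries.extend((n, d) for n, d in values.items() if n != "(default)")
    return entries


def suspicious_run_entries(text):
    """Run entries whose command matches the lowercase-EXE-in-Windows-folder heuristic."""
    return [(n, d) for n, d in list_run_entries(text) if SUSPICIOUS_PATH.match(d.strip())]


# Constructed sample export: two hijacked handlers, two intact ones, one Run entry
# pointing at a Windows-folder EXE with the name from the thread's example.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="jlfsm.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="jlfsm.exe \"%1\""

[HKEY_CLASSES_ROOT\scrfile\shell\config\command]
@="\"%1\""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"jlfsm"="C:\\WINDOWS\\jlfsm.exe"
"SomeLegitApp"="C:\\Program Files\\Legit\\legit.exe"
'''

if __name__ == "__main__":
    for key, actual, expected in find_hijacked_handlers(SAMPLE_EXPORT):
        print(f"HIJACKED {key}: {actual!r} (expected {expected!r})")
    for name, cmd in suspicious_run_entries(SAMPLE_EXPORT):
        print(f"SUSPICIOUS RUN ENTRY {name}: {cmd}")
```

On a live system, export the keys with `reg export HKCR\exefile exefile.reg` (and likewise for the others and the Run key) and feed the file contents in; the heuristic for Run entries is deliberately narrow and is meant to shortlist entries for manual review, not to replace a scanner.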


