This section helps you to understand how W32/Gibe-D behaves.
W32/Gibe-D is a worm which spreads by sending out email and by making itself
available for download via the KaZaA peer-to-peer file sharing system.
If you run an infected file, W32/Gibe-D pops up a dialog claiming to be a
Microsoft security update. (Microsoft never send out security updates via
email, and never publish security updates on peer-to-peer file sharing
networks.)
W32/Gibe-D drops a number of files onto your hard disk. These include a file
named DX3DRndr.exe (detected by this identity), which is a mailing program.
W32/Gibe-D also makes copies of itself, including multiple copies in your
KaZaA folder. These files may have a variety of names, including:
IEPatch.exe
KaZaA upload.exe
Porn.exe
Sex.exe
XboX Emulator.exe
PS2 Emulator.exe
XP update.exe
XXX Video.exe
Sick Joke.exe
Free XXX Pictures.exe
My naked sister.exe
Hallucinogenic Screensaver.exe
Cooking with Cannabis.exe
Magic Mushrooms Growing.exe
I-Worm_Gibe Cleaner.exe
If you have mIRC installed, W32/Gibe-D also creates a file called Script.ini
in your mIRC folder. This script is detected as mIRC/Simp-Fam.
The characteristics of the emails sent by W32/Gibe-D are variable but
typically the subject line and message text are as follows:
Subject line: FWD: See these security patch from Microsoft.
Message text:
"----- Original message follows -----
Microsoft User
this is the latest version of security update, the
"February 2003, Cumulative Patch" update which eliminates all
known security vulnerabilities affecting Internet Explorer,
Outlook and Outlook Express as well as five newly discovered
vulnerabilities. Install now to protect your computer from these
vulnerabilities, the most serious of which could allow an attacker to
run executable on your system. This update includes the functionality
of all previously released patches.
System requirements:
Win 9x/Me/2000/NT/XP
This update applies to:
Microsoft Internet Explorer, version 4.01 and later
Microsoft Outlook, version 8.00 and later
Microsoft Outlook Express, version 4.01 and later
Recommendation:
Customers should install the patch at the earliest opportunity.
How to install:
Run attached file. Click Yes on displayed dialog box.
How to use:
You don't need to do anything after installing this item.
Microsoft Technical Support is available at
http://support.microsoft.com/
For security-related information about Microsoft products,
please visit the Microsoft Security Advisor web site at
http://www.microsoft.com/security
Contact us at
http://www.microsoft.com/isapi/goregwiz.asp?target=/contactus/contactus.asp
Please do not reply to this message. It was sent from an unmonitored
e-mail address and we are unable to respond to any replies.
Thank you for using Microsoft products."
The attached file is usually called UPDATE???.EXE where ??? is a random
three-digit number.
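
The indicators described above (the typical subject line, the UPDATE???.EXE attachment name and the dropped file names) can be turned into a simple mail and file-listing check. The following is an added example, not code from the original description or from any vendor product; the function names, the sample addresses and the sample message are constructed for illustration, and the matching is heuristic because the description says the emails vary.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators copied from the description above. The write-up says the mail is
# "variable" and the name list is not exhaustive, so treat hits as heuristic.
ATTACHMENT_RE = re.compile(r"^UPDATE\d{3}\.EXE$", re.IGNORECASE)
SUBJECT_MARKER = "security patch from microsoft"
DROPPED_NAMES = {n.lower() for n in (
    "DX3DRndr.exe", "IEPatch.exe", "KaZaA upload.exe", "Porn.exe", "Sex.exe",
    "XboX Emulator.exe", "PS2 Emulator.exe", "XP update.exe", "XXX Video.exe",
    "Sick Joke.exe", "Free XXX Pictures.exe", "My naked sister.exe",
    "Hallucinogenic Screensaver.exe", "Cooking with Cannabis.exe",
    "Magic Mushrooms Growing.exe", "I-Worm_Gibe Cleaner.exe",
)}


def score_message(raw):
    """Return the reasons a raw RFC 5322 message resembles the worm's mail."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    if SUBJECT_MARKER in str(msg.get("Subject", "")).lower():
        reasons.append("subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        if ATTACHMENT_RE.match(name):  # UPDATE + exactly three digits + .EXE
            reasons.append("attachment:" + name)
    return reasons


def suspicious_files(names):
    """Filter a directory listing (e.g. a KaZaA shared folder) for listed names."""
    return sorted(n for n in names if n.lower() in DROPPED_NAMES)


def build_sample(subject, filename):
    """Constructed test message; the attachment body is harmless filler."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content("constructed sample body")
    m.add_attachment(b"not a real executable", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

A file-name match only flags a file for scanning; several of the listed names could belong to unrelated files.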