The W32/GIBE worm that went into effect Wednesday seems to have done very little damage, even though the worm posed as a security update from Microsoft.
The worm, known variously as W32/[email protected], WORM_GIBE.A, or W32/Gibe-A, is hidden within an “Q216309.exe” attachment in an email message from the “Microsoft Corporation Security Center”. The email does not originate from Microsoft. The worm installs a back-door Trojan application and attempts to replicate itself through Microsoft Outlook.
As of Friday, Symantec Corp. had found only three sites which had been infected by the virus, and ranked its geographics distribution as “low”. MessageLabs.com ranked the GIBE worm ninth among all active virii for the last 24 hours, well below the still-active SirCam.A worm, which still ranks first among the most active worms.
The message the worm sends reads, in part: “Microsoft Customer, this is the latest version of security update, the update which eliminates all known security vulnerabilities affecting Internet Explorer and MS Outlook/Express as well as six new vulnerabilities.” The email then advises the customer to open the “Q216309.exe” attachement to “fix” the security risks.
Upon doing so, the GIBE worm executable decompresses into several files; one, GfxAcc.exe, is a back-door Trojan that opens port 12378. The worm also modifies the system registry. The other files search the Microsoft Outlook database and other HTML., ASP, and .PHP files and attempt to send the original email to the new addresses, according to Symantec Corp., which has updated its LiveUpdate software to stop the worms progress.