SECURITY ALERT

Name:      W32/Gibe@MM
Aliases:   W32.Gibe@mm,WORM_GIBE.A
Variants:  
Type:      Virus
Platforms: Windows 32-bit
Status:    in the wild
Threat:    V-CON 1

This alert is being issued because of an increased number of samples seen in the wild. The following has been derived from information provided by NAI, Sophos, Symantec and Trend.

Virus Characteristics

W32/Gibe-A is a worm that spreads as an email attachment posing as a Microsoft Security Update patch, in a message that appears to come from Microsoft. The email has the following characteristics:

Subject line: Internet Security Update
Attached file: q216309.exe

Message text: Microsoft Customer,
this is the latest version of security update, the update which eliminates all known security vulnerabilities affecting Internet Explorer and MS Outlook/Express as well as six new vulnerabilities
.
.
.
How to install
Run attached file q216309.exe
How to use
You don't need to do anything after installing this item.
.
.
.

Once executed, the worm retrieves the default Internet Account details from the Registry and stores them under a new registry key (listed below).

It creates the following files:

\Windows\Q216309.exe (122,880 bytes). This is the whole package containing the worm.
\Windows\Vtnmsccd.dll (122,880 bytes). This file is the same as Q216309.exe.
\Windows\BcTool.exe (32,768 bytes). This is the worm component that spreads using Microsoft Outlook and SMTP.
\Windows\GfxAcc.exe (20,480 bytes). This is the Backdoor Trojan component of the worm that opens port 12378.
\Windows\02_N803.dat (size varies). This is the data file that the worm creates to store email addresses that it finds.
\Windows\WinNetw.exe (20,480 bytes). This is the component that searches for email addresses and writes them to 02_N803.dat.

The worm then adds the following values to the Run key in the registry:

LoadDBackUp C:\Windows\BcTool.exe
3Dfx Acc C:\Windows\GFXACC.exe

The worm also creates the key: HKEY_LOCAL_MACHINE\Software\AVTech\Settings

Installed ... by Begbie
Default Address <Default Email Address>
Default Server <Default Server>


The worm runs WINNETW.EXE to harvest email addresses and saves them to %windows%\02_N803.DAT. When the machine is restarted, BcTool.EXE runs and mails the worm to every address listed in 02_N803.DAT, using the default SMTP server. After sending to all of those addresses, the worm deletes %windows%\02_N803.DAT.

The final component of this worm, GFXACC.EXE, is a backdoor Trojan, opening port 12378 on the infected machine. This component is detected as BackDoor-ABJ by the indicated DATs.


Payload

Addition of the following files to the Windows directory:

Q216309.exe, Vtnmsccd.dll, BcTool.exe, GfxAcc.exe, 02_N803.dat, WinNetw.exe

Addition of the "HKEY_LOCAL_MACHINE\Software\AVTech\Settings" Registry key.


Preventative Measures

Block attachments named q216309.exe at the messaging gateway where possible.
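A gateway-side check for the message characteristics listed above, as an added example (not from the alert or from any vendor's product). It uses Python's standard email module and a constructed sample message; the attachment name is the blocking indicator, as the alert recommends, with the subject line and the 122,880-byte size as corroborating signals.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the alert: subject line, attachment name, package size.
GIBE_SUBJECT = "internet security update"
GIBE_ATTACHMENT = "q216309.exe"
GIBE_ATTACHMENT_SIZE = 122880  # bytes, per the file listing for Q216309.exe


def gibe_indicators(raw_message: bytes) -> list[str]:
    """Return the W32/Gibe@MM indicators matched by a raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    subject = (msg["subject"] or "").strip().lower()
    if subject == GIBE_SUBJECT:
        hits.append("subject")
    for part in msg.iter_attachments():
        # Compare case-insensitively: Windows filenames are case-insensitive.
        name = (part.get_filename() or "").strip().lower()
        if name == GIBE_ATTACHMENT:
            hits.append("attachment-name")
            payload = part.get_payload(decode=True) or b""
            if len(payload) == GIBE_ATTACHMENT_SIZE:
                hits.append("attachment-size")
    return hits


def should_block(raw_message: bytes) -> bool:
    """Block on the attachment name alone; subject and size only corroborate."""
    return "attachment-name" in gibe_indicators(raw_message)


def build_sample(subject: str, filename: str, size: int) -> bytes:
    """Constructed test message; the attachment is filler bytes, not the worm."""
    m = EmailMessage()
    m["From"] = "update@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content("Microsoft Customer,\nthis is the latest version of security update\n")
    m.add_attachment(b"\x00" * size, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```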


Fixes Available

Network Associates: DAT 4189
Symantec: Definitions dated March 6, 2002 or later
Trend: Pattern file 234
