Topic: PC Virus Alert !!! Disguised as Microsoft Update !!!


Pestalence

  • Guest
PC Virus Alert !!! Disguised as Microsoft Update !!!
« on: September 09, 2003, 01:30:05 pm »
If you get an Email called

Internet Security Patch

sent by :

Microsoft Corporation Network Technical Assistance

there is a Virus in the attachment

the Virus is called Gibe and is classified as a serious risk WORM

Here is a copy of the Email that I have received :

Code:

Microsoft Customer

this is the latest version of security update, the
"September 2003, Cumulative Patch" update which eliminates
all known security vulnerabilities affecting Internet Explorer,
Outlook and Outlook Express as well as five newly
discovered vulnerabilities. Install now to protect your computer
from these vulnerabilities, the most serious of which could allow
an attacker to run executable on your system. This update includes
the functionality of all previously released patches.

System requirements Win 9x/Me/2000/NT/XP
This update applies to Microsoft Internet Explorer, version 4.01 and later
Microsoft Outlook, version 8.00 and later
Microsoft Outlook Express, version 4.01 and later  
Recommendation Customers should install the patch at the earliest opportunity.
How to install Run attached file. Click Yes on displayed dialog box.
How to use You don't need to do anything after installing this item.

Microsoft Product Support Services and Knowledge Base articles
can be found on the Microsoft Technical Support web site.
For security-related information about Microsoft products, please
visit the Microsoft Security Advisor web site, or Contact us.

Please do not reply to this message. It was sent from an unmonitored
e-mail address and we are unable to respond to any replies.

Thank you for using Microsoft products.

With friendly greetings,
Microsoft Corporation Network Technical Assistance

--------------------------------------------------------------------------------
©2003 Microsoft Corporation. All rights reserved. The names of the actual companies
and products mentioned herein may be the trademarks of their respective owners.

this came with an Unsigned Non Certified attachment which is against Microsoft policy.

I ran this file with HouseCall Anti-virus from Trend Micro. These are the results for the file:

Code:

WORM_GIBE.B
--------------------------------------------------------------------------------

Virus type: Worm
Destructive: Yes
Aliases: I-Worm.Gibe.b, Win32/Gibe.B@mm, W32/Gibe.B@mm, Win32.Gibe.B worm
Pattern file needed: 471
Scan engine needed: 5.200
Overall risk rating: Low

--------------------------------------------------------------------------------

Reported infections: Low
Damage Potential: High
Distribution Potential: High


--------------------------------------------------------------------------------
 
Description:
This worm propagates via email, shared folders using Kazaa, and via Internet Relay Chat applications such as mIRC. When propagating via email, it gets its recipients from email addresses listed in the Windows Address Book and addresses remotely retrieved from certain news servers.

This worm arrives in an email as a security patch from Microsoft. It sends email with a random subject, message body, and attachment name.

This malware works on Windows 95, 98, ME, NT, 2000, XP platforms. For more information, see technical details.

Solution:
AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, please use the Trend Micro System Cleaner.

MANUAL REMOVAL INSTRUCTIONS

Identifying the Malware Program

Before proceeding to remove this malware, first identify the malware program.

Scan your system with Trend Micro antivirus and NOTE all files detected as WORM_GIBE.B. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.

Open Windows Task Manager.
On Windows 95, 98, or ME systems,
press CTRL+ALT+DELETE
On Windows NT, 2000, XP systems,
press CTRL+SHIFT+ESC, and click the Processes tab.
In the list of running programs, locate the malware file or files detected earlier.
Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
Do the same for all detected malware files in the list of running processes.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
NOTE: On systems running Windows 95, 98, or ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the following entry:
DxLoad = %Windows%\DX3DRndr.exe
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
Close Registry Editor.
NOTE: %System% is the Windows System folder, which is usually C:\Windows\System on Windows 9x and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP.

Disabling Shared Malware Folder in Kazaa

Still in the registry editor, in the left panel, double-click the following:
HKEY_CURRENT_USER\Software\Kazaa\LocalContent
In the right panel, locate and delete the following:
Dir99 = 012345:<Windows temp folder>\<worm's subfolder>
Close Registry Editor.

Deleting Malware Dropped Files

This procedure deletes files dropped by the malware that are considered to be harmless and are not to be detected by Trend Micro antivirus.

First, locate the dropped file.
On Windows 95, 98, or NT systems
Click Start>Find>Files and Folders.
In the Named input box, type:
WMSysDx.bin
In the Look In drop-down list, select the drive which contains Windows, then press Enter.

Windows 2000, ME, XP
Click Start>Search>For Files and Folders.
In the Search for files and folders named input box, type:
WMSysDx.bin
In the Look In drop-down list, select the drive which contains Windows, then press Enter.
When the file is found in the Windows folder usually C:\Windows or C:\WinNT depending on the version of Windows on your system, delete that file.
Do the same for the SCRIPT.INI file found in the mIRC folder.

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_GIBE.B. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

This is just a public warning in order to help protect your PC systems.



 

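A check a defender could run over a REGEDIT4-style registry export and a file listing to spot the autostart entry, the Kazaa share and the dropped file names that the Trend Micro write-up quoted above names. This is an added example, not part of the original post and not Trend Micro's tooling; the sample export and its "ms" subfolder name are constructed placeholders, since the page elides the worm's actual temp subfolder.

```python
from pathlib import PureWindowsPath

# Indicators taken from the write-up above; registry paths are case-insensitive,
# so keys are compared in lowercase.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
KAZAA_KEY = r"hkey_current_user\software\kazaa\localcontent"
DROPPED_FILES = {"dx3drndr.exe", "wmsysdx.bin", "script.ini"}

def parse_reg_export(text):
    """Parse a REGEDIT4-style export into {key_lowercase: {name: value}} (string values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            # .reg exports escape backslashes inside string values
            keys[current][name.strip('"')] = value.strip().strip('"').replace("\\\\", "\\")
    return keys

def find_gibe_indicators(reg_text):
    """Return (area, name, value) tuples for the Run and Kazaa entries the write-up says Gibe.B adds."""
    keys, hits = parse_reg_export(reg_text), []
    for name, value in keys.get(RUN_KEY, {}).items():
        if name.lower() == "dxload" or PureWindowsPath(value).name.lower() == "dx3drndr.exe":
            hits.append(("Run", name, value))
    for name, value in keys.get(KAZAA_KEY, {}).items():
        # Kazaa stores shares as "012345:<path>"; the worm's share sits under the Windows temp folder
        path = value.partition(":")[2] if value.startswith("012345:") else value
        if name.lower().startswith("dir") and "\\temp\\" in path.lower():
            hits.append(("Kazaa", name, value))
    return hits

def find_dropped_files(paths):
    """Return the paths whose file name matches one the write-up lists as dropped by the worm."""
    return [p for p in paths if PureWindowsPath(p).name.lower() in DROPPED_FILES]

# Constructed sample export (not from the page); "ms" is a placeholder subfolder name.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"DxLoad"="C:\\WINDOWS\\DX3DRndr.exe"

[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"Dir0"="012345:C:\\My Shared Folder"
"Dir99"="012345:C:\\WINDOWS\\TEMP\\ms"
"""
```

Run `find_gibe_indicators(SAMPLE_EXPORT)` to see the DxLoad and Dir99 entries flagged while the legitimate SystemTray and Dir0 entries are left alone.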
E_Look

  • Guest
Re: PC Virus Alert !!! Disguised as Microsoft Update !!!
« Reply #1 on: September 09, 2003, 04:12:20 pm »
Thank you, sir!