Virus Alert About the W32.Gibe@mm Worm Virus (319652)


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 95
  • Microsoft Windows 98
  • Microsoft Windows 98 Second Edition
  • Microsoft Windows Millennium Edition
  • Microsoft Windows NT Workstation 3.51
  • Microsoft Windows NT Workstation 4.0
  • Microsoft Windows NT Server 3.51
  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT Server, Enterprise Edition 4.0
  • Microsoft Small Business Server 2000
  • Microsoft BackOffice Server 2000
  • Microsoft BackOffice Server 4.0
  • Microsoft BackOffice Server 4.5
  • Microsoft BackOffice Small Business Server 4.0
  • Microsoft BackOffice Small Business Server 4.5
This article was previously published under Q319652
This article discusses the W32.Gibe@mm virus that may affect the operation of your computer. The information in this article is provided as-is without warranty of any kind. Microsoft does not provide software to stop virus infections or to cure infected computers. You may want to contact an antivirus software manufacturer for more information about how to remove a virus from your computer and about how to prevent future infections. If your computer has been infected, it may be open to additional forms of attack. Microsoft recommends that you rebuild infected Internet-facing servers (servers that function without a firewall or other protection) by following the guidelines that are published on the CERT Web site. Microsoft also recommends that you rebuild any other computers that are at risk because of their proximity to infected computers before you place them back in service.

SUMMARY

The W32.Gibe@mm virus is a mass-mailing e-mail worm program that uses Microsoft Outlook as well as a built-in Simple Mail Transport Protocol (SMTP) engine to spread.

MORE INFORMATION

IMPORTANT: Microsoft does not distribute programs or updates by using e-mail messages.

The W32.Gibe@mm virus affects Outlook, Microsoft Outlook Express, and Web-based e-mail programs. This virus arrives in an e-mail message with the following characteristics:

From: Microsoft Corporation Security Center <rdquest12@microsoft.com>
To: Microsoft Customer <'customer@yourdomain.com'>
Subject: Internet Security Update
Attachment: q216309.exe

Microsoft Customer,

This is the latest version of security update, the "7 Mar 2002 Cumulative Patch" update which eliminates all known security vulnerabilities affecting Internet Explorer and MS Outlook/Express as well as six new vulnerabilities, and is discussed in Microsoft Security Bulletin MS02-005. Install now to protect your computer from these vulnerabilities, the most serious of which could allow an attacker to run code on your computer.

Description of several well-know vulnerabilities:

- "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability. If a malicious user sends an affected HTML e-mail or hosts an affected e-mail on a Web site, and a user opens the e-mail or visits the Web site, Internet Explorer automatically runs the executable on the user's computer.

- A vulnerability that could allow an unauthorized user to learn the location of cached content on your computer. This could enable the unauthorized user to launch compiled HTML Help (.chm) files that contain shortcuts to executables, thereby enabling the unauthorized user to run the executables on your computer.

- A new variant of the "Frame Domain Verification" vulnerability could enable a malicious Web site operator to open two browser windows, one in the Web site's domain and the other on your local file system, and to pass information from your computer to the Web site.

- CLSID extension vulnerability. Attachments which end with a CLSID file extension do not show the actual full extension of the file when saved and viewed with Windows Explorer. This allows dangerous file types to look as though they are simple, harmless files - such as JPG or WAV files - that do not need to be blocked.

System requirements:
Versions of Windows no earlier than Windows 95.

This update applies to:
Versions of Internet Explorer no earlier than 4.01
Versions of MS Outlook no earlier than 8.00
Versions of MS Outlook Express no earlier than 4.01

How to install
Run attached file q216309.exe

How to use
You don't need to do anything after installing this item.

For more information about these issues, read Microsoft Security Bulletin MS02-005, or visit link below.
http://www.microsoft.com/windows/ie/downloads/critical/default.asp
If you have some questions about this article contact us at rdquest12@microsoft.com

Thank you for using Microsoft products.

With friendly greetings,
MS Internet Security Center.
----------------------------------------
----------------------------------------
Microsoft is registered trademark of Microsoft Corporation.
Windows and Outlook are trademarks of Microsoft Corporation.

In addition, the message contains an attached file that is named q216309.exe. The virus starts when you run this file.

Technical Details

Q216309.exe is a Microsoft Visual Basic program that completes the following operations when you start it:
  • Creates two copies of itself.
  • Starts the program component that propagates itself by using Outlook and SMTP.
  • Creates a Trojan horse program that opens port 12378 on the computer.
  • Creates a data file in which it stores all e-mail addresses from Outlook, as well as e-mail addresses in .htm, .html, .asp, .php files.

Prevention

Outlook 2002 and Outlook 2000 Service Pack 1 (SP1) include the functionality to block harmful e-mail attachments. By default, these programs are configured to block the opening of this file attachment.

If Outlook 98 and Outlook 2000 are not updated to SP1, they are vulnerable to this virus. However, the opening of harmful e-mail attachments can be blocked by installing the Outlook e-mail security update. For additional information about how to obtain and install this update, please visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyID=96DF48A9-7638-429E-816E-35F16F6528CA&displaylang=EN

Recovery

Microsoft does not provide software that can detect or remove computer viruses. If you suspect or confirm that your computer is infected with a virus, obtain current antivirus software. For a list of antivirus software manufacturers, click the following article number to see the article in the Microsoft Knowledge Base:

49500 List of Antivirus Software Vendors

Modification Type:MajorLast Reviewed:10/11/2006
Keywords:kbdownload kbenv kbinfo KB319652
©2004 Microsoft Corporation. All rights reserved.