| Property | Value |
|---|---|
| Place of Origin | Slovakia |
| Source Language | Visual Basic |
| Infection Length | 122,880 bytes |

Gibe arrives in an email that appears to come from Microsoft, with a sender line of "Microsoft Corporation Security Center". The attachment containing the worm is named Q216309.exe. The subject line is "Internet Security Update". The body of the email is:

> Microsoft Customer, this is the latest version of security update, the update which eliminates all known security vulnerabilities affecting Internet Explorer and MS Outlook/Express as well as six new vulnerabilities . . .
>
> How to install
> Run attached file q216309.exe
>
> How to use
> You don't need to do anything after installing this item.

Once run, Gibe installs several files to the Windows folder, including Q216309.exe and Vtnmsccd.dll (two copies of the original attachment), BcTool.exe (a component that helps the worm spread through Outlook), WinNetw.exe (searches for email addresses), 02_N803.dat (stores email addresses) and GfxAcc.exe (a backdoor that opens port 12378). Gibe then attempts to install itself in the Start Menu Startup folder of all mapped drives.
Gibe adds the files BcTool.exe and GfxAcc.exe as values to the local machine run key. It creates the key HKEY_LOCAL_MACHINE\Software\AVTech\Settings and adds the following strings as values:
- Installed … by Begbie
- Default Address (Default Email Address)
- Default Server (Default Server)
It looks for email addresses in the address book, as well as in .htm, .html, .asp, and .php files, and writes them to the 02_N803.dat file. BcTool.exe sends the file Q216309.exe to all addresses it finds on the computer in an email like the one it came in.
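
The indicators described above (the dropped file names, the two Run-key entries, the AVTech\Settings key and the backdoor listener on port 12378) can be checked against data collected from a host. The following is an added example, not part of the original write-up: it parses `reg query`-style and `netstat -ano`-style text, assumes the "local machine run key" is `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`, and uses constructed sample data (value names, paths and addresses are made up).

```python
import re
from pathlib import PureWindowsPath

# Indicators from the description above; Windows names compare case-insensitively.
GIBE_FILES = {"q216309.exe", "vtnmsccd.dll", "bctool.exe", "winnetw.exe",
              "02_n803.dat", "gfxacc.exe"}
RUN_TARGETS = {"bctool.exe", "gfxacc.exe"}
# Assumption: the standard HKLM Run key is the one the description refers to.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
GIBE_KEY = r"hkey_local_machine\software\avtech\settings"
BACKDOOR_PORT = "12378"

def exe_name(command):
    """Lower-cased file name from a Run value, quoted or followed by arguments."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return PureWindowsPath(m.group(1) or m.group(2)).name.lower() if m else ""

def triage(file_paths, reg_query_output, netstat_output):
    """Return sorted (kind, detail) findings from collected host data."""
    hits = {("file", p) for p in file_paths
            if PureWindowsPath(p).name.lower() in GIBE_FILES}
    key = ""
    for line in reg_query_output.splitlines():
        if line.upper().startswith("HKEY_"):       # key header line
            key = line.strip().lower()
            if key == GIBE_KEY:
                hits.add(("regkey", line.strip()))
            continue
        m = re.match(r"\s+(.+?)\s{2,}REG_\w+\s{2,}(.*)$", line)  # name, type, data
        if m and key == RUN_KEY and exe_name(m.group(2)) in RUN_TARGETS:
            hits.add(("run", m.group(2).strip()))
    for line in netstat_output.splitlines():
        f = line.split()                            # proto, local, remote, state, pid
        if (len(f) >= 4 and f[0] == "TCP" and f[3] == "LISTENING"
                and f[1].rsplit(":", 1)[-1] == BACKDOOR_PORT):
            hits.add(("port", f[1]))                # only a local listener counts
    return sorted(hits)

# Constructed sample data, not captured from a real host.
SAMPLE_FILES = [r"C:\WINDOWS\GfxAcc.exe", r"C:\WINDOWS\02_N803.DAT"]
SAMPLE_REG = r'''HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    LoadBc    REG_SZ    "C:\WINDOWS\BcTool.exe" /x
    Updater    REG_SZ    C:\Tools\update.exe

HKEY_LOCAL_MACHINE\Software\AVTech\Settings
    Default Server    REG_SZ    mail.example.test
'''
SAMPLE_NETSTAT = """  TCP    0.0.0.0:12378    0.0.0.0:0          LISTENING      1492
  TCP    10.0.0.5:1045    192.0.2.7:12378    ESTABLISHED    640
"""
```

Calling `triage(SAMPLE_FILES, SAMPLE_REG, SAMPLE_NETSTAT)` reports the two dropped files, the listener, the AVTech key and the BcTool.exe Run entry; the outbound connection to a remote port 12378 and the unrelated Run value are not flagged.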
Gibe produced a small number of variants. Swen was named Gibe.F because of its many similarities to Gibe, including that it comes from the same creator, who presumably goes by the name Begbie.
While Swen made it to the very top of the virus/worm charts, few other Gibe variants even charted. Gibe.A made it to number 10 in late spring of 2002.