Nasty New Trojan Pretends to Be Official Microsoft Security Update Message
Computer Associates | 3/7/2002 | Staff
Posted on 03/07/2002 4:34:56 PM PST by ex-Texan
Win32.Gibe trojan, worm
Win32/Gibe is a buggy mass-mailing worm that utilizes Microsoft Outlook and the SMTP to propagate.
The email pretends to be an official message from Microsoft Corp. carrying the latest version of a security update for Internet Explorer and MS Outlook/Express.
The attachment name is: q216309.exe
If the attachment is executed, the worm will drop 4 files into the Windows directory and execute them:
WinNetW.exe, BcTool.exe - mass-mailing components
GfxAcc.exe - Backdoor Trojan listening on port 12378
q216309.exe - copy of itself
A DLL is also dropped into the System Directory:
vtnmsccd.dll - copy of itself
The worm creates the file 02_N803.dat in the Windows directory to store any email addresses collected from the local system.
The following registry modifications are also made:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadDBackUp = "C:\WINDOWS\BcTool.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\3Dfx Acc = "C:\WINDOWS\GFXAcc.exe"
This will cause the backdoor trojan and the mass-mailing component to execute upon Windows startup.
Then the worm will wipe out your hard drive and its files!!
TOPICS: Announcements; Breaking News; Culture/Society
KEYWORDS: techindex
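The indicators listed in the advisory above can be turned into a small triage check. This is an added example, not part of the original post or of Computer Associates' advisory; the function names, the input shape (file-name lists, a dict of Run values, a set of listening ports) and the two-kinds heuristic are assumptions.

```python
import ntpath

# Indicators copied from the advisory text above, lower-cased for matching.
WINDOWS_DIR_FILES = {"winnetw.exe", "bctool.exe", "gfxacc.exe",
                     "q216309.exe", "02_n803.dat"}
SYSTEM_DIR_FILES = {"vtnmsccd.dll"}
RUN_VALUE_NAMES = {"loaddbackup", "3dfx acc"}
BACKDOOR_PORT = 12378


def triage(windows_files, system_files, run_values, listening_ports):
    """Return (kind, detail) findings for one host's collected artifacts."""
    findings = []
    # Windows file names are case-insensitive: the advisory itself spells the
    # backdoor both "GfxAcc.exe" and "GFXAcc.exe".
    findings += [("file", n) for n in windows_files
                 if n.lower() in WINDOWS_DIR_FILES]
    findings += [("file", n) for n in system_files
                 if n.lower() in SYSTEM_DIR_FILES]
    for name, data in run_values.items():
        # Run data may be quoted and carry a full path; compare the file name.
        target = ntpath.basename(data.strip().strip('"')).lower()
        if name.lower() in RUN_VALUE_NAMES or target in WINDOWS_DIR_FILES:
            findings.append(("run", name))
    if BACKDOOR_PORT in listening_ports:
        findings.append(("port", str(BACKDOOR_PORT)))
    return findings


def verdict(findings):
    """Assumed heuristic: one indicator kind is a lead, two or more is a hit."""
    kinds = {kind for kind, _ in findings}
    return "clean" if not kinds else "suspect" if len(kinds) == 1 else "infected"


# Constructed sample hosts (not real collections).
INFECTED = triage(["NOTEPAD.EXE", "BcTool.exe", "GFXACC.EXE", "02_N803.dat"],
                  ["KERNEL32.DLL", "VTNMSCCD.DLL"],
                  {"SystemTray": "SysTray.Exe",
                   "3Dfx Acc": '"C:\\WINDOWS\\GFXAcc.exe"'},
                  {139, 12378})
CLEAN = triage(["NOTEPAD.EXE"], ["KERNEL32.DLL"],
               {"SystemTray": "SysTray.Exe"}, {139})

if __name__ == "__main__":
    print(verdict(INFECTED), INFECTED)
    print(verdict(CLEAN), CLEAN)
```

A file name or an open port on its own is weak evidence, which is why the verdict only reports "infected" when two different kinds of indicator agree.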
To: ex-Texan
Anyone running any of the popular virus detection software (Norton, McAfee, etc.) and keeping their virus definitions up to date won't have to worry about this. And bully for you if you're running firewall software.
This also applies to virtually every virus 'alert' you see. Here or anywhere else.
21 posted on 03/07/2002 5:13:05 PM PST by upchuck
To: Tennessee_Bob
The big question is "when is the last time anyone got a message from MS with an executable attachment?" I've never seen one myself. The rule still applies...Never, ever open an attachment from anyone.
22 posted on 03/07/2002 5:14:15 PM PST by BJungNan
To: BJungNan
I have a policy. If I get an attachment from a stranger, it gets deleted. If I get one from a friend, I ask them if they sent it. If they say yes, I'll scan it and save it, if not, it gets deleted. My AV software scans anything I try to save, and if it barks, it gets deleted.
To: hole_n_one
Hi Sweetie. I gotchur virus right here. Oops!!
24 posted on 03/07/2002 5:26:09 PM PST by upchuck
To: Tennessee_Bob
CP/M RULES! pip this. You just dated yourself. As punishment, load the boot-loader from the front panel.
/john
To: ex-Texan; *tech_index
Filing at *tech_index
To: fineright
I don't use Outlook, too many holes. There is a free patch that seems to stop all this stuff. Really!
To: hole_n_one
I'm a Notre Dame Law grad and loyal through and through. However, U.S.C. is a great university and they have great teams!
The U.S.C. babe is a cutie! Nuff said.
28 posted on 03/07/2002 6:01:05 PM PST by ex-Texan
To: kd5cts
You just dated yourself. Well, it's not like anyone else will...
To: Tennessee_Bob
pip, cat, dir, and tip. I can't remember any more of the cp/m commands. Maybe I'm getting old. I do still have a copy of cp/m on a single-sided 128K 8" floppy. If you have a drive that will read it.
/john
To: WIMom
Hi WIMom. You are doing such a GREAT job! Thanks for all your hard work getting the word out and urging everyone to help support FRee Republic! Big BUMP to YOU!
To: MonroeDNA
BTTT If you think that just $3 a month won't make a difference, or that it is embarrassing ...
BTTT You are so right Mdna! I felt embarrassed at the thought of giving $5.00 - a one time gift.
But if all 80,000 registered FReepers gave JUST one $5.00 gift we would have $400,000!
To: hole_n_one
Please pass the Trojans!
33 posted on 03/07/2002 6:23:11 PM PST by Fireone
To: ex-Texan
I am glad to see this as BREAKING NEWS.
Might save a few hard drives of some Freepers, and even some of the liberal hard drives.
After all, we want to know that these folks like Blumenthal have Child Porn or whatever on their computers when they get caught red handed (just a play on the DrudgeReport article on Blumenthal, Child Porn, and Little League. (Maybe most of these liberals are little leaguers...))
34 posted on 03/07/2002 6:24:45 PM PST by topher
To: ex-Texan
bttt
To: upchuck
I feel safer now!
Thanks!
Grin!
To: Tennessee_Bob
Well, it's not like anyone else will... I just downloaded Turbo Pascal 3.0 for CP/M awhile ago to see if it would be usable for a Z80 project I'm working on. If ByteVar is a byte variable, depending upon whether the value in HL is needed, optimal code for "ByteVar:=ByteVar+1;" is either:
LD HL,ByteVar
INC (HL)
or
LD A,(ByteVar)
INC A
LD (ByteVar),A
Unfortunately, Turbo Pascal isn't quite so efficient:
LD HL,(ByteVar)
LD H,0
PUSH HL
LD HL,1
POP DE
ADD HL,DE
LD A,L
LD (ByteVar),A
I think I'll try looking at Turbo Pascal 3.0 for PC's code and see how that is. Many applications were developed on that platform, including the original Tetris.
37 posted on 03/07/2002 10:03:12 PM PST by supercat
To: WIMom
Good heavens, you people remind me of NPR/PBS! Except that NPR/PBS save all the best stuff for when they're fundraising (and I don't give them money), while the Freep stuff is good all the time (and I just donated for the 2nd time).
38 posted on 03/07/2002 10:15:27 PM PST by exDemMom
To: Tennessee_Bob
"CP/M RULES!" Hey, you wouldn't happen to know off the top of your head where I could start looking for a program that would read a document written on a double sided double density 5&1/4 floppy disk on an old CPM Z80 machine computer using Perfect Writer?
It's no big deal, just a bunch of old college papers that I'd like to recover.
39 posted on 03/08/2002 1:49:41 AM PST by elfman2
To: supercat
You also need to look at the cycle count for the different ways of doing it (the first two ways) to see which is really the most efficient time wise (if you care).
40 posted on 03/08/2002 2:16:12 AM PST by DB