Effects
Gibe.C has the following effects:
It ends processes belonging to several antivirus programs, firewalls and system monitoring tools. This leaves the affected computer vulnerable to attack by other viruses and worms.
If it cannot find the information it needs to spread via e-mail, it displays a message that attempts to trick the user into entering confidential information, such as their e-mail address, mail account password and mail server name.
Infection strategy
Gibe.C creates a copy of itself with a random name in the Windows directory.
It also creates several files in a folder with a random name under the Windows temporary directory. These files are copies of the worm, or ZIP archives that contain a copy of the worm. Their random names follow the patterns below:
- It chooses a name from a list hard-coded in its body:
10.000 SERIALS
AOL HACKER
COOKING WITH CANNABIS
EMULATOR PS2
HALLUCINOGENIC SCREENSAVER
HARDPORN
HOTMAIL HACKER
JENNA JAMESON
MAGIC MUSHROOMS GROWING
MY NAKED SISTER
SEX
SICK JOKE
VIRUS GENERATOR
XBOX EMULATOR
XP UPDATE
XXX PICTURES
XXX VIDEO
YAHOO HACKER
- Or it combines words from the following lists (List 1 + List 2, or List 3 + List 4):
List 1: BUGBEAR, GIBE, KLEZ, SIRCAM, SOBIG, YAHA
List 2: CLEANER, FIXTOOL, REMOVAL TOOL, REMOVER
List 3: DOWNLOAD ACCELERATOR, GETRIGHT FTP, KAZAA, KAZAA LITE, KAZAA MEDIA DESKTOP, MIRC, WINAMP, WINDOWS MEDIA PLAYER, WINRAR, WINZIP
List 4: HACK, HACKED, INSTALLER, KEY GENERATOR, UPLOAD, WAREZ
Gibe.C creates the following entries in the Windows Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%ENTRY% = %NAME%.EXE autorun
where %ENTRY% is the random name of the entry (up to 8 random characters) and %NAME% is the random name of the file created in the Windows directory.
By creating this entry, Gibe.C ensures that it is run whenever Windows is started.
Gibe.C modifies the following entries in the Windows Registry:
- HKEY_CLASSES_ROOT\batfile\shell\open\command
(Default) = %NAME%.EXE "%1" %*
- HKEY_CLASSES_ROOT\comfile\shell\open\command
(Default) = %NAME%.EXE "%1" %*
- HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = %NAME%.EXE "%1" %*
- HKEY_CLASSES_ROOT\piffile\shell\open\command
(Default) = %NAME%.EXE "%1" %*
- HKEY_CLASSES_ROOT\scrfile\shell\config\command
(Default) = %NAME%.EXE "%1"
- HKEY_CLASSES_ROOT\scrfile\shell\open\command
(Default) = %NAME%.EXE "%1" /S
By modifying these entries, Gibe.C is run whenever a file with a BAT, COM, EXE, PIF or SCR extension is opened.
- HKEY_CLASSES_ROOT\regfile\shell\open\command
(Default) = %NAME%.EXE showerror
By modifying this entry, it prevents the Windows Registry from being restored by means of a file with a REG extension. Instead, it displays an error message.
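As an added example (not part of the original entry), a Python script that checks a .reg export of the handler keys and the Run key listed above for the rewrites just described: it compares each handler's default value with the stock Windows command and flags Run values whose data ends in "autorun". The stock values, the .reg parsing and the sample export are my own; on an affected machine the text would come from running reg export on each key.

```python
import re
# Stock default values of the handlers Gibe.C overwrites (see the entries above);
# anything else means another program runs before the file the user opened.
STOCK_HANDLERS = {
    r"HKEY_CLASSES_ROOT\batfile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\piffile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\scrfile\shell\config\command": '"%1"',
    r"HKEY_CLASSES_ROOT\scrfile\shell\open\command": '"%1" /S',
    r"HKEY_CLASSES_ROOT\regfile\shell\open\command": 'regedit.exe "%1"',
}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# One value line of a .reg export: @="data" (default value) or "name"="data".
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')
def parse_reg_export(text):
    """Return {key_path_lower: {value_name: data}}; the default value has name ''."""
    unescape = lambda s: re.sub(r"\\(.)", r"\1", s or "")  # .reg escapes \ and " with \
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[unescape(m.group(1))] = unescape(m.group(2))
    return keys
def find_hijacked_handlers(reg_text):
    """(key, default value) for every handler whose default is not the stock command."""
    keys, hits = parse_reg_export(reg_text), []
    for key, stock in STOCK_HANDLERS.items():
        data = keys.get(key.lower(), {}).get("")
        if data is not None and data.strip().lower() != stock.lower():
            hits.append((key, data))
    return hits
def find_autorun_entries(reg_text):
    """Run-key values whose data ends in ' autorun', the argument Gibe.C passes its copy."""
    run = parse_reg_export(reg_text).get(RUN_KEY.lower(), {})
    return [(n, d) for n, d in run.items() if d.strip().lower().endswith(" autorun")]
# Constructed sample export (not real data): batfile intact, exefile and regfile rewritten,
# one Run entry. RANDOMNAME.EXE and abcdefgh stand in for the worm's random names.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="RANDOMNAME.EXE \"%1\" %*"
[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="RANDOMNAME.EXE showerror"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"abcdefgh"="RANDOMNAME.EXE autorun"
'''
```

Running find_hijacked_handlers and find_autorun_entries over SAMPLE_EXPORT reports the exefile and regfile handlers and the abcdefgh Run value; the intact batfile handler is not reported.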

Means of transmission
Gibe.C spreads via e-mail, through the peer-to-peer (P2P) file sharing program KaZaA, across shared network drives and via IRC and newsgroups.
1.- Transmission via e-mail.
When Gibe.C spreads via e-mail, it uses different kinds of messages, each one with distinct characteristics:
Message type 1:
An HTML-format message that closely imitates the style of Microsoft web pages, in order to trick the user into thinking that the attached file is a security patch.
Sender:
It is fictitious and made of a combination of words from the following lists:
MS, Microsoft
Corporation, Program, Internet, Network, Security
Division, Section, Department, Center, Technical, Public, Customer
Bulletin, Services, Assistance, Support
For example: MS Technical Assistance
The address is also fictitious, and it is made of a combination of words that follow the pattern below:
Random text + @ + Word from list 1 + (. + Word from list 2) + domain
List 1: support, technet, updates, advisor, confidence, bulletin, new, newsletter
List 2: ms, msdn, msn, microsoft
domain: com or net
For example: kadjfoie@technet.msdn.com
Subject:
It is made of a combination of words from the following lists:
Current, Newest, Last, New, Latest
Net, Network, Microsoft, Internet
Security, Critical
Patch, Update, Pack, Upgrade
Message:
Variable. The following is only an example:

List 1: MS, Microsoft
List 2: User, Partner, Customer, Client
List 3: eliminates, resolves, fixes
List 4: newly discovered, new
Phrase 1: continue keeping your computer secure
Phrase 2: help
Phrase 3: protect your computer
Phrase 4: maintain the security of your computer
Phrase 5: from these vulnerabilities
Phrase 6: the most serious of which could allow an attacker/malicious user to run executable/code on your system/computer
The message is built by combining words from the above lists:
Word from List 1 + Word from List 2
This is the latest version of security update, the "%system month & year%, Cumulative Patch" update which Word from List 3 all known security vulnerabilities affecting MS Internet Explorer, MS Outlook and MS Outlook Express as well as three Word from List 4 vulnerabilities.
Install now to Combination of Phrases: 1+5, 1+5+6, 2+3, 2+3+5, 2+3+5+6, etc. This update includes the functionality of all previously released patches.
Attachments:
The attached file always has an EXE extension, and its name has the following pattern:
Word + random number, selecting one word from the list: Q, Installer, Installation, Install, Update, Upgrade, Patch, Pack.
Message type 2:
It pretends to be an error message due to a delivery failure.
Sender:
It can be one of the following names: Admin, Administrator or Postmaster; or a combination of the words: Delivery, Email, Inet, Internet, Mail, Message, Net, Network, Service, Storage, System.
The address follows the pattern:
Letter + Word from list 1 + Word from list 2 + @ + Word from list 3 + . + domain.
Letter: a letter from A to Z, not always included.
List 1: email, mail, mailer, master, post, smtp, web
List 2: automat, bot, daemon, engine, form, program, robot, routine, service
List 3: America, AOL, bigfoot, freemail, microsoft, netmail, puremail, rocketmail, yahoo
Domain: com, net
For example: apostdaemon@netmail.net
Subject:
It follows one of the following patterns:
List 1 + List 2
List 1: abort, bug, error, failure
List 2: advice, announcement, letter, message, notice, report
For example: failure report
or it could also be: List 3 + List 4 + : + List 5
List 3: returned, undelivered, undeliverable
List 4: mail, message
List 5: returned to Sender, returned to Mailer, user unknown
For example: undelivered message: user unknown
Message:
It is composed of the following phrases:
Phrase 1: I'm afraid, I'm sorry to have to inform you that, I'm sorry, I wasn't able to deliver your message
Phrase 2: the message returned below could not be delivered
Phrase 3: to the following addresses, to one or more destinations
Phrase 4: undeliverable, undelivered
Phrase 5: message, mail
Phrase 6: to %email%, where %email% is a random mail address from the domains America, AOL, bigfoot, freemail, microsoft, netmail, puremail, rocketmail, yahoo and a com or net suffix.
Phrase 7: message follows
Attachments:
It has a random name and an EXE, COM, SCR, BAT or PIF extension.
Message type 3:
Some variants alter the original messages:
- The links to Microsoft's website are replaced with links to an Italian Internet service provider (the web site accessed changes, but not the text of the link).
- The text that precedes the system requirements table is changed to Questo programma consente al vosto PC.
- Microsoft is replaced with an Italian Internet service provider and the name Renato.
Some examples of these variants follow:
Example 1:
RENATO SORU FOR PRESIDENT THE BEST GUIDE IN SARDINIA OF ULIVO
RENATO SORU THE BEST web site.
http://WWW.TISCALINET.IT/
VOTA RENATO SORU VOTA RENATO SORU DAL SUPERMARKET AD INTERNET !!!
visit the Microsoft Security Advisor web site
http://www.tiscalinet.iT/security/
Thank you for VOTE RENATO SORU PRESIDs.
Please VOTE RENATO SORU message.
It was sent from an unmonitored e-mail address and we are unable to respond to any replies.
----------------------------------------------
I NOMI DELLE VOSTRE MOGLI SONO ARCHIVIATI PRESSO LA TISCALI PER GARANTIRLE UNA VITA SERENA E NEL COMUNISMO !!!!!.
Example 2:
tiscali SEX SERVICES PORN Services and Knowledge Base articles
can be found on the Microsoft Technical Support web site.
http://support.microsoft.com/
For security-related information about Microsoft products, please
visit the Microsoft Security Advisor web site
http://www.microsoft.com/security/
Thank you for using Microsoft products.
Please do not reply to this message.
It was sent from an unmonitored e-mail address and we are unable to respond to any replies.
----------------------------------------------
The names of the actual companies and products mentioned
herein are the trademarks of their respective owners.
The computer is infected when the user opens the attached file or views the message in the Preview Pane.
Gibe.C searches for e-mail addresses in files with an EML, WAB, DBX or MDX extension, and sends itself out to all the addresses it has gathered, using its own engine.
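As an added example (not part of the original entry), a Python mail filter that turns the sender-address and subject word lists of message types 1 and 2 above into regular expressions and runs them over constructed headers. It assumes the worm joins list words in list order separated by single spaces, and that the bracketed "(. + Word from list 2)" part of the type 1 address is optional; the sample headers are modelled on the entry's own examples.

```python
import re

# Word lists copied from the entry above (message types 1 and 2).
T1_ADDR_L1 = ["support", "technet", "updates", "advisor", "confidence", "bulletin", "new", "newsletter"]
T1_ADDR_L2 = ["ms", "msdn", "msn", "microsoft"]
T1_SUBJECT = [["Current", "Newest", "Last", "New", "Latest"], ["Net", "Network", "Microsoft", "Internet"],
              ["Security", "Critical"], ["Patch", "Update", "Pack", "Upgrade"]]
T1_ATTACH = ["Q", "Installer", "Installation", "Install", "Update", "Upgrade", "Patch", "Pack"]
T2_ADDR_L1 = ["email", "mail", "mailer", "master", "post", "smtp", "web"]
T2_ADDR_L2 = ["automat", "bot", "daemon", "engine", "form", "program", "robot", "routine", "service"]
T2_ADDR_L3 = ["America", "AOL", "bigfoot", "freemail", "microsoft", "netmail", "puremail", "rocketmail", "yahoo"]
T2_SUBJECT_A = [["abort", "bug", "error", "failure"], ["advice", "announcement", "letter", "message", "notice", "report"]]
T2_SUBJECT_B = [["returned", "undelivered", "undeliverable"], ["mail", "message"],
                ["returned to Sender", "returned to Mailer", "user unknown"]]

def _alt(words):
    """Regex alternation of literal words, longest first so 'Network' is tried before 'Net'."""
    return "(?:" + "|".join(re.escape(w) for w in sorted(words, key=len, reverse=True)) + ")"

def _seq(lists, sep=r"\s+"):
    return sep.join(_alt(l) for l in lists)  # one word from each list, in list order

# Type 1: random text @ list1 [. list2] . (com|net); subject is one word from each of four lists.
SENDER_T1 = re.compile(r"^[^@\s]+@" + _alt(T1_ADDR_L1) + r"(?:\." + _alt(T1_ADDR_L2) + r")?\.(?:com|net)$", re.I)
SUBJECT_T1 = re.compile("^" + _seq(T1_SUBJECT) + "$", re.I)
ATTACH_T1 = re.compile("^" + _alt(T1_ATTACH) + r"\d+\.exe$", re.I)
# Type 2: [letter] list1 list2 @ list3 . (com|net); subject is "list1 list2" or "list3 list4: list5".
SENDER_T2 = re.compile(r"^[a-z]?" + _alt(T2_ADDR_L1) + _alt(T2_ADDR_L2) + "@" + _alt(T2_ADDR_L3) + r"\.(?:com|net)$", re.I)
SUBJECT_T2 = re.compile("^(?:" + _seq(T2_SUBJECT_A) + "|" + _seq(T2_SUBJECT_B[:2]) + r"\s*:\s*" + _alt(T2_SUBJECT_B[2]) + ")$", re.I)

def classify_message(sender_addr, subject, attachment=""):
    """Return 'type1' (fake Microsoft patch), 'type2' (fake bounce) or None.
    Address and subject must both fit, so ordinary mail from these domains is not flagged."""
    if SENDER_T1.match(sender_addr) and SUBJECT_T1.match(subject) and (not attachment or ATTACH_T1.match(attachment)):
        return "type1"
    if SENDER_T2.match(sender_addr) and SUBJECT_T2.match(subject):
        return "type2"
    return None

# Constructed sample headers (not real captures), modelled on the examples in the entry.
SAMPLES = [
    ("kadjfoie@technet.msdn.com", "Latest Internet Security Update", "Q123456.exe"),
    ("apostdaemon@netmail.net", "undelivered message: user unknown", "report.scr"),
    ("apostdaemon@netmail.net", "failure report", ""),
    ("alice@example.com", "Latest photos from the trip", "photos.zip"),
]

def classify_samples():
    return [classify_message(*s) for s in SAMPLES]  # ['type1', 'type2', 'type2', None]
```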
2.- Transmission through KaZaA.
Gibe.C follows the routine below:
- It copies itself to the shared directories of the peer-to-peer (P2P) file sharing program KaZaA.
It chooses names from a hard-coded list:
10.000 SERIALS
AOL HACKER
COOKING WITH CANNABIS
EMULATOR PS2
HALLUCINOGENIC SCREENSAVER
HARDPORN
HOTMAIL HACKER
JENNA JAMESON
MAGIC MUSHROOMS GROWING
MY NAKED SISTER
SEX
SICK JOKE
VIRUS GENERATOR
XBOX EMULATOR
XP UPDATE
XXX PICTURES
XXX VIDEO
YAHOO HACKER
or it could make word combinations (List 1 + List 2 + List 3 + List 4):
List 1: BUGBEAR, GIBE, KLEZ, SIRCAM, SOBIG, YAHA
List 2: CLEANER, FIXTOOL, REMOVAL TOOL, REMOVER
List 3: DOWNLOAD ACCELERATOR, GETRIGHT FTP, KAZAA, KAZAA LITE, KAZAA MEDIA DESKTOP, MIRC, WINAMP, WINDOWS MEDIA PLAYER, WINRAR, WINZIP
List 4: HACK, HACKED, INSTALLER, KEY GENERATOR, UPLOAD, WAREZ
Other users of these programs can access the shared directories and download these files to their computers, thinking that they are useful programs, movies, etc. What they actually download, however, is a copy of the worm.
When the downloaded file is run, their computers are infected by Gibe.C.
3.- Transmission across shared network drives.
Gibe.C follows the routine below:
- It checks if the affected computer belongs to a network.
- It attempts to access the shared network drives.
- If successful, it copies itself to the StartUp directory of the shared drives.
4.- Transmission via IRC.
Gibe.C follows the routine below:
- It only uses this method if the program mIRC is installed.
- It waits until the user joins an IRC chat channel.
- Then, it sends a copy of itself to all the users connected to the channel at that moment.
5.- Transmission via newsgroups (NNTP).
Gibe.C attempts to connect to several servers, listed in the file SWEN1.DAT, in order to spread to all the e-mail addresses contained in the file GERMS0.DBV.
Further Details
Gibe.C is written in the programming language Visual C++. This worm is 106,496 bytes in size.
The variants that have appeared are 52,224 bytes in size and are compressed with UPX.