You're in: Panda Security > Home Users > security-info > about-malware > encyclopedia > overview
Active Scan. Scan your PC free
Download Cloud Antivirus Gratis

Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Encyclopedia GetVirusCard True 0

Gibe.C

 
Threat LevelHigh threatDamageSevereDistributionNot widespread
Common name:Gibe.C
Technical name:W32/Gibe.C.worm
Threat level:Medium
Alias:W32/Swen,
Type:Worm
Effects:  It ends processes belonging to antivirus, programs and system monitoring tools, and disables the Windows Registry Editor.

Affected platforms:

Windows 2003/XP/2000/NT/ME/98/95

First detected on:Sept. 18, 2003
Detection updated on:Sept. 21, 2009
StatisticsNo
Yes, using TruPrevent Technologies

Brief Description 

    

Gibe.C is a worm that spreads via e-mail, through the peer-to-peer (P2P) file sharing program KaZaA, across shared network drives and via IRC and newsgroups.

When Gibe.C spreads via e-mail, it can reach the computer in a message with HTML format that perfectly imitates the style of Microsoft web pages, in order to trick the user into thinking that the attached file is a security patch, or it could also reach the computer in a message that simulates to be a failure in the delivery of an e-mail sent by the user.

In addition, Gibe.C attempts to exploit the iFrame and Incorrect MIME Header vulnerabilities. The attached file is automatically activated when the message is viewed through Outlook’s Preview Pane.

Gibe.C ends processes belonging to several antivirus programs, firewalls and system monitoring tools. This leaves the affected computer vulnerable to the attack of other viruses and worms.

Gibe.C disables the Windows Registry Editor. In addition, if Gibe.C does not find information in order to spread via e-mail, it displays a message that attempts to trick the user into giving confidential information, as e-mail address, mail account password, name of the mail server, etc.

Visible Symptoms 

    

Gibe.C is easy to recognize, as it can reach the computer in an e-mail message that has HTML format and perfectly imitates the style of Microsoft web pages, in order to trick the user into thinking that the attached file is a security patch:

When the attached file is run, a series of windows are displayed, which simulate the installation of the supposed patch. However, these screens actually cover up the actions that the worm is carrying out.



Note: some variations have appeared, that display the following text in the message above:
This will install Tiscali VideoChat Update

Regardless of the option that the user chooses, the worm will activate and carry out its actions. If the user pushes the Yes button, it continues with the supposed installation process:



After a while, if Gibe.C does not find any information in order to spread via e-mail, it displays the following error message on screen, which attempts to trick the user into giving confidential information: