=============================================
Win32.Gibe trojan, worm
=============================================
Win32/Gibe is a buggy mass-mailing worm that
uses Microsoft Outlook and SMTP to
propagate.
The email pretends to be an official message
from Microsoft Corp. carrying the latest
version of a security update for Internet
Explorer and MS Outlook/Express.
The attachment name is: q216309.exe
If the attachment is executed, the worm will
drop 4 files into the Windows directory
and execute them:
WinNetW.exe, BcTool.exe - mass-mailing components
GfxAcc.exe - Backdoor Trojan listening on port 12378
q216309.exe - copy of itself
A DLL is also dropped into the System Directory:
vtnmsccd.dll - copy of itself
The worm creates the file 02_N803.dat in the
Windows directory to store any email addresses
collected from the local system.
The following registry modifications are also made:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadDBackUp =
"C:\WINDOWS\BcTool.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\3Dfx Acc =
"C:\WINDOWS\GFXAcc.exe"
This will cause the backdoor trojan and the
mass-mailing component to execute upon Windows
startup.
The worm creates and uses the following key to
store some SMTP and other information:
HKLM\Software\AVTech\Settings
And leaves an ID:
HKLM\Software\AVTech\Settings\Installed = "... by Begbie"
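The artifacts listed above (Run-key values, dropped file names, the backdoor
port and the AVTech marker key) are enough for a simple host triage check.
The following Python script is an added example and is not part of the
original write-up; it matches a snapshot of a host's Run-key values,
directory listings, listening ports and the marker key against those
indicators. The snapshot layout (a dict with "registry", "windows_dir",
"system_dir" and "listening" entries) is an assumption of this example, and
the two sample snapshots are constructed data, not real forensic output.

```python
"""
Host-triage check for the Win32/Gibe artifacts described in the write-up.
Added example, not code from the original advisory. The snapshot format is
an assumption: on a real host the same structures would be filled from the
HKLM Run key, the Windows and System directory listings and netstat.
"""
import ntpath

# Indicators taken from the write-up (compared case-insensitively).
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUES = {"LoadDBackUp": "bctool.exe", "3Dfx Acc": "gfxacc.exe"}
WINDOWS_DROPS = {"winnetw.exe", "bctool.exe", "gfxacc.exe",
                 "q216309.exe", "02_n803.dat"}
SYSTEM_DROPS = {"vtnmsccd.dll"}
MARKER_KEY = r"HKLM\Software\AVTech\Settings"
BACKDOOR_PORT = 12378


def check_run_values(run_values):
    """run_values: {value_name: data} for the HKLM Run key.
    Flags an entry if either the value name or the executable basename
    matches, so a variant that changed the path still shows up."""
    findings = []
    for name, data in run_values.items():
        exe = ntpath.basename(data).lower()
        if name in RUN_VALUES or exe in RUN_VALUES.values():
            findings.append(f"persistence: {RUN_KEY}\\{name} = {data}")
    return findings


def check_files(windows_files, system_files):
    """Returns the dropped-file names present in the two directory listings."""
    found = sorted(f for f in windows_files if f.lower() in WINDOWS_DROPS)
    found += sorted(f for f in system_files if f.lower() in SYSTEM_DROPS)
    return found


def check_ports(listening_ports):
    """Returns the backdoor port if something is listening on it."""
    return [p for p in listening_ports if p == BACKDOOR_PORT]


def check_marker(registry):
    """registry: {key_path: {value_name: data}}; looks for the Installed ID."""
    settings = registry.get(MARKER_KEY, {})
    if "Installed" in settings:
        return [f"marker: {MARKER_KEY}\\Installed = {settings['Installed']!r}"]
    return []


def triage(snapshot):
    """Runs every check; an empty list means no Gibe indicator was found."""
    reg = snapshot["registry"]
    findings = check_run_values(reg.get(RUN_KEY, {}))
    findings += [f"dropped file: {f}"
                 for f in check_files(snapshot["windows_dir"], snapshot["system_dir"])]
    findings += [f"listener on backdoor port {p}"
                 for p in check_ports(snapshot["listening"])]
    findings += check_marker(reg)
    return findings


# Constructed sample snapshots (not real forensic data).
SAMPLE_INFECTED = {
    "registry": {
        RUN_KEY: {"LoadDBackUp": r"C:\WINDOWS\BcTool.exe",
                  "3Dfx Acc": r"C:\WINDOWS\GFXAcc.exe",
                  "SomeLegitApp": r"C:\Program Files\App\app.exe"},
        MARKER_KEY: {"Installed": "... by Begbie"},
    },
    "windows_dir": ["explorer.exe", "WinNetW.exe", "BcTool.exe",
                    "GFXAcc.exe", "q216309.exe", "02_N803.dat"],
    "system_dir": ["kernel32.dll", "vtnmsccd.dll"],
    "listening": [135, 445, 12378],
}

SAMPLE_CLEAN = {
    "registry": {RUN_KEY: {"SomeLegitApp": r"C:\Program Files\App\app.exe"}},
    "windows_dir": ["explorer.exe"],
    "system_dir": ["kernel32.dll"],
    "listening": [135, 445],
}

if __name__ == "__main__":
    for label, snap in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        hits = triage(snap)
        print(f"{label}: {len(hits)} finding(s)")
        for hit in hits:
            print("  ", hit)
```

Matching on the executable basename as well as the Run value name means the
check still fires if only one of the two is altered; the marker key is the
cheapest single indicator, since nothing legitimate creates HKLM\Software\AVTech.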
=============================================