This is a special alert from The Funny/Alerts Newsletter.

===
CYBERSPACE ALERT:

Name: Worm/Gibe
Alias: Win32.Gibe@mm
Type: Internet Worm
Discovered: 03-04-2002
Size: ~122.9KB

Description:
Worm/Gibe is an Internet worm that attempts to spread through e-mail by using addresses it collects in the Microsoft Outlook Address Book. It disguises itself as a legitimate Microsoft Security Update. The worm would arrive through e-mail in the following format:

Subject: I thought you find this useful - Microsoft Security Update

Body: Microsoft Customer,

This is the latest version of security update...

Attachment: q216309.exe

However, in the background it copies the following files in the \windows\ directory under the filenames "BCTOOL.EXE" (worm part), "Q216309.EXE", "02_N803.DAT" (stores the retrieved email addresses), "GFXACC.EXE" (dropped trojan), and "WINNETW.EXE" (retrieves email addresses). So that it gets run each time a user restart their computer the following registry key gets added:

Worm Part:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run 
LoadDBackUp=C:\Windows\BcTool.exe

Trojan Part:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run 
3Dfx Acc=C:\Windows\GFXacc.exe 

After the fake MS Security Update is applied a user will see the following screen:

Like other trojans, the dropped backdoor (GFXACC.EXE) would potentially allow someone with malicious intent backdoor access to your computer. Additionally, in order to gather the needed information for replication the following registry directory is created with the dropped registry keys:

Directory:
HKEY_LOCAL_MACHINE\Software\AVTech 

Keys:
HKEY_LOCAL_MACHINE\Software\AVTech\Settings 
Installed= ...by Begbie
Default=(default information)

===
What our lawyers make us say:

THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.

Disclaimer of warranties and limitation of liability This information is provided on an "AS IS" and "AS AVAILABLE" basis. We make no representations or warranties of any kind, express or implied, as to the information, content, materials, or products included, or mentioned within this information bulletin. You expressly agree that your use of this information is at your sole risk. The user assumes the entire risk as to the accuracy and the use of this document.

To the full extent permissible by applicable law, we disclaim all warranties, express or implied, including, but not limited to, implied warranties of merchantability and fitness for a particular purpose and freedom from infringement. We do not warrant that this information is accurate. We also will not be liable for any damages of any kind arising from the use of this information, including, but not limited to direct, indirect, incidental, punitive, and consequential damages.

Certain state laws do not allow limitations on implied warranties or the exclusion or limitation of certain damages. If these laws apply to you, some or all of the above disclaimers, exclusions, or limitations may not apply to you, and you might have additional rights.

[Copyrights and Trademarks] FunnyAlert, The Peer Group and The Peer Group, Unlimited are trademarks of The Peer Group, Unltd. All other trademarks, trade name and product names are property of their respective owners. Copyright 1999, 2000, 2001, 2002 The Peer Group, Unltd. All rights reserved. 

.