RootsWeb.com Mailing Lists
Subject: [ZILESCH] Virus Alert from List Admin (Update your AV software Now) (March 11-2002)
From: John A Hansen
Dear All:

Here is the latest alert issued today. It's a Level Three Alert. Note that this worm looks like it's coming from Microsoft with instructions to install. One of the Security houses also found that a version of this could be executed without activating the attachment. So download your AV patches ASAP. If the virus can activate without execution of the attachment then the thought that you are protected by not executing attachments is false. Note that these viruses are not being transmitted through Rootsweb but are coming from people that you know and have your address in their email program.

Best Regards
John A Hansen
List Admin

W32.Gibe@mm
Discovered on: March 4, 2002
Last Updated on: March 11, 2002 at 07:17:27 AM PST

Due to an increased rate of submissions, Symantec Security Response has upgraded the threat rating of W32.Gibe@mm from Category 2 to Category 3 as of March 11, 2002.

W32.Gibe@mm is a worm that uses Microsoft Outlook and its own SMTP engine to spread. This worm arrives in an email message--which is disguised as a Microsoft Internet Security Update--as the attachment Q216309.exe.

Also Known As: W32/Gibe@mm, WORM_GIBE.A, W32/Gibe-A
Type: Trojan Horse, Worm
Infection Length: 122,880 bytes
Virus Definitions (Intelligent Updater): March 5, 2002
Virus Definitions (LiveUpdate(TM)): March 6, 2002

Threat Assessment:
Damage:
Payload:
Large scale e-mailing: Sends to addresses found in the Microsoft Outlook Address book and by searching .htm, .html, .asp, and .php files.
Compromises security settings: Installs a Backdoor Trojan which allows remote access to the infected system.

Distribution:
Subject of email: Internet Security Update
Name of attachment: Q216309.exe
Size of attachment: 122,880 bytes
Ports: 12378

Technical description:

The fake message, which is not from Microsoft, has the following characteristics:

From: Microsoft Corporation Security Center
Subject: Internet Security Update
Message:
Microsoft Customer, this is the latest version of security update, the update which eliminates all known security vulnerabilities affecting Internet Explorer and MS Outlook/Express as well as six new vulnerabilities . . .
How to install
Run attached file q216309.exe
How to use
You don't need to do anything after installing this item.
. . .
Attachment: Q216309.exe

The attached file, Q216309.exe, is written in Visual Basic; it contains other worm components inside itself. When the attached file is executed, it does the following:

It creates the following files:
\Windows\Q216309.exe (122,880 bytes). This is the whole package containing the worm.
\Windows\Vtnmsccd.dll (122,880 bytes). This file is the same as Q216309.exe.
\Windows\BcTool.exe (32,768 bytes). This is the worm component that spreads using Microsoft Outlook and SMTP.
\Windows\GfxAcc.exe (20,480 bytes). This is the Backdoor Trojan component of the worm that opens port 12378.
\Windows\02_N803.dat (size varies). This is the data file that the worm creates to store email addresses that it finds.
\Windows\WinNetw.exe (20,480 bytes). This is the component that searches for email addresses and writes them to 02_N803.dat.

NOTE: Norton AntiVirus detects all of these files as W32.Gibe@mm except the 02_N803.dat file, which contains only data.

Finally, BcTool.exe attempts to send the \Windows\Q216309.exe file to email addresses in the Microsoft Outlook address book, and to addresses that it found in .htm, .html, .asp, and .php files and wrote to the 02_N803.dat file.

    03/11/2002 10:51:44
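As an added example (not code from the list post or from Symantec), a small Python check that applies the indicators the forwarded advisory lists: on the mail side the lure's From/Subject headers and the 122,880-byte Q216309.exe attachment, on the host side the dropped files with their stated sizes and the backdoor port 12378. The sample message is constructed, the sender address is a placeholder, and the dictionary/set input format and the function names are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators exactly as stated in the advisory above.
LURE_SUBJECT = "internet security update"
LURE_ATTACHMENT = "q216309.exe"          # advisory shows both Q216309.exe and q216309.exe
LURE_ATTACHMENT_SIZE = 122_880
DROPPED_FILES = {                        # lower-cased name -> size; None where "size varies"
    "q216309.exe": 122_880, "vtnmsccd.dll": 122_880, "bctool.exe": 32_768,
    "gfxacc.exe": 20_480, "02_n803.dat": None, "winnetw.exe": 20_480,
}
BACKDOOR_PORT = 12378


def lure_reasons(raw: bytes) -> list[str]:
    """Return which lure characteristics a raw RFC 822 message shows (empty list = none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    if str(msg["subject"] or "").strip().lower() == LURE_SUBJECT:
        reasons.append("subject")
    if "microsoft" in str(msg["from"] or "").lower():
        reasons.append("from")           # display name is spoofed; the mail is not from Microsoft
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == LURE_ATTACHMENT:
            size = len(part.get_payload(decode=True) or b"")
            reasons.append("attachment" if size == LURE_ATTACHMENT_SIZE else "attachment-name")
    return reasons


def host_indicators(windows_dir: dict[str, int], listening_ports: set[int]) -> list[str]:
    """windows_dir maps file name -> size in bytes for the Windows directory (assumed format)."""
    hits = [name for name, size in windows_dir.items()
            if name.lower() in DROPPED_FILES
            and DROPPED_FILES[name.lower()] in (None, size)]
    if BACKDOOR_PORT in listening_ports:
        hits.append(f"port {BACKDOOR_PORT}")
    return hits


def build_sample_lure() -> bytes:
    """Constructed reproduction of the lure's headers with an inert zero-filled attachment."""
    m = EmailMessage()
    m["From"] = "Microsoft Corporation Security Center <constructed@example.invalid>"
    m["To"] = "member@example.invalid"
    m["Subject"] = "Internet Security Update"
    m.set_content("Microsoft Customer, this is the latest version of security update . . .")
    m.add_attachment(bytes(LURE_ATTACHMENT_SIZE), maintype="application",
                     subtype="octet-stream", filename="Q216309.exe")
    return m.as_bytes()
```

Calling lure_reasons(build_sample_lure()) returns all three reasons for the constructed lure; a mail that only carries a spoofed Microsoft display name yields just "from", which on its own is a weak signal.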