Virus name: Gibe   (also known as W32/Gibe@mm, WORM_GIBE.A, and W32/Gibe-A).
Example:[Collected on the Internet, 2002]
From: Microsoft Corporation Security Center
To: Microsoft Customer <'email@example.com'>
Subject: Internet Security Update
this is the latest version of security update, the "4 Mar 2002 Cumulative Patch" update which eliminates allknown security vulnerabilities affecting Internet Explorer andMS Outlook/Express as well as six new vulnerabilities, and isdiscussed in Microsoft Security Bulletin MS02-005. Install now toprotect your computer from these vulnerabilities, the most serious of whichcould allow an
attacker to run code on your computer.
Description of several well-know vulnerabilities:
- "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability.
If a malicious user sends an affected HTML e-mail or hosts an affectede-mail on a Web site, and a user opens the e-mail or visits the Web site,Internet Explorer automatically runs the executable on the user's computer.
- A vulnerability that could allow an unauthorized user to learn the location of cached content on your computer. This could enable the unauthorized user to launch compiled HTML Help (.chm) files that contain shortcuts to executables, thereby enabling the unauthorized user to run the executables on your computer.
- A new variant of the "Frame Domain Verification" vulnerability could enable amalicious Web site operator to open two browser windows, one in the Web site'sdomain and the other on your local file system, and to pass information fromyour computer to the Web site.
- CLSID extension vulnerability. Attachments which end with a CLSID file extensiondo not show the actual full extension of the file when saved and viewed withWindows Explorer. This allows dangerous file types to look as though they are simple,harmless files - such as JPG or WAV files - that do not need to be blocked.
Versions of Windows no earlier than Windows 95.
This update applies to:
Versions of Internet Explorer no earlier than 4.01
Versions of MS Outlook no earlier than 8.00
Versions of MS Outlook Express no earlier than 4.01
How to install
Run attached file q216309.exe
How to use
You don't need to do anything after installing this item.
For more information about these issues, read Microsoft Security Bulletin MS02-005, or visit link below.
If you have some questions about this article contact us at firstname.lastname@example.org
Thank you for using Microsoft products.
With friendly greetings,
MS Internet Security Center.
Microsoft is registered trademark of Microsoft Corporation.
Windows and Outlook are trademarks of Microsoft Corporation.
how used we are to seeing real security warnings about Microsoft Internet Explorer and Microsoft Outlook, it was only a matter of time before someone disguised a virus as one.
The message quoted above is not a real Microsoft security warning. The q216309.exe file attached to it is a worm which will, when executed, send mail to addresses found in Microsoft Outlook's address book (and addresses found in any locally stored .htm, .html, .asp, and .asp files) as well as installing a trojan horse which allows remote access to the infected system. (McAfee reports that "the worm was buggy, and did not successfully use Outlook to spread," however.)
See the links below for more information on how to detect and remove Gibe.
W32.Gibe@mm (Symantec Security Response)
W32/Gibe@MM (McAfee Virus Information Library)
Bogus Microsoft Security Update E-Mail Is Actually a Virus (Associated Press)
David Mikkelson founded snopes.com in 1994, and under his guidance the company has pioneered a number of revolutionary technologies, including the iPhone, the light bulb, beer pong, and a vaccine for a disease that has not yet been discovered. He is currently seeking political asylum in the Duchy of Grand Fenwick.
Thank you for writing to us! Although we receive hundreds of e-mails every day, we really and truly read them all, and your comments, suggestions, and questions are most welcome. Unfortunately, we can manage to answer only a small fraction of our incoming mail.
Our site covers many of the items currently being plopped into inboxes everywhere, so if you were writing to ask us about something you just received, our search engine can probably help you find the very article you want.
Choose a few key words from the item you're looking for and click here to go to the search engine.
(Searching on whole phrases will often fail to produce matches because the text of many items is quite variable, so picking out one or two key words is the best strategy.)
We do reserve the right to use non-confidential material sent to us via this form on our site, but only after it has been stripped of any information that might identify the sender or any other individuals not party to this communication.