Email worm pretends to be an MS security update

Another email worm is in circulation. It spreads by mailing itself to the addresses found in the Microsoft Outlook address book. It is known as Worm/Gibe and poses as an official Microsoft security update.

The subject line of the worm's email is 'Microsoft Security Update'. The message body reads:

Microsoft Customer,

This is the latest version of security update ...

Attachment: q216309.exe

Anyone who runs the supposed update installs the worm on the system (Microsoft does not distribute security updates as email attachments; an unsolicited mail of this kind is never genuine). The worm copies the following files into the Windows or Winnt directory: BCTOOL.EXE, Q216309.EXE, 02_N803.DAT, GFXACC.EXE. It also adds the following registry entries, which cause the worm and the accompanying trojan to be loaded at system start:

  • Worm: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\LoadDBackUp = C:\Windows\BcTool.exe
  • Trojan: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\3Dfx Acc = C:\Windows\GFXacc.exe

The drive and directory in these paths naturally vary with the Windows installation directory (C:\Windows or C:\Winnt, for example).

After the supposed security update has run, the unsuspecting user is shown an installation message.

Like other trojans, the dropped backdoor (GFXACC.EXE) can give an attacker remote access to the computer. In addition, to store the information it needs for replication, the worm creates the following registry key and values:

Key: HKEY_LOCAL_MACHINE\Software\AVTech

Values: HKEY_LOCAL_MACHINE\Software\AVTech\Settings: Installed = "... by Begbie", Default = (default information)

Which information the trojan harvests from the infected computer, and to whom it transmits it, is currently unknown.
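The Run entries, dropped files and the AVTech key listed above are the only indicators the article gives, so a quick host check can be built from them. The following PowerShell script is an added example, not code from the original article or from any anti-virus vendor. It assumes the value names, file names and key paths exactly as printed above, resolves the Windows directory from $env:SystemRoot, and matches the Run values on the executable name only, because the drive and directory vary between installations. No file hashes are published for this worm, so a hit is a lead to investigate, not proof of infection.

```powershell
# Added example: triage check for the Worm/Gibe indicators named in the article.
# Run from an elevated PowerShell prompt on the host under examination.
# Assumption: indicator names and paths are exactly as the article prints them.

$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Autostart values attributed to the worm (LoadDBackUp) and its backdoor (3Dfx Acc).
# Only the executable name is matched; the directory differs per installation.
$runIndicators = @{
    'LoadDBackUp' = 'BcTool.exe'
    '3Dfx Acc'    = 'GFXacc.exe'
}

# Files the worm drops into the Windows (or Winnt) directory.
$fileIndicators = @('BCTOOL.EXE', 'Q216309.EXE', '02_N803.DAT', 'GFXACC.EXE')

# Key the worm creates to store its own state.
$avKey = 'HKLM:\SOFTWARE\AVTech\Settings'

$hits = @()

# 1. Registry Run entries: check value name and executable name together.
if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($name in $runIndicators.Keys) {
        $prop = $run.PSObject.Properties[$name]
        if ($prop -and ($prop.Value -match [regex]::Escape($runIndicators[$name]))) {
            $hits += "Run value '$name' = $($prop.Value)"
        }
    }
}

# 2. Dropped files in the Windows directory, with size and SHA-256 for later comparison.
foreach ($f in $fileIndicators) {
    $p = Join-Path $env:SystemRoot $f
    if (Test-Path -LiteralPath $p) {
        $size = (Get-Item -LiteralPath $p).Length
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $hits += "File $p ($size bytes, SHA256 $hash)"
    }
}

# 3. The worm's own settings key.
if (Test-Path $avKey) {
    $installed = (Get-ItemProperty -Path $avKey).Installed
    $hits += "Key $avKey present (Installed = '$installed')"
}

if ($hits.Count -eq 0) {
    'No Worm/Gibe indicators found.'
} else {
    'Possible Worm/Gibe infection; indicators found:'
    $hits | ForEach-Object { "  $_" }
}
```

Because the script reports the hash of any matching file, a positive result from several machines can be compared to tell a genuine infection from an unrelated file that happens to share a name. The registry check deliberately reads the Run key through Get-ItemProperty rather than scanning a .reg export, so it sees the live values the worm would actually use at the next start.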