I received a Gibe.B -zipped

Gabriele Neukam

Hi all,

again I am sent something I cannot identify. It might be a genuine
Gibe.B, as my AntiVir and Kaspersky's online scanner do suggest, but
this time the attachment was

"update.zip"

I had to unpack the archive in order to scan it. Did the Gibe.B coder
copy the successful method by which Sobig.E does go below the
AntiVirusScanner radar, or was this done on purpose? The latter doesn't
seem to be too probable, as the collection of addresses that I found in
the header doesn't look like a human being picked them, including
several addresses which look quite invalid.

Confused,


Gabriele Neukam

(e-mail address removed)
 
FromTheRafters

Gabriele Neukam said:
Hi all,

again I am sent something I cannot identify. It might be a genuine
Gibe.B, as my AntiVir and Kaspersky's online scanner do suggest, but
this time the attachment was

"update.zip"

I had to unpack the archive in order to scan it. Did the Gibe.B coder
copy the successful method by which Sobig.E does go below the
AntiVirusScanner radar, or was this done on purpose? The latter doesn't
seem to be too probable, as the collection of addresses that I found in
the header doesn't look like a human being picked them, including
several addresses which look quite invalid.

According to the Symantec write-up, it is one
of the normal extensions used by Gibe.b and c.

=====

W32.Gibe.B@mm is a variant of W32.Gibe@mm. This mass-mailing
worm uses Microsoft Outlook and its own SMTP engine to send itself
to all the contacts in the Microsoft Outlook Address Book and the
Windows Address Book. The email is disguised as a Microsoft Security
Update and it arrives with an attachment that has a .exe or .zip file extension.

=====
 
John Coutts

According to the Symantec write-up, it is one
of the normal extensions used by Gibe.b and c.

=====

W32.Gibe.B@mm is a variant of W32.Gibe@mm. This mass-mailing
worm uses Microsoft Outlook and its own SMTP engine to send itself
to all the contacts in the Microsoft Outlook Address Book and the
Windows Address Book. The email is disguised as a Microsoft Security
Update and it arrives with an attachment that has a .exe or .zip file extension.
**************** REPLY SEPARATOR ****************
A virus can use any extension it wants to (including multiples), but I have
never seen a virus yet that can generate a real ZIP file of itself before
sending it out. Just another indicator that these are deliberate attempts to
seed the virus. All the files I have are identical, including the unzipped one.

In an attempt to find out where the sending computer was getting the mail lists
from, I sent explanatory emails to about 60 names on one of the lists. As I
suspected, only 16 were undeliverable, and those 16 were typical of names used
by some News Group users to prevent being added to Spam lists (don't worry,
they are not real). These mailing lists do not look like they came from an
address book which tend to be somewhat organized.

 
Bart Bailey

In Message-ID:<[email protected]> posted on Thu, 24 Jul
But from some of the write-ups I have read, .zip *is* one of the
worm generated extensions, and in the case of Gibe.c *might* even
be a compressed file.

Open in your favorite text viewer or notepad and see if the first two
characters are "PK"

Bart
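
The "PK" check suggested above, carried one step further so that the archive is also parsed and its members listed without extracting them. This is an added example, not part of the original thread; the function names, the extension list and the sample bytes are constructed for illustration.

```python
import io
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # signature of a ZIP local file header
ZIP_EMPTY_ARCHIVE = b"PK\x05\x06"  # an empty ZIP holds only the end record
PE_MAGIC = b"MZ"                   # DOS/Windows executable header
# Illustrative list of extensions worth flagging inside an archive.
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat")


def classify_attachment(data: bytes) -> dict:
    """Classify attachment bytes by content, ignoring the file name."""
    result = {"kind": "unknown", "members": [], "risky_members": []}
    if data[:2] == PE_MAGIC:
        # An executable that was merely renamed to .zip starts with "MZ".
        result["kind"] = "executable"
        return result
    if data[:4] in (ZIP_LOCAL_HEADER, ZIP_EMPTY_ARCHIVE):
        try:
            # Read the central directory only; nothing is extracted or run.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            # Starts with "PK" but has no usable central directory.
            result["kind"] = "damaged-zip"
            return result
        result["kind"] = "zip"
        result["members"] = names
        result["risky_members"] = [
            n for n in names if n.lower().endswith(RISKY_EXT)
        ]
    return result


def build_samples() -> dict:
    """Constructed, harmless sample inputs (no real malware bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("update.exe", b"MZ" + b"\x00" * 62)
    real_zip = buf.getvalue()
    return {
        "real_zip": real_zip,                  # genuine archive with an .exe
        "renamed_exe": b"MZ" + b"\x00" * 62,   # executable named update.zip
        "truncated": real_zip[:30],            # "PK" prefix, rest missing
    }


if __name__ == "__main__":
    for label, blob in build_samples().items():
        print(label, classify_attachment(blob))
```
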
 
