The W32/Gibe@MM Virus Masquerades as Email From Microsoft
by Bruce P. Burrell (bpb@umich.edu)
for the U-M Virus Busters (virus.busters@umich.edu)
Last significant update: 14 March, 2002
This information can be freely reproduced in any medium, as long as the
information is unmodified.
The W32/Gibe@MM virus attempts to spread by fooling its recipient into
thinking that it is email from Microsoft. It purports to contain a
"security update patch" in a file named q216309.exe. Of course, if the
reader is careless enough to open the attachment, the virus will attempt
to infect the computer, and then send itself out to others from the new
victim's computer.
- This virus infects only Windows platforms; Macintosh and other operating
systems are not vulnerable. Users of other operating systems may see plenty
of email from this virus, of course, but it cannot infect those computers.
- The virus has been recognized by U-M's site-licensed antivirus
product for Windows platforms, VirusScan, since the release of its 4189
drivers. These drivers have been available here since 06 March, 2002, before
W32/Gibe became prevalent. Those who are using our U-M configuration of
VirusScan should have been protected automatically, within an hour or two
of the drivers going on-line here.
- Many of the attachments sent out by the virus are sterile; this reduces
the threat at U-M even more. The 4190 drivers, released 13 March, 2002,
recognize some of these corrupted variants, and identify them as
W32/Gibe.dam. Future drivers will surely recognize more of these
corrupted, sterile variants.
- Microsoft never sends out attachments. They do point to their web site
for patches, though; I recommend checking their web site by browsing
directly, typing in the link manually: otherwise, a virus or other
malicious email might try to "spoof" the URL.
- Just a note: Those who have been reading our pages for years and
following our advice, "Never open unsolicited attachments, not even when
they appear to be from someone you know and trust," will, of
course, not have been at risk.
If you have reason to think that you may have been infected by W32/Gibe@MM
and you are a U-M member, contact us for assistance. If you may be
infected but are not a U-M member, contact your internal support, or
contact your antivirus vendor for assistance.
Here is the beginning of the text sent by the virus:
From: "Microsoft Corporation Security Center" <rdquest12@microsoft.com>
To: "Microsoft Customer" <'customer@yourdomain.com'>
Subject: Internet Security Update
Reply-To: <rdquest12@microsoft.com>
Date: [whatever -BPB]
Microsoft Customer,
this is the latest version of security update, the
known security vulnerabilities affecting Internet Explorer and
MS Outlook/Express as well as six new vulnerabilities, and is
discussed in Microsoft Security Bulletin MS02-005. Install now to
protect your computer from these vulnerabilities, the most serious
of which could allow an attacker to run code on your computer.
etc.
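A mail-filter check for the traits described on this page, given as an added example rather than code from U-M Virus Busters or any antivirus product: it flags the attachment name q216309.exe and any executable attachment on mail whose From address claims microsoft.com. The extension list, the function names and the constructed sample messages are assumptions of the example.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

GIBE_ATTACHMENT = "q216309.exe"  # attachment name given on this page
# Extensions treated as executable: an assumption of this example.
EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".pif", ".bat")

def check_message(raw_bytes):
    """Return the reasons a raw message matches the traits described above."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    # The From header is trivially forged; this only tests what it claims.
    _, addr = parseaddr(str(msg.get("From", "")))
    claims_microsoft = addr.lower().endswith("@microsoft.com")
    reasons = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == GIBE_ATTACHMENT:
            reasons.append("attachment is named " + GIBE_ATTACHMENT)
        if claims_microsoft and name.endswith(EXECUTABLE_EXTS):
            reasons.append("executable attachment on mail claiming to be from Microsoft")
    return reasons

def build_sample(sender, filename):
    """Build a constructed test message; the payload is inert placeholder bytes."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "customer@example.com"  # constructed recipient
    m["Subject"] = "Internet Security Update"
    m.set_content("Microsoft Customer, ...")
    m.add_attachment(b"constructed placeholder, not malware",
                     maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    spoofed = build_sample(
        '"Microsoft Corporation Security Center" <rdquest12@microsoft.com>',
        "q216309.exe")
    for reason in check_message(spoofed):
        print("FLAG:", reason)
    print(check_message(build_sample("friend@example.org", "notes.txt")))
```

The second rule follows from the point that Microsoft never sends out attachments, so it also catches a renamed attachment on mail with the same claimed sender.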
We have seen several cases where this message was not spread
by the virus; instead, it was sent by well-meaning but misguided
individuals, trying to be Good Samaritans. Please do not
forward this -- or any other virus warning or hoax -- to all your friends.
Instead, you should
- Delete the email or
- Contact the victim or
- Contact the person who forwarded it, if it wasn't sent by the virus or
- Send it to us, as a last resort.
If you do that, be certain to include full
email headers; otherwise you're wasting your time, and ours.
For info on how to send full headers, see e.g., SpamCop's Email
Header FAQ (leaving our site). Be sure to
include the email body and any attachments, too: we need the whole package
so that we can handle things properly.
For this particular case, I suggest that you provide a pointer to this URL
(http://www.umich.edu/~virus-busters/gibe.html)
For virus or hoax info, please see our main page
(http://www.umich.edu/~virus-busters/) or go to another reputable site,
like The Urban Legends Reference Pages (leaving our site).
-BPB
Last updated: Monday, 18-Mar-2002 11:54:16 EST.
University of Michigan Virus Busters - virus.busters@umich.edu