
BCTOOL
PROCESS INFORMATION
Process Name : BcTool.exe
Process Path : %WINDOWS%\BcTool.exe [ C:\Windows\BcTool.exe ]
Process type : Internet Worm
Malware Name : W32.Gibe.A@mm
Alias : I-Worm.Gibe.A, W32/Gibe-A, WORM_GIBE.A
Threat level : LOW
Process details :
BcTool.exe is dropped by the Gibe worm, an Internet worm that uses Microsoft Outlook and its own SMTP engine to spread. The worm is 122880 bytes long and the e-mail attachment name will be "Q216309.exe". The Gibe worm sends fake e-mails that pose as a security update coming from Microsoft.
Subject line: Internet Security Update
Attached file: q216309.exe
Message Body:
Microsoft Customer,
this is the latest version of security
update, the update which eliminates all known
security vulnerabilities affecting Internet
Explorer and MS Outlook/Express as well as six
new vulnerabilities, and is discussed in
Microsoft Security Bulletin MS02-005. Install now
to protect your computer from these
vulnerabilities, the most serious of which could
allow an attacker to run code on your computer.
Description of several well-know
vulnerabilities:
- "Incorrect MIME Header Can Cause IE
to Execute E-mail Attachment" vulnerability.
If a malicious user sends an affected HTML e-mail
or hosts an affected e-mail on a Web site, and a
user opens the e-mail or visits the Web site,
Internet Explorer automatically runs the
executable on the user's computer.
- A vulnerability that could allow an
unauthorized user to learn the location of cached
content on your computer. This could enable the
unauthorized user to launch compiled HTML Help (.chm)
files that contain shortcuts to executables,
thereby enabling the unauthorized user to run the
executables on your computer.
- A new variant of the "Frame Domain
Verification" vulnerability could enable a
malicious Web site operator to open two browser
windows, one in the Web site's domain and the
other on your local file system, and to pass
information from your computer to the Web site.
- CLSID extension vulnerability.
Attachments which end with a CLSID file extension
do not show the actual full extension of the file
when saved and viewed with Windows Explorer. This
allows dangerous file types to look as though
they are simple, harmless files - such as JPG or
WAV files - that do not need to be blocked.
System requirements:
Versions of Windows no earlier than Windows 95.
This update applies to:
Versions of Internet Explorer no earlier than 4.01
Versions of MS Outlook no earlier than 8.00
Versions of MS Outlook Express no earlier than 4.01
How to install
Run attached file q216309.exe
How to use
You don't need to do anything after installing
this item.
For more information about these issues,
read Microsoft Security Bulletin MS02-005, or
visit link below.
http://www.microsoft.com/windows/ie/
downloads/critical/default.asp
If you have some questions about this article
contact us at rdquest12@microsoft.com
Thank you for using Microsoft products.
With friendly greetings,
MS Internet Security Center.
----------------------------------------
----------------------------------------
Microsoft is registered trademark of Microsoft
Corporation.
Windows and Outlook are trademarks of Microsoft
Corporation.
When executed, the worm displays a message box asking the user to confirm installation. If the user clicks "Yes", the worm displays a second message box. If the user selects "No", the worm does not display any further message box, but it still installs itself in the background. If the user tries to install it a second time, the worm displays another message box.
The Gibe worm drops several components on the system. It drops Q216309.exe, BcTool.exe, WinNetw.exe, GfxAcc.exe and 02_N803.dat in the Windows directory and Vtnmsccd.dll in the Windows System directory.
The worm also creates the following registry keys and values:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"3DfxAcc" = "\%WinDir%\GfxAcc.exe"
"LoadDBackUp" = "\%WinDir%\BcTool.exe"
[HKEY_LOCAL_MACHINE\Software\AVTech\Settings]
"Installed" = "... by Begbie"
Finally, the Gibe worm e-mails the infected messages to the addresses stored in 02_N803.dat. The Gibe worm is also known as W32.Gibe.A@mm, W32/Gibe-A and WORM_GIBE.A.
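The indicators listed above (the fake e-mail's subject and attachment, the dropped file names, the Run values and the AVTech marker key) are enough to write a simple host and mail check. The following is an added example, not code from this page or from the Solo antivirus product it describes; the indicator values are taken from the description, while SAMPLE_FILES, SAMPLE_RUN_VALUES, SAMPLE_KEYS and SAMPLE_MAILS are constructed test data standing in for a real directory listing, registry export and mailbox.

```python
"""Host and mail checks for the W32.Gibe.A@mm indicators described above.

Added example (not the page's or Solo's code). Indicator values come from the
description; the SAMPLE_* structures below are constructed test data.
"""

# File names the worm drops: the description places the first five in the
# Windows directory and Vtnmsccd.dll in the Windows System directory.
DROPPED_FILES = {"q216309.exe", "bctool.exe", "winnetw.exe", "gfxacc.exe",
                 "02_n803.dat", "vtnmsccd.dll"}
# Run-key values the worm adds: value name -> executable the data must name.
RUN_VALUES = {"3dfxacc": "gfxacc.exe", "loaddbackup": "bctool.exe"}
# Marker key the worm writes, and the value name / data suffix under it.
MARKER_KEY = r"hkey_local_machine\software\avtech\settings"
MARKER_VALUE_NAME, MARKER_DATA_SUFFIX = "installed", "by begbie"
# Mail indicators: subject, attachment name and the worm's size in bytes.
MAIL_SUBJECT = "internet security update"
MAIL_ATTACHMENT = "q216309.exe"
ATTACHMENT_SIZE = 122880


def _basename(path):
    """Lower-cased final component of a Windows path (handles / and \\)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan_host(files, run_values, keys):
    """Return a list of finding strings for one host.

    files      : iterable of full paths (e.g. a listing of %WinDir% and System)
    run_values : {value name: data} read from HKLM\\...\\CurrentVersion\\Run
    keys       : {key path: {value name: data}} for other keys of interest
    """
    findings = []
    for path in files:
        if _basename(path) in DROPPED_FILES:
            findings.append(f"dropped file present: {path}")
    for name, data in run_values.items():
        expected_exe = RUN_VALUES.get(name.lower())
        if expected_exe and _basename(data) == expected_exe:
            findings.append(f"Run value {name} -> {data}")
    for key_path, values in keys.items():
        if key_path.lower() != MARKER_KEY:
            continue
        for vname, data in values.items():
            if vname.lower() == MARKER_VALUE_NAME and data.lower().endswith(MARKER_DATA_SUFFIX):
                findings.append(f"marker key {key_path}\\{vname} = {data}")
    return findings


def scan_mail(subject, attachments):
    """Return findings for one message; attachments is a list of (name, size)."""
    findings = []
    if subject.strip().lower() == MAIL_SUBJECT:
        findings.append(f"subject matches: {subject}")
    for name, size in attachments:
        if name.lower() == MAIL_ATTACHMENT:
            findings.append(f"attachment name matches: {name}")
            if size == ATTACHMENT_SIZE:
                findings.append(f"attachment size matches: {size} bytes")
    return findings


# Constructed sample data (not captured from a real infection).
SAMPLE_FILES = [r"C:\Windows\BcTool.exe", r"C:\Windows\02_N803.dat",
                r"C:\Windows\System\Vtnmsccd.dll", r"C:\Windows\notepad.exe"]
SAMPLE_RUN_VALUES = {"3DfxAcc": r"\%WinDir%\GfxAcc.exe",
                     "LoadDBackUp": r"\%WinDir%\BcTool.exe",
                     "SystemTray": r"C:\Windows\System\systray.exe"}
SAMPLE_KEYS = {r"HKEY_LOCAL_MACHINE\Software\AVTech\Settings": {"Installed": "... by Begbie"}}
SAMPLE_MAILS = [("Internet Security Update", [("q216309.exe", 122880)]),
                ("Lunch on Friday?", [("menu.pdf", 40213)])]

if __name__ == "__main__":
    for line in scan_host(SAMPLE_FILES, SAMPLE_RUN_VALUES, SAMPLE_KEYS):
        print("HOST:", line)
    for subject, attachments in SAMPLE_MAILS:
        for line in scan_mail(subject, attachments):
            print("MAIL:", line)
```

The checks are deliberately loose (basename only, case-insensitive), because the description gives file names and Run value data rather than hashes; treat a single dropped-file hit as something to confirm with a full scan rather than as proof on its own, while the Run values and the AVTech marker key together are a much stronger signal.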
How can I protect my system?
Solo has incorporated BcTool.exe in its signature file to protect users from this worm. Registered Solo antivirus users are already protected from this worm. Make sure that you have installed the registered version of Solo Antivirus to protect your system from all virus threats.
How to remove this worm?
If you are already infected with the BcTool.exe process, you can remove it from your computer using Solo Antivirus software. Solo antivirus can detect and remove W32.Gibe.A@mm safely. Use the following link to download the 30-day trial version of Solo antivirus to remove viruses from your computer.

Solo anti-virus not only scans for all viruses; it also contains a unique System Integrity Checker to protect you from new Internet worms, backdoors and malicious VB and Java scripts. It also effectively removes all existing Internet worms, file viruses, malicious VBS and Java scripts, Trojans, backdoors, boot sector, partition table and macro viruses.
You can purchase Solo antivirus using the link
