There is an email making the rounds which appears to be from
“Microsoft Corporation Security Center” with a subject line of
“Internet Security Update”.
The email has an attachment which the email describes as being
the “1 Mar 2002 Cumulative Patch” for IE. The attached file is
typically named “Q216309.exe”.
There is no such patch from Microsoft and, furthermore,
Microsoft never emails its patches; they are posted to Microsoft’s
web pages.
The bogus email is actually the GIBE email worm. The GIBE worm is
written in Visual Basic, and, if run, appears to be a valid install
of a patch from Microsoft. GIBE, however, will email itself to
everyone in your address book and install a backdoor component on
your system which allows the virus writer to access your system
remotely.
1. Do not run the attached file.
2. Delete the email.
Because Windows ME backs up system files, this virus may well be
backed up along with other system files, and your antivirus software
will be unable to remove it unless you do the following:
1. Right click My Computer on the Desktop, and choose Properties.
2. Click the Performance Tab.
3. Click the File System button.
4. Click the Troubleshooting Tab.
5. Put a check mark next to “Disable System Restore”.
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.
NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a complete virus scan to delete all infected files, or browse
the files located in the C:\_Restore folder and remove them.
12. After removing the virus files, restart the computer normally.
13. Re-enable the Restore Utility by doing steps 1-9 and on step 5
remove the check mark next to “Disable System Restore”.
If you need to manually remove the virus for some reason, you will
need to boot to pure DOS and delete the following files from your
Windows folder:
Q216309.exe - a copy of the file dropper
BcTool.exe - the mass-mailing component
WinNetw.exe - e-mail address searching component
GfxAcc.exe - backdoor component
Vtnmsccd.dll - a copy of a dropper
MSWinsck.ocx - standard Winsock library
The easiest way to boot to pure DOS would be to use a DOS boot
diskette. Please note that there are also registry entries that
the virus created. If you are familiar with the REGEDIT tool and
confident in your ability to use it correctly, first back up your
registry and then perform the following steps:
1. Click the Start button, then “Run”.
2. In the Run dialog box, type “regedit” and click OK.
3. In the Registry Editor, navigate to the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
4. In the right pane, delete the following values:
LoadDBackUp C:\Windows\BcTool.exe
3Dfx Acc C:\Windows\GFXACC.exe
5. Next, navigate to the following key and delete it:
HKEY_LOCAL_MACHINE\Software\AVTech
6. Close the Registry Editor and reboot your system.
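As an added example (not part of the advisory above), the following Python script checks a REGEDIT export and a listing of the Windows folder for the indicators the advisory names: the two Run values, the AVTech key and the dropped files. The sample .reg text and file list are constructed for the demonstration, not taken from a real machine.

```python
import re

# Indicators taken from the advisory text (compared case-insensitively).
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
AVTECH_KEY = r"HKEY_LOCAL_MACHINE\Software\AVTech"
RUN_VALUES = {"loaddbackup", "3dfx acc"}
# MSWinsck.ocx is left out on purpose: the advisory itself calls it a standard
# Winsock library, so its presence alone proves nothing.
DROPPED_FILES = {"q216309.exe", "bctool.exe", "winnetw.exe", "gfxacc.exe", "vtnmsccd.dll"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Parse a REGEDIT .reg export into {key path: {value name: raw data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:                       # "[HKEY_...]" starts a new key
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:   # '"name"=data' belongs to the current key
            keys[current][m.group(1)] = m.group(2)
    return keys


def find_gibe_indicators(reg_text, windows_dir_files):
    """Return human-readable findings; an empty list means nothing matched."""
    findings = []
    keys = {k.lower(): v for k, v in parse_reg_export(reg_text).items()}
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if name.lower() in RUN_VALUES:
            findings.append(f"Run value {name!r} -> {data}")
    if AVTECH_KEY.lower() in keys:
        findings.append(f"key present: {AVTECH_KEY}")
    for f in windows_dir_files:
        if f.lower() in DROPPED_FILES:
            findings.append(f"file in Windows folder: {f}")
    return findings


# Constructed sample input: one benign Run value mixed with the worm's entries.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"LoadDBackUp"="C:\\Windows\\BcTool.exe"
"3Dfx Acc"="C:\\Windows\\GFXACC.exe"
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\Software\AVTech]
"""
SAMPLE_FILES = ["Explorer.exe", "BcTool.exe", "GfxAcc.exe", "MSWinsck.ocx"]

if __name__ == "__main__":
    for finding in find_gibe_indicators(SAMPLE_REG, SAMPLE_FILES):
        print(finding)
```

On a live system the inputs would come from a `regedit /e` export and a directory listing of the Windows folder; matching only the value names and file names keeps the check independent of the drive letter or folder path.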