New Gibe Virus Poses as a Microsoft Patch and Is Poised to Make Its Entrance
2002-03-07 10:55:50, compiled by Kingsoft Antivirus (Duba)
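  If you receive an e-mail claiming to be a Microsoft security patch, do not be taken in by it, and do not naively assume that Microsoft has really sent you a security patch. It is in fact the "work" of Gibe, a new worm that appeared in recent days. The virus is written in Visual Basic and disguises itself as a Microsoft patch to lure users into opening the attachment, which infects the machine and sends infected e-mail to everyone in the address book.

  Fortunately, the virus itself does little harm, and its infected e-mails are full of spelling mistakes, so they are very easy to spot.

  Gibe spreads by e-mail. The message subject is "Internet Security Update", and the body is a letter pretending to come from Microsoft. The full text follows: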

  Microsoft Customer,

  this is the latest version of security update, the update which eliminates all known security vulnerabilities affecting Internet Explorer and MS Outlook/Express as well as six new vulnerabilities, and is discussed in Microsoft Security Bulletin MS02-005. Install now to protect your computer from these vulnerabilities, the most serious of which could allow an attacker to run code on your computer.

  Description of several well-know vulnerabilities:

  - "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability. If a malicious user sends an affected HTML e-mail or hosts an affected e-mail on a Web site, and a user opens the e-mail or visits the Web site, Internet Explorer automatically runs the executable on the user's computer.

  - A vulnerability that could allow an unauthorized user to learn the location of cached content on your computer. This could enable the unauthorized user to launch compiled HTML Help (.chm) files that contain shortcuts to executables, thereby enabling the unauthorized user to run the executables on your computer.

  - A new variant of the "Frame Domain Verification" vulnerability could enable a malicious Web site operator to open two browser windows, one in the Web site's domain and the other on your local file system, and to pass information from your computer to the Web site.

  - CLSID extension vulnerability. Attachments which end with a CLSID file extension do not show the actual full extension of the file when saved and viewed with Windows Explorer. This allows dangerous file types to look as though they are simple, harmless files - such as JPG or WAV files - that do not need to be blocked.

  System requirements: Versions of Windows no earlier than Windows 95.

  This update applies to:

  Versions of Internet Explorer no earlier than 4.01
  Versions of MS Outlook no earlier than 8.00
  Versions of MS Outlook Express no earlier than 4.01

  How to install

  Run attached file q216309.exe

  How to use

  You don't need to do anything after installing this item.

  For more information about these issues, read Microsoft Security Bulletin MS02-005, or visit link below. If you have some questions about this article contact us at rdquest12@microsoft.com

  Thank you for using Microsoft products.

  With friendly greetings, MS Internet Security Center.

  Microsoft is registered trademark of Microsoft Corporation. Windows and Outlook are trademarks of Microsoft Corporation.

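  The attachment is q216309.exe (122,880 bytes), which looks very much like a Microsoft security patch. Non-Windows operating systems are not affected by this virus. If a Windows user opens the attachment, the virus modifies the registry as follows:

  HKLM\Software\AVTech\Settings\Default Address = (default address)

  HKLM\Software\AVTech\Settings\DefaultServer = (default server)

  HKLM\Software\AVTech\Settings\Installed = ...by Begbie

  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\3dfx Acc = (path to gfxacc.exe)

  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadDBackup = (path to bctool.exe)

  After modifying the registry, the virus installs a backdoor trojan that is activated automatically every time the computer restarts. It also creates the following files in the Windows directory:

  bctool.exe (32,768 bytes) - mail-sending component

  winnetw.exe (20,480 bytes) - e-mail address harvesting component

  q216309.exe (122,880 bytes) - copy of the virus

  vtnmsccd.dll (122,880 bytes) - copy of the virus

  gfxacc.exe (20,480 bytes) - trojan horse component

  gfxacc.exe is a trojan horse that lets a malicious user access the infected machine at will. Users who monitor their systems with a firewall will also notice unusual activity on port 12387. All of this is caused by a Gibe infection.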
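
  The host-side indicators listed above (registry values, dropped files and port 12387) can be checked with a short PowerShell script. This is an added example, not part of the original article; the indicator values are taken from the article, and treating port 12387 as a TCP listener is an assumption.

```powershell
# Added example: look for the Gibe artifacts this article lists on a Windows host.
# Run from an elevated PowerShell prompt. Indicator values are from the article.
$findings = @()

# 1. Settings key the worm writes (Default Address, DefaultServer, Installed).
$avtech = 'HKLM:\Software\AVTech\Settings'
if (Test-Path -Path $avtech) {
    $findings += "Registry key present: $avtech"
}

# 2. Autostart values that relaunch gfxacc.exe and bctool.exe at boot.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($name in '3dfx Acc', 'LoadDBackup') {
    if ($run -and ($run.PSObject.Properties.Name -contains $name)) {
        $findings += "Run value '$name' = $($run.$name)"
    }
}

# 3. Files dropped in the Windows directory, with the sizes the article reports.
$dropped = @{
    'bctool.exe'   = 32768
    'winnetw.exe'  = 20480
    'q216309.exe'  = 122880
    'vtnmsccd.dll' = 122880
    'gfxacc.exe'   = 20480
}
foreach ($entry in $dropped.GetEnumerator()) {
    $path = Join-Path -Path $env:windir -ChildPath $entry.Key
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($item) {
        $match = if ($item.Length -eq $entry.Value) { 'size matches' } else { 'size differs' }
        $findings += "File present: $path ($($item.Length) bytes, $match)"
    }
}

# 4. Port 12387 (assumption: the trojan holds it open as a TCP listener).
$listeners = Get-NetTCPConnection -LocalPort 12387 -State Listen -ErrorAction SilentlyContinue
foreach ($conn in $listeners) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $findings += "TCP 12387 listening: PID $($conn.OwningProcess) $($proc.ProcessName)"
}

if ($findings) { $findings } else { 'No Gibe indicators from the article were found.' }
```

  On 64-bit Windows, also check the same paths under HKLM:\Software\WOW6432Node, where registry writes from 32-bit programs are redirected.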

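  Prevention

  Users of Outlook 2002 and Outlook 2000 who have installed the latest patches are safe. Users who have not upgraded to Outlook 2002 or have not installed the patches should do so as soon as possible. In general, do not open attachments, and use the latest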