Helpful Information
 
 
Category: Antivirus Protection
Warning: Patch256.exe (Likely Virus)

I have received an e-mail with the attached file "patch256.exe". The e-mail claims to be from "MS Network Security Section" and appears to be from a spoofed e-mail address (gzgqvxmflv_632167@iPEIRCM.com). The text of the e-mail can be had here (http://www.simple-sam.com/patch256.htm).

I am unfamiliar with this particular virus/hoax. Can anyone confirm this is new?

I am without my Linux box, so I cannot do anything with this file. If anyone wants me to e-mail a copy of it to them, PM me with the e-mail address.

A few things that stand out about the text of the email.

A) Microsoft never mails out security advisories with attached patches.

B) Whenever Microsoft releases a patch, they provide a direct link to their site that contains specific details about the patch and what it fixes. This is missing.

C) Though much better than most, the grammar in this text is not entirely correct - almost always a dead give away.

Gonna PM Ctb for the file and will run it through the virus scanner.

I just got an email from my ISP support warning about a couple new viruses that are rumored to be released tomorrow 9/11

Maybe you are a beta? :)

As raklet said, MS will never send around an executable via email.

Raklet -

Sent you a forward of the whole e-mail. Note the Return-Path: in the headers appears to be a valid e-mail address at tijd.com

I've posted this to a MS Security Forum just in case it is new... but I'm hoping I'm wrong or tomorrow could be a veeerrryyyy bad day for me.

The file is a virus.

W32.Gibe.B@mm

Quick summary from Symantec with link to follow:

Wild: Low
Damage: Low
Distribution: High

Payload is large scale emailing

Displays a fake message claiming to be from Microsoft.

Copies itself to multiple system and registry locations.

Can spread through email, Kazaa, mIRC, and mapped network drives.

Can be removed through virus scan. Doesn't appear to need special removal tool.

Full Details:

http://securityresponse.symantec.com/avcenter/venc/data/w32.gibe.b@mm.html

Excellent work - thanks raklet!

I don't worry about recognized viruses because I rarely get a Windows virus in my e-mail, but I didn't recognize this one right away. Normally, that means it's new or it's distribution is on the rise. I guess I just got a false alarm on that one.

As for 9/11, I'd expect a new round of SoBig to take off tomorrow. The current version expired today.










privacy (GDPR)