Flaws in the W32/Gibe mass-mailing worm have prevented it from becoming anything like the Internet epidemics of Melissa and LoveBug. But the recent malicious code has introduced a new technique that could help future worms spread fast and wide, experts said Tuesday.
Gibe, which masquerades as a security update from Microsoft, is the first Internet worm to harvest e-mail addresses of potential victims from online directories, according to researchers at McAfee's Anti-Virus Emergency Response Team (AVERT).
The technique has helped Gibe, first identified in late February, to infect thousands of people in 39 countries, according to statistics kept by MessageLabs.
Like many garden-variety Internet worms, Gibe also attempts to propagate by automatically sending copies of itself to addresses in the victim's Microsoft Outlook address book.
However, testing by AVERT researchers has uncovered coding flaws in the worm that appear to prevent Gibe's Outlook-spreading component from working reliably.
Clever "social engineering" has played a big part in enabling Gibe to snare unwary computer users, experts said. The Trojan horse travels as an attachment named Q216309.EXE in a message forged to appear to come from Microsoft -- despite the fact that the big software company never sends updates by e-mail.
But Gibe's novel technique for scouting potential victims has captured the attention of virus researchers, despite the worm's low-risk rating.