JS/Feebs.BC@mm

Release Date: Jan 17, 2006
Detection Availability
              Active Database    Extended Database
FortiGate     low                high
FortiClient
FortiMail     N/A
Current Antivirus Definition Database Version: 12.323
Description

Visible Symptoms


Detailed Analysis

JS/Feebs.BC!mm - 06-04-04


General Info:

This threat has a file compression:

Network/Internet:

  • It spreads through: mass-emailing

More Info:

Feebs implements a simple encryption scheme using the eval() and unescape() JavaScript functions. It first declares an encoded string which contains the actual decryption algorithm. The string is encoded as "escaped" character codes: every character is replaced by its escaped counterpart, which makes the function unreadable to the user (it is a sequence of % signs and numeric codes). This string is then passed as an argument to the unescape() function, which translates the numeric codes back into the algorithm's source text, and that text is added as a function through the eval() function. With the decryption function now declared and defined, the script calls it later and passes it an encrypted string containing the payload.
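For analysis, the escaped layer described above can be recovered statically, without calling eval(). The following is an added example, not code from the original entry or from Feebs: SAMPLE is a constructed, benign script, and dec() is a hypothetical stand-in for the real decryption routine, which this entry does not reproduce.

```javascript
// Added example: peel the eval(unescape("...")) layer without executing it.
// STUB and SAMPLE are constructed and benign; dec() is a hypothetical stand-in.
const STUB = 'function dec(s){return s.split("").reverse().join("")}';
const SAMPLE =
  'var k="' + [...STUB].map(c => '%' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('') + '";\n' +
  'eval(unescape(k));\n' +
  'document.write(dec("!dlrow olleh"));';

// Decode %XX and %uXXXX the way unescape() does; malformed sequences stay as-is.
function decodeEscapes(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

// Fraction of a string literal that consists of escape sequences.
function escapeRatio(s) {
  const m = s.match(/%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}/g) || [];
  return s.length ? m.reduce((n, e) => n + e.length, 0) / s.length : 0;
}

// Report string literals that are mostly escapes (decoded, never evaluated),
// and whether the script passes unescape() output straight to eval().
function analyze(source, minLen = 30, minRatio = 0.8) {
  const literals = [...source.matchAll(/"([^"\\\n]*)"|'([^'\\\n]*)'/g)]
    .map(m => m[1] ?? m[2]);
  const layers = literals
    .filter(l => l.length >= minLen && escapeRatio(l) >= minRatio)
    .map(l => decodeEscapes(l));
  return {
    evalOfUnescape: /\beval\s*\(\s*unescape\s*\(/.test(source),
    layers,
    definesFunction: layers.some(l => /\bfunction\s+\w+\s*\(/.test(l)),
  };
}

const report = analyze(SAMPLE);
console.log(report);
```

The minLen and minRatio thresholds are illustrative; a literal that is almost entirely escape sequences and decodes to a function definition is the pattern this entry describes.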

Reference: ID - 148965