
JS/Feebs.fam@mm - Released Jan 04, 2006 - Last Updated Mar 13, 2007

Alias/es

JS/Feebs.A-tr, JS/Feebs.fam@mm

Detection Availability

Active Database / Extended Database
FortiGate
low
high
FortiClient
FortiMail N/A

Visible Symptoms

  • This virus may arrive as an attachment to an email message from an infected system - the attachment will have an .HTA extension, with a size of 4Kb

Detailed Analysis

This detection is generalized to cover several variants of the Feebs virus family. In general, the file arrives on a target system via email as an attachment, commonly with a .HTA file extension. If the attachment is opened or run, it could potentially spread to others via email, driven by encrypted JavaScript command instructions.


Feebs implements a simple encryption scheme using the eval() and unescape() JavaScript functions.

It first declares an encoded string that contains the actual decryption algorithm. The string is encoded with "escaped" HTML codes: every character is replaced by its escaped counterpart, which makes the function unreadable to the user (it appears as a sequence of % signs and numeric codes).

This string is then passed as an argument to the unescape() function, which translates the numeric codes back into the algorithm's source text. That text is then defined as a function by passing it to eval().

At this point the JavaScript decryption function is declared and defined. It is called later in the script with an encrypted string containing the payload as its argument.
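
The layering described above can be triaged statically. The following is an added example, not code from the original advisory or from the malware: it finds string literals made up of percent escapes, decodes them without calling eval(), and reports whether eval() and unescape() are both present. The sample script, the dec and k names, and the eight-escape threshold are constructed assumptions.

```javascript
// Added example: static triage of the eval(unescape("%..")) layer described above.
// Decoded text is only returned as a string for review; nothing is executed.

// Constructed, harmless stand-in for a first-stage script (names are hypothetical).
const PLAIN = 'function dec(s){return s.split("").reverse().join("")}';
const ESCAPED = Array.from(PLAIN,
  c => '%' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
const SAMPLE = 'var k = "' + ESCAPED + '";\neval(unescape(k));\nvar out = dec("...");';

// Decode %XX and %uXXXX sequences the way unescape() would, without eval().
function decodeEscapes(text) {
  return text.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (match, wide, narrow) => String.fromCharCode(parseInt(wide || narrow, 16)));
}

// Assumption: a literal made only of escapes, at least eight long, is worth decoding.
const ESCAPED_LITERAL = /(["'])((?:%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}){8,})\1/g;

function triage(source) {
  const findings = [];
  for (const m of source.matchAll(ESCAPED_LITERAL)) {
    findings.push({
      offset: m.index,                 // where the literal starts in the file
      encodedLength: m[2].length,      // size of the escaped body
      decoded: decodeEscapes(m[2]),    // first layer, recovered as inert text
    });
  }
  const usesEval = /\beval\s*\(/.test(source);
  const usesUnescape = /\bunescape\s*\(/.test(source);
  return {
    usesEval,
    usesUnescape,
    findings,
    // All three together match the loader pattern this page describes.
    suspicious: usesEval && usesUnescape && findings.length > 0,
  };
}

console.log(JSON.stringify(triage(SAMPLE), null, 2));
```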

Recommended Action



    FortiGate systems:

  • Check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option


    FortiClient systems:

  • Quarantine/Delete infected files detected


Reference: ID - 145934