JS/Feebs.O.fam@mm - Released Jan 17, 2006 - Last Updated Mar 13, 2007
Visible Symptoms
Feebs opens a window saying it is trying to connect to a popular mail server (e.g. MSN).
It will also close some analysis and monitoring programs, such as those from SysInternals.
Detailed Analysis
This detection is generalized to cover several variants of the Feebs virus family. The general characteristics are that the file arrives on a target system via email as an attachment. The attachment commonly has a .HTA file extension. If the attachment is opened or run, it could potentially spread to others via email, driven by encrypted JavaScript command instructions.
This threat has a file compression:
Network/Internet:
- It spreads through: mass-emailing
- Connects to Server: HTTP
- Other Payloads: Downloads updates
Files:
Installation to System:
- Drops the following files:
It drops the file userinit.exe in the Recycle Bin.
More Info:
This threat tries to download the file my.txt from several servers:
gooty.by.ru
rpp.1gb.ru
dook.zoo.by
myphotokool.t35.com
hlppyhusu.newmail.ru
Once the download completes, it drops the file userinit.exe, which stops monitoring software to hide its activities. Then it mass-mails itself to addresses grabbed from the user's contact list.
Feebs implements a simple encryption scheme built on the eval() and unescape() JavaScript functions.
It first declares an encoded string which contains the actual decryption algorithm. The string is "escaped": every character is replaced by its escaped numeric code, so the function is unreadable to the user (it is a sequence of % signs followed by numeric codes).
This string is then passed as an argument to the unescape() function, which translates the numeric codes back into the algorithm's source text; that text is then turned into a function by passing it to eval().
Once the decryption function has been declared and defined, it is called later in the script with an encrypted string containing the payload as its argument.
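To make the eval(unescape(...)) layering described above concrete, here is an added static-analysis helper (not code from the FortiGuard page and not Feebs code). It decodes escape()-style %XX and %uXXXX strings by hand, so an analyst can see the hidden decryption function and its payload string without ever executing the sample. The script it inspects is a constructed, harmless stand-in; the function names decodeEscaped and analyzeScript and the assumption that each escaped literal is entirely percent-encoded (as the page states) are this example's own.

```javascript
// Added example: non-executing decoder for eval(unescape(...)) layers.
// Not part of the FortiGuard page; the sample script below is constructed.

// Decode a JavaScript escape()-style string: %XX and %uXXXX sequences.
// Written by hand so the analyst never calls unescape()/eval() on the sample.
function decodeEscaped(s) {
  let out = "";
  for (let i = 0; i < s.length; ) {
    if (s[i] === "%") {
      const u = s.slice(i + 2, i + 6);
      if (s[i + 1] === "u" && /^[0-9a-fA-F]{4}$/.test(u)) {
        out += String.fromCharCode(parseInt(u, 16));
        i += 6;
        continue;
      }
      const h = s.slice(i + 1, i + 3);
      if (/^[0-9a-fA-F]{2}$/.test(h)) {
        out += String.fromCharCode(parseInt(h, 16));
        i += 3;
        continue;
      }
    }
    out += s[i]; // not an escape sequence: copy through unchanged
    i += 1;
  }
  return out;
}

// Find every string literal made entirely of escape sequences (at least
// three, to skip ordinary short strings), decode each one, and report
// whether the script wires them into the eval(unescape(...)) pattern.
function analyzeScript(script) {
  const literalRe = /(["'])((?:%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}){3,})\1/g;
  const layers = [];
  let m;
  while ((m = literalRe.exec(script)) !== null) {
    layers.push({ offset: m.index, encoded: m[2], decoded: decodeEscaped(m[2]) });
  }
  const usesEvalUnescape = /\beval\s*\(\s*unescape\s*\(/.test(script);
  // A decoded layer that declares a function is the hidden decryption
  // routine; escaped literals found after it are candidate payloads.
  const definesDecoder = layers.some((l) => /\bfunction\s+\w+\s*\(/.test(l.decoded));
  return { layers, usesEvalUnescape, definesDecoder };
}

// Constructed sample in the shape the page describes: an escaped string
// holding a "decoder" function, revealed via eval(unescape(k)), followed by
// an escaped "payload" string handed to that function. Both decode to
// harmless text.
const SAMPLE_SCRIPT = [
  "// constructed sample, not Feebs code",
  'var k = "%66%75%6E%63%74%69%6F%6E%20%64%28%73%29%7B%72%65%74%75%72%6E%20%75%6E%65%73%63%61%70%65%28%73%29%7D";',
  "eval(unescape(k));",
  'var p = "%73%61%6D%70%6C%65%20%70%61%79%6C%6F%61%64";',
  "d(p);",
].join("\n");

// Usage: print what an analyst would see for the constructed sample.
const report = analyzeScript(SAMPLE_SCRIPT);
console.log("eval(unescape(...)) present:", report.usesEvalUnescape);
for (const layer of report.layers) {
  console.log(`literal at offset ${layer.offset} decodes to: ${layer.decoded}`);
}
```

The decoded first layer is the hidden function text, so the same helper can be run again on any escaped literals that function receives; because nothing here calls eval(), the sample's payload is exposed as text rather than run, which is the behaviour a triage tool needs.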
Recommended Action
FortiGate systems:
- check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option
FortiClient systems:
- Quarantine/Delete infected files detected