| Alias/es | W32/Feebs.AJ!wm |
| Release Date | May 12, 2006 |
| Detection Availability | Current Antivirus Definition Database Version: 12.338 |

Description

Visible Symptoms
It drops files into the Windows System32 folder with the following name formats (Note: * stands for a random alphabetic character):
- ms**.exe - This is a copy of the dropper component of the worm. (Example: msyf.exe)
- ms** - This is another copy of the dropper component and it does not use a filename extension. (Example: mssz)
Possible termination of the firewall or other security applications, including antivirus monitors.

Detailed Analysis
Stealth Features
- The ms**.exe component of the worm also drops a hidden file into the root folder of the drive. The file is Upack-compressed and is named with a single alphabetic character and no filename extension. If a file with that name already exists in the root folder, the worm tries the next letter of the alphabet until it finds one that is unused (a, b, c, and so on). This one-letter file is then copied into the System32 folder as a hidden file named ms**32.dll and deleted afterwards. If the copy into System32 fails, the worm terminates prematurely and leaves the hidden one-letter file behind in the root folder.
- The worm injects its ms**32.dll component into Explorer.exe and several other processes currently running in the system. This ensures that it stays resident in memory as much as possible.
- The DLL component of the worm also has rootkit features that it uses to implement stealth techniques. By hooking system functions, the worm hides files and registry changes it made in the system. Due to this feature, Windows Explorer, some file management tools, registry tools or even some rootkit detectors may fail to see them.
- If the worm detects the presence of a debugger, it terminates prematurely. In its attempt to avoid detection, it also tries to delete the following autorun registry keys belonging to known security applications:
- avp6
- avz
- firesvc
- hackereliminator
- keylog
- kpf4gui
- kpf4ss
- mcafeefire
- nod32krn
- outpost
- rapapp
- rootkitrevealer
Autostart Methods: It creates the following registry entries so that its DLL is loaded automatically: the DLL is registered as a shell service object under ShellServiceObjectDelayLoad (a key Explorer processes at startup), and the CLSID it is registered with has an InprocServer32 entry pointing at the DLL. If the worm fails to add these entries, it may instead copy itself into the Startup folder as "userinit.exe" and then delete itself afterwards.
(Note: The * character stands for a random alphabetical character)
- key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
- value: ms**32.dll
- data: "<Random CLSID>"
- key: HKEY_CLASSES_ROOT\CLSID\<Random CLSID>\InprocServer32
- value: (Default)
- data: "<%system32%>\ms**32.dll"
Additional Registry Entries: It also creates entries with the following formats to store information such as email addresses it uses to propagate via email, and paths where it drops ZIP files to propagate via P2P:
(Note: The * character stands for a random alphabetical character)
- key: HKEY_LOCAL_MACHINE\Software\Microsoft\MS**\dat
- key: HKEY_LOCAL_MACHINE\Software\Microsoft\MS**\*dat
Backdoor Capabilities: The Feebs worm can also open a random port on the compromised system, or connect to ICQ and AIM, to send information to and receive commands or data from the attacker.
Propagation Methods: This worm typically arrives in a system as an email attachment or a ZIP file downloaded via P2P.
- Via Email
- Using its own SMTP engine, this worm propagates via email by forging messages and sending them to addresses it has collected from the system. When it identifies itself to the receiving SMTP server (the HELO/EHLO name), it uses a bogus host name with the following format:
- **.com - where * stands for a random alphabetic character (Example: bw.com, fw.com, hq.com, etc.)
- It collects recipient email addresses from the infected user's files, particularly those with filename extensions like HLP, TXT, MDB, DBX, WAB, XLS, PST, HTT, VBS, DOC, EML, RTF, HTM, XML, PHP, ASP, etc.
- For the sender email address, it combines any of the following names with any of the following domains, or generates a name of three random alphabetic characters. Sometimes it appends a four-digit year, ranging from 2000 to the current system year, to the name. (Examples: adam2003@msn.com, xzj2002@yahoo.com, etc.)
- List of Names:
- adam
- alex
- alice
- alley
- andrew
- angel
- anna
- baby
- bill
- bob
- brenda
- brent
- brian
- cindy
- claudia
- dan
- dave
- david
- debby
- fred
- george
- helen
- honey
- jack
- james
- jane
- jerry
- jim
- jimmy
- joe
- john
- jose
- julie
- kevin
- leo
- linda
- maria
- mary
- matt
- melissa
- mia
- michael
- mike
- milla
- neo
- nikky
- pamela
- peter
- pussy
- ray
- robert
- sam
- serg
- sexy
- smith
- stan
- steve
- sunny
- sweety
- tanya
- ted
- tom
- trinity
- List of Domains:
- aol.com
- gmail.com
- hotmail.com
- msn.com
- yahoo.com
- The worm generates an HTML Application (HTA) file, places it inside a ZIP archive, attaches the archive to an email and sends it out to unsuspecting users. The HTA either carries the worm's executable binary component and drops it on the system, or downloads an updated version of the worm from somewhere on the internet.
- The email sent out by this worm contains the following details:
- Subject: - This can be any of the following:
- Body - This follows the format below. Some words in the message body are intentionally misspelled, possibly to evade anti-spam, antivirus or other security applications that rely on specific email strings for detection. The name used in the body can be any of the names listed above for the sender addresses, with the first letter in uppercase:
- Hi <random name> .
Here that page which you asked to send. password: <7-8 random alphanumeric characters>
<random closing remarks>,
<random name>
_________
http://nbhf.nm.ru - Profit 1% daily
- Attachment: - It is a ZIP file containing a script file. The script file has a name composed of random alphabetic characters followed by an .HTA extension. The ZIP file itself uses any of the following names (the first letter may be either lowercase or uppercase):
- Data.zip
- Document.zip
- Html.zip
- Information.zip
- Mail.zip
- Message.zip
- Msg.zip
- Page.zip
- Text.zip
- Closing Remarks: - This can be any of the following:
- Best Regards
- Bye
- Sincerely
- Below is a screenshot of a sample email sent out by this worm.
- Via Peer-to-Peer (P2P)
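The lure described under "Via Email" has several fixed traits (the two-letter .com HELO name, the name+year@free-mail sender, the "password:" token in the body, the nbhf.nm.ru footer, the fixed ZIP names and the random-letter .HTA inside). The following scorer is an added example and not code from the original description or from any vendor: it parses a raw message, inspects the attached ZIP in memory and reports which traits it finds. The two messages it builds are constructed samples (the subject line is a placeholder, since the page does not reproduce the worm's subject list); the HELO name is assumed to come from the MTA log and is passed in separately, because it is not part of the message itself.

```python
"""Score an e-mail against the Feebs lure traits listed on this page (added example)."""
import email.utils
import io
import re
import zipfile
from datetime import date
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import List, Optional

# Sender names and domains from the description. "sender-pattern" is a weak indicator
# on its own: three random letters at gmail.com matches plenty of legitimate users.
NAMES = frozenset("""adam alex alice alley andrew angel anna baby bill bob brenda brent brian
cindy claudia dan dave david debby fred george helen honey jack james jane jerry jim jimmy
joe john jose julie kevin leo linda maria mary matt melissa mia michael mike milla neo
nikky pamela peter pussy ray robert sam serg sexy smith stan steve sunny sweety tanya ted
tom trinity""".split())
DOMAINS = frozenset({"aol.com", "gmail.com", "hotmail.com", "msn.com", "yahoo.com"})
ZIP_NAMES = frozenset({"data.zip", "document.zip", "html.zip", "information.zip",
                       "mail.zip", "message.zip", "msg.zip", "page.zip", "text.zip"})
HELO_RE = re.compile(r"^[a-z]{2}\.com$", re.I)            # bogus HELO: **.com
LOCAL_RE = re.compile(r"^([a-z]+?)(20\d\d)?$")           # <name>[<year>]
# The page says body words may be misspelled, so key on the password token, not the sentence.
PASSWORD_RE = re.compile(r"password:\s*[a-z0-9]{7,8}\b", re.I)
HTA_RE = re.compile(r"^[a-z]+\.hta$", re.I)               # random letters + .hta
LURE_URL = "http://nbhf.nm.ru"


def sender_matches(addr: str) -> bool:
    """<listed name or 3 random letters>[2000..current year]@<one of the five domains>."""
    local, _, domain = addr.strip().lower().rpartition("@")
    m = LOCAL_RE.match(local)
    if not m or domain not in DOMAINS:
        return False
    name, year = m.group(1), m.group(2)
    if year and not 2000 <= int(year) <= date.today().year:
        return False
    return name in NAMES or len(name) == 3


def attachment_indicators(msg: EmailMessage) -> List[str]:
    """ZIP named like the lure, and/or a ZIP whose member is a random-letter .hta."""
    hits = []
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() in ZIP_NAMES:
            hits.append("zip-name")
        data = part.get_payload(decode=True) or b""
        if data.startswith(b"PK"):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    if any(HTA_RE.match(n.rsplit("/", 1)[-1]) for n in zf.namelist()):
                        hits.append("hta-in-zip")
            except zipfile.BadZipFile:
                hits.append("bad-zip")
    return hits


def score_message(raw: bytes, helo: Optional[str] = None) -> List[str]:
    """Return the Feebs indicators found in one raw message (plus the SMTP HELO, if known)."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if helo and HELO_RE.match(helo):
        hits.append("helo-2letter-com")
    if sender_matches(email.utils.parseaddr(str(msg.get("From", "")))[1]):
        hits.append("sender-pattern")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if PASSWORD_RE.search(text):
        hits.append("body-password")
    if LURE_URL in text:
        hits.append("body-url")
    return hits + attachment_indicators(msg)


def is_feebs_lure(hits: List[str]) -> bool:
    """Verdict: at least two indicators, at least one of them content-based."""
    strong = set(hits) - {"sender-pattern", "helo-2letter-com"}
    return len(set(hits)) >= 2 and bool(strong)


def _build(sender: str, subject: str, body: str, member: str, zip_name: str) -> bytes:
    """Assemble a multipart message with one ZIP attachment (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "placeholder content, not the worm's script")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "victim@example.com", subject
    msg.set_content(body)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()


def sample_lure() -> bytes:
    """Follows the body template on this page; subject is a placeholder (page omits the list)."""
    return _build("adam2003@msn.com", "(subject placeholder)",
                  "Hi Mary .\nHere that page which you asked to send. password: k8d2m9q\n"
                  "Best Regards,\nJohn\n_________\nhttp://nbhf.nm.ru - Profit 1% daily\n",
                  "qwzxkp.hta", "Document.zip")


def sample_benign() -> bytes:
    return _build("alice.smith@example.org", "Meeting notes",
                  "Notes from today attached.\n", "notes.txt", "notes.zip")


if __name__ == "__main__":
    for label, raw, helo in (("lure", sample_lure(), "bw.com"),
                             ("benign", sample_benign(), "mail.example.org")):
        found = score_message(raw, helo)
        print(f"{label}: {found} -> feebs={is_feebs_lure(found)}")
```

The verdict deliberately refuses to fire on the sender or HELO pattern alone: both describe shapes that legitimate mail also takes, whereas the ZIP name, the .hta member and the body tokens are specific to this lure.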
JavaScript Component
- This refers to the HTA script file inside the ZIP archives attached to the emails the worm sends out. The script is polymorphic and written in JavaScript. Once executed, it opens a window whose title consists of 6-9 random alphabetic characters, then downloads a file with a .txt or .c filename extension from one of a set of websites hosted on the domains below. It saves the downloaded file in the C:\Recycled folder under the name "userinit.exe".
- t35.com
- wol.bz
- nm.ru
- 1gb.ru
- zoo.by
- by.ru
- newmail.ru
- It creates the following registry entries to store information and autostart:
- HKCU\Software\Microsoft\Internet Explorer\<3 random alphabetic characters>
- key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CD5AC91B-AE7B-E83A-0C4C-E616075972F3}
- value: StubPath
- data: "C:\Recycled\userinit.exe"
- If it does not succeed in adding an autostart registry entry, it copies the downloaded file into the common Startup folder, whose path it reads from the following registry value:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Startup
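Both autostart chains on this page (the ShellServiceObjectDelayLoad value whose CLSID resolves to ms**32.dll through HKCR\CLSID\<CLSID>\InprocServer32, under Autostart Methods, and the Active Setup Installed Components StubPath pointing at C:\Recycled\userinit.exe, above) can be hunted from a "reg export" of the relevant keys. The following is an added example and not code from the original description or from any vendor. The .reg snapshot it parses is constructed for the example (the value name msqt32.dll and the CLSID {A1B2C3D4-1111-2222-3333-444455556666} are invented; only the Active Setup GUID comes from the page), and the parser handles only string values, which is all these entries use.

```python
"""Resolve the Feebs autostart entries in a `reg export` snapshot (added example).

Works on .reg text so it runs offline. A real export is UTF-16LE; read it with
open(path, encoding="utf-16") before passing the text in. SAMPLE_EXPORT below is
constructed for this example and does not come from an infected system.
"""
import re
from typing import Dict, List, Tuple

SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
GUID = r"(\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\})"
INPROC_RE = re.compile(r"^HKEY_CLASSES_ROOT\\CLSID\\" + GUID + r"\\InprocServer32$", re.I)
ACTIVE_SETUP_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\" + GUID + "$", re.I)
FEEBS_DLL_RE = re.compile(r"^ms[a-z]{2}32\.dll$", re.I)          # ms**32.dll
RECYCLED_RE = re.compile(r"^[a-z]:\\Recycled\\userinit\.exe$", re.I)
REG_LINE_RE = re.compile(r'^(?:@|"([^"]*)")="(.*)"$')             # "name"="str" or @="str"


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax that `reg export` emits for string values.

    Returns {key path: {value name: data}}; the key's default value is stored as
    "(Default)". dword:/hex: values are skipped. reg export doubles backslashes and
    escapes quotes inside strings, so both are unescaped here.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = REG_LINE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            keys[current][name] = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return keys


def resolve_ssodl(keys: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[str, str]]:
    """Map each SSODL value name to (CLSID, DLL path from that CLSID's InprocServer32).

    SSODL stores only CLSIDs; the file Explorer actually loads is one indirection
    away. A CLSID with no InprocServer32 in the snapshot yields '' for the path.
    """
    inproc: Dict[str, str] = {}
    ssodl: Dict[str, str] = {}
    for key, values in keys.items():
        m = INPROC_RE.match(key)
        if m:
            inproc[m.group(1).upper()] = values.get("(Default)", "")
        elif key.lower() == SSODL_KEY.lower():
            ssodl = values
    return {name: (clsid, inproc.get(clsid.strip().upper(), "")) for name, clsid in ssodl.items()}


def feebs_ssodl_suspects(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """SSODL entries whose value name, or whose resolved DLL basename, is ms**32.dll.

    Both sides are checked because the page describes the worm naming the value
    after the DLL; on a tampered box the two views may not agree, so report either.
    """
    hits = []
    for name, (_clsid, path) in resolve_ssodl(keys).items():
        basename = path.replace("/", "\\").rsplit("\\", 1)[-1]
        if FEEBS_DLL_RE.match(name) or FEEBS_DLL_RE.match(basename):
            hits.append(name)
    return sorted(hits)


def active_setup_suspects(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Active Setup components whose StubPath launches userinit.exe from <drive>:\\Recycled."""
    hits = []
    for key, values in keys.items():
        m = ACTIVE_SETUP_RE.match(key)
        if m and RECYCLED_RE.match(values.get("StubPath", "")):
            hits.append(m.group(1).upper())
    return sorted(hits)


# Constructed snapshot: one benign SSODL entry, one Feebs-shaped entry, one dangling CLSID,
# one benign Active Setup component and the StubPath entry described on this page.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"msqt32.dll"="{A1B2C3D4-1111-2222-3333-444455556666}"
"Orphan"="{00000000-0000-0000-0000-000000000000}"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32]
@="%SystemRoot%\\System32\\webcheck.dll"
"ThreadingModel"="Both"

[HKEY_CLASSES_ROOT\CLSID\{A1B2C3D4-1111-2222-3333-444455556666}\InprocServer32]
@="C:\\WINDOWS\\system32\\msqt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4340}]
"StubPath"="regsvr32.exe /s /n /i:U shell32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CD5AC91B-AE7B-E83A-0C4C-E616075972F3}]
"StubPath"="C:\\Recycled\\userinit.exe"
"""

if __name__ == "__main__":
    snapshot = parse_reg_export(SAMPLE_EXPORT)
    for name, (clsid, path) in resolve_ssodl(snapshot).items():
        print(f"SSODL {name:12} {clsid} -> {path or '<no InprocServer32>'}")
    print("Feebs-like SSODL entries:", feebs_ssodl_suspects(snapshot))
    print("Feebs-like Active Setup components:", active_setup_suspects(snapshot))
```

Resolving the CLSID rather than grepping for the value name is the point: a defender who only lists SSODL sees a GUID, and the DLL it loads is only visible after following the InprocServer32 indirection. Because the page says the DLL hooks system functions to hide its registry changes, run the export from a clean boot environment or compare it against an offline copy of the hive.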
- Then, to lower system security, it deletes the following entries under the Services key, which belong to the drivers or services of some security applications:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services:
- pcipim
- pcIPPsC
- RapDrv
- FirePM
- KmxFile
| Description Last Updated Date | Mar 12, 2007 |
| Reference | ID - 148962 |