W32/Feebs.CB!worm

• The ms**.exe file component of the worm also drops a hidden file into the root folder. It is Upack compressed, has a one alphabetic character for its name with no filename extension. If by chance there is an existing file in the root folder with the same name, the worm will try the next letter in the alphabet until it gets one that is not used (Example: a,b,c, etc.). This one-letter-named file is then copied into the System32 folder as a hidden file named ms**32.dll, and then deleted afterwards.If the worm fails to copy it into the System32 folder, it terminates prematurely and leaves the hidden one-letter-named file in the root folder.

• The worm injects its ms**32.dll component into Explorer.exe and several other processes currently running in the system. This ensures that it stays resident in memory as much as possible.

• The DLL component of the worm also has rootkit features that it uses to implement stealth techniques. By hooking system functions, the worm hides files and registry changes it made in the system. Due to this feature, Windows Explorer, some file management tools, registry tools or even some rootkit detectors may fail to see them.

• If the worm detects the presence of a debugger, it terminates prematurely. In its attempt to avoid detection, it also tries to delete the following autorun registry keys belonging to known security applications:
  • avp6
  • avz
  • firesvc
  • hackereliminator
  • keylog
  • kpf4gui
  • kpf4ss
  • mcafeefire
  • nod32krn
  • outpost
  • rapapp
  • rootkitrevealer

(Note: The * character stands for a random alphabetical character)

• key: HKEY_LOCAL_MACHINE\Software\Microsoft\MS**\dat
• key: HKEY_LOCAL_MACHINE\Software\Microsoft\MS**\*dat

• Via Email
  • Using its own SMTP engine, this worm can propagate via email by forging emails and sending them to addresses it collected from the system. The worm may identify itself to the SMTP receiver using a bogus host name with the format shown in the beginning of the list below, or it may pose as one of the five popular mail domains found in the rest of the list below:
    • *********.com - where * stands for a random alphabetic character (Example: fbpwrhtla.com, lmvkahwaq.com, etc.)
    • aol.com
    • gmail.com
    • hotmail.com
    • msn.com
    • yahoo.com

  • It collects recipient email addresses from the infected user's files, particularly those with filename extensions like HLP, TXT, MDB, DBX, WAB, XLS, PST, HTT, VBS, DOC, EML, RTF, HTM, XML, PHP, ASP, etc.

  • As for the sender email addresses, it uses a combination of any of the following names and domains:

    • n#####@ <any of the following domains > - where # stands for a random number; (Examples: n36580@aol.com, n21321@msn.com, etc.)

      • aol.com
      • gmail.com
      • hotmail.com
      • msn.com
      • yahoo.com

  • The worm generates a HTML application (HTA) file, puts it inside a ZIP archive, attaches it to an email and sends it out to unsuspecting users. It can either carry the executable binary component of the worm and drop it into the system, or it can download an updated version of the worm from somewhere in the internet.

  • The email sent out by this worm contains the following details:
    • Subject: - This is composed of two to four parts taken from any of the following:

      • First Part:
        • Encrypted
        • Protected
        • Secure

      • Second Part:
        • E-mail
        • Mail
        • Message

      • Third Part:
        • System
        • Service
        • from <any of the following> user.
        • Aol.com
        • Gmail.com
        • Hotmail.com
        • Msn.com
        • Yahoo.com

      • Fourth Part:
        • (Aol.com)
        • (Gmail.com)
        • (Hotmail.com)
        • (Msn.com)
        • (Yahoo.com)

    • Body - This follows the following format:

      • ID: < random 5 numerical characters >
        Password: < random 9 alphabetical characters >
        
        Message is attached.
        
        < any in the CLOSING 1 list below >
        < any in the CLOSING 2 list below >
        < any in the CLOSING 3 list below >
        

      • CLOSING 1:
        • Best Regards,
        • Sincerely,
        • Thank you,

      • CLOSING 2:

        • First Part:
          • Encrypted
          • Protected
          • Secure

        • Second Part:
          • E-mail
          • Mail
          • Message

        • Third Part:
          • System,
          • Service,

      • CLOSING 3:
        • AOL.com
        • Gmail.com
        • HotMail.com
        • MSN.com
        • Yahoo.com

    • Attachment: - It is a ZIP file containing a script file inside. The ZIP file uses any of the following names:
      • data.zip
      • mail.zip
      • message.zip
      • msg.zip

  • Below is a screenshot of a sample email sent out by this worm.

    

• Via Peer-to-Peer(P2P)
  • The worm searches for folders with names containing the root word "download", "incom", or "share" and drops around 12 ZIP archive files that contain a copy of the worm inside. It will drop these archives even if the parent folder is not created by a downloader application. If the folder contains subfolders inside, the worm will also drop the same 12 ZIP files into them. Note that since the worm employs rootkit techniques to hide these ZIP files, the user will not be able to see them with common file management applicaitons like Windows Explorer.

  • Below are the formats of the names used by the worm for the ZIP archives:

    (Note: The # character stands for a version number.)

    • 3dsmax_#_(3D_Studio_Max)_new!_full+crack.zip
    • ACDSee_#_new!_full+crack.zip
    • Adobe_Photoshop_#_(CS#) _new!_full+crack.zip
    • Adobe_Premiere_#_(#.0_pro)_new!_full+crack.zip
    • Ahead_Nero_#_new!_full+crack.zip
    • DivX_#.0_new!_full+crack.zip
    • ICQ_ _new!_full+crack.zip
    • Internet_Explorer_#_new!_full+crack.zip
    • Kazaa_#_new!_full+crack.zip
    • Longhorn_new!_full+crack.zip
    • Microsoft_Office_2006_new!_full+crack.zip
    • winamp_#_new!_full+crack.zip

  • The *.ZIP archives contain two files as follows:
    • webinstall.exe - This is a copy of the ms**.exe dropper component of the worm.
    • < ZIP filename without the new!_full+crack.zip part > serial.txt - (Example: winamp_7_serial.txt) This is a text file containing the text string "11111-11111-11111".

• This refers to the HTA script file inside the *.ZIP archives attached to the emails that the worm sends out during its mail propagation. This script file is polymorphic, written in Javascript, and will have a name composed of any of the words below followed by an HTA extension. (Example: Encrypted E-mail File.hta)

  • First Part:
    • Encrypted
    • Protected
    • Secure

  • Second Part:
    • E-mail
    • Mail
    • Message

  • Third Part:
    • File

• Once executed, it opens a window with a title chosen from any of the following:
  • AOL.com
  • Gmail.com
  • HotMail.com
  • MSN.com
  • Yahoo.com

• It downloads a file with a *.txt or *.c filename extension from a set of websites using any of the domains below. It saves this downloaded file into the C:\Recycled folder and names it "userinit.exe".
  • t35.com
  • wol.bz
  • nm.ru
  • 1gb.ru
  • zoo.by
  • by.ru
  • newmail.ru

• It creates the following registry entries to store information and autostart:
  • HKCU\Software\Microsoft\Internet Explorer\ < 3 random alphabetic characters >
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CD5AC91B-AE7B-E83A-0C4C-E616075972F3}: Stubpath = "C:\Recycled\userinit.exe"

• If it does not succeed in adding an autostart registry entry, it copies the downloaded file into the Startup folder whose path is found at the following registry entry:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Startup

• Then, to lower system security, it deletes the following startup registry values, which are associated with the services of some security applications:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services:
    • pcipim
    • pcIPPsC
    • RapDrv
    • FirePM
    • KmxFile