W32/Feebs.fam!worm

• The ms**.exe file component of the worm also drops a hidden file into the root folder. It is Upack compressed, has a one alphabetic character for its name with no filename extension. If by chance there is an existing file in the root folder with the same name, the worm will try the next letter in the alphabet until it gets one that is not used (Example: a,b,c, etc.). This one-letter-named file is then copied into the System32 folder as a hidden file named ms**32.dll, and then deleted afterwards. If the worm fails to copy it into the System32 folder, it terminates prematurely and leaves the hidden one-letter-named file in the root folder.

• The worm injects its ms**32.dll component into Explorer.exe and several other processes currently running in the system. This ensures that it stays resident in memory as much as possible.

• The DLL component of the worm also has rootkit features that it uses to implement stealth techniques. By hooking system functions, the worm hides files and registry changes it made in the system. Due to this feature, Windows Explorer, some file management tools, registry tools or even some rootkit detectors may fail to see them.

• If the worm detects the presence of a debugger, it terminates prematurely. In its attempt to avoid detection, it also tries to delete the following autorun registry keys belonging to known security applications:
  • avp6
  • avz
  • firesvc
  • hackereliminator
  • keylog
  • kpf4gui
  • kpf4ss
  • mcafeefire
  • nod32krn
  • outpost
  • rapapp
  • rootkitrevealer

(Note: The * character stands for a random alphabetical character)

• key: HKEY_LOCAL_MACHINE\Software\Microsoft\MS**\dat
• key: HKEY_LOCAL_MACHINE\Software\Microsoft\MS**\*dat

• Via Email
  • Using its own SMTP engine, this worm can propagate via email. The worm identifies itself to the SMTP receiver using a host name with the following format:
    • **.com - where * stands for a random alphabetic character (Example: bw.com, fw.com,hq.com, etc.)

  • It collects email addresses from files with HLP, TXT, MDB, DBX files it finds in the infected system and sends them emails.

  • As for the sender email addresses, it uses any of the domains listed above and combines them with any of the following names, or it may generate a name composed of random alphabetic characters. Sometimes it may combine the names with a 4-digit numbered year ranging from 2000 to the current system year.
    • adam
    • alex
    • alice
    • alley
    • andrew
    • angel
    • anna
    • baby
    • bill
    • bob
    • brenda
    • brent
    • brian
    • cindy
    • claudia
    • dan
    • dave
    • david
    • debby
    • fred
    • george
    • helen
    • honey
    • jack
    • james
    • jane
    • jerry
    • jim
    • jimmy
    • joe
    • john
    • jose
    • julie
    • kevin
    • leo
    • linda
    • maria
    • mary
    • matt
    • melissa
    • mia
    • michael
    • mike
    • milla
    • neo
    • nikky
    • pamela
    • peter
    • pussy
    • ray
    • robert
    • sam
    • serg
    • sexy
    • smith
    • stan
    • steve
    • sunny
    • sweety
    • tanya
    • ted
    • tom
    • trinity

  • The worm generates a HTML application (HTA) file, puts it inside a ZIP archive, attaches it to an email and sends it out to unsuspecting users. It can either carry the executable binary component of the worm and drop it into the system, or it can download an updated version of the worm from somewhere in the internet.

  • The email sent out by this worm contains the following details:
    • Subject: - This can be any of the following:
      • Hi
      • Hello

    • Body - This follows the format below and sometimes some of the words in the message body are intentionally misspelled. It is possibly a means for the worm to avoid antispammers, antivirus, or security related applications that rely on specific email details for detection. As for the name used in the body, they can be any of the ones in the list above that is used for the email addresses:

      • Hi <random name> .
        Here that page which you asked to send. password: random 8-digit number
        <random closing remarks>,
        <random name>
        _________
        http://nbhf.nm.ru - Profit 1% daily
        
        

    • Attachment: - It is a ZIP file containing a HTA file inside. The HTA file will have a name composed of random alphabetical characters, while the ZIP file uses any of the following names:
      • page.zip
      • data.zip
      • message.zip
      • document.zip
      • msg.zip

    • Closing Remarks: - This can be any of the following:
      • Bye
      • Sincerely
      • Best Regards

• Via Peer-to-Peer(P2P)
  • The worm searches for folders with names containing the root word "download" or "share" and drops around 12 ZIP archive files that contain a copy of the worm inside. It will drop these archives even if the parent folder is not created by a downloader application. If the folder contains subfolders inside, the worm will also drop the same 12 ZIP files into them. Note that since the worm employs rootkit techniques to hide these ZIP files, the user will not be able to see them with common file management applications like Windows Explorer.

  • Below are the formats of the names used by the worm for the ZIP archives:

    (Note: The # character stands for a version number.)

    • 3dsmax_#_(3D_Studio_Max)_new!_full+crack.zip
    • ACDSee_#_new!_full+crack.zip
    • Adobe_Photoshop_#_(CS#) _new!_full+crack.zip
    • Adobe_Premiere_#_(#.0_pro)_new!_full+crack.zip
    • Ahead_Nero_#_new!_full+crack.zip
    • DivX_#.0_new!_full+crack.zip
    • ICQ_ <some year between 2000 to current year> _new!_full+crack.zip
    • Internet_Explorer_#_new!_full+crack.zip
    • Kazaa_#_new!_full+crack.zip
    • Microsoft_Office_2006_new!_full+crack.zip
    • Vista_Final_new!_full+crack.zip
    • winamp_#_new!_full+crack.zip

  • The *.ZIP archives contain two files as follows:
    • webinstall.exe - This is a copy of the ms**.exe dropper component of the worm.
    • < ZIP filename without the new!_full+crack.zip part > serial.txt - (Example: winamp_7_serial.txt) This is a text file containing the text string "11111-11111-11111".

• This refers to the HTA script file inside the *.ZIP archives attached to the emails that the worm sends out during its mail propagation. This script file is polymorphic and is written in Javascript. Once executed, it displays a fake message and downloads a file with a *.txt or *.c filename extension from a set of websites using any of the domains below. It saves this downloaded file into the C:\Recycled folder and names it "userinit.exe".
  • t35.com
  • wol.bz
  • nm.ru
  • 1gb.ru
  • zoo.by
  • by.ru
  • newmail.ru

• It creates the following registry entries to store information and autostart:
  • HKCU\Software\Microsoft\Internet Explorer\ < 3 random alphabetic characters >
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CD5AC91B-AE7B-E83A-0C4C-E616075972F3}: Stubpath = "C:\Recycled\userinit.exe"

• If it does not succeed in adding an autostart registry entry, it copies the downloaded file into the Startup folder whose path is found at the following registry entry:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Startup

• Then, to lower system security, it deletes the following startup registry values, which are associated with the services of some security applications:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services:
    • pcipim
    • pcIPPsC
    • RapDrv
    • FirePM
    • KmxFile