W32/Feebs.fam.M@mm - Released Sep 26, 2006 - Last Updated Sep 28, 2006
Alias/es: Js/Ider.A.worm, JS_FEEBS.GEN, Worm.Win32.Feebs.iq
Visible Symptoms: Presence of the folder c:\Recycled
Detailed Analysis: This detection is for the Feebs Script malware.
The malware attempts to download files from various sites:
The malware creates a folder named c:\Recycled and drops a file named userinit.exe into it.
It also attempts to place a copy of userinit.exe into the Common Startup folder, whose path it reads from the registry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Startup\
The malware applies the following registry modifications:
HKCU\Software\Microsoft\Internet Explorer\mal\
@=randy_presuhn@bmc.com
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{CD5AC91B-AE7B-E83A-0C4C-E616075972F3}\Stubpath
Stubpath=c:\Recycled\userinit.exe
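A host-side check for the persistence artifacts described above, written here as an added example that is not part of the Fortinet entry. It assumes an elevated PowerShell session on the host under examination, and it generalizes the Active Setup check to any StubPath that launches a userinit.exe outside System32 rather than only the CLSID quoted in the entry.

```powershell
# Added example (not from the Fortinet entry): audit the persistence locations
# this entry describes for a userinit.exe that is not the legitimate one.
# Assumes an administrator session on the host being examined.
$findings = @()
$dropPath = 'c:\Recycled\userinit.exe'
$legitUserinit = Join-Path $env:SystemRoot 'System32\userinit.exe'

# 1. Dropped file at the fixed path the entry names.
if (Test-Path -LiteralPath $dropPath) {
    $findings += "Dropped file present: $dropPath"
}

# 2. Active Setup: each Installed Components subkey runs its StubPath once per
#    user at logon. Flag any StubPath that names a userinit.exe other than the
#    real one in System32 (generalizes beyond the CLSID quoted in the entry).
$activeSetup = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
Get-ChildItem -Path $activeSetup -ErrorAction SilentlyContinue | ForEach-Object {
    $stub = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).StubPath
    if ($stub -and $stub -match 'userinit\.exe' -and $stub -notlike "*$legitUserinit*") {
        $findings += "Suspicious Active Setup StubPath in $($_.PSChildName): $stub"
    }
}

# 3. Common Startup: resolve the folder the same way the malware does, via the
#    Shell Folders key, then look for a copied userinit.exe inside it.
$shellFolders = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
$commonStartup = (Get-ItemProperty -Path $shellFolders -ErrorAction SilentlyContinue).'Common Startup'
if ($commonStartup) {
    $copy = Join-Path $commonStartup 'userinit.exe'
    if (Test-Path -LiteralPath $copy) {
        $findings += "userinit.exe copied into Common Startup: $copy"
    }
}

# 4. The marker key the entry lists under HKCU\...\Internet Explorer\mal.
if (Test-Path -LiteralPath 'HKCU:\Software\Microsoft\Internet Explorer\mal') {
    $findings += 'Marker key present: HKCU\Software\Microsoft\Internet Explorer\mal'
}

if ($findings.Count -eq 0) { 'No W32/Feebs indicators from this entry were found.' }
else { $findings }
```

A hit on check 2 or 3 alone warrants a closer look even if the dropped file is absent, since the entry notes the sample is polymorphic and the drop path may vary between variants.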
The malware is highly polymorphic, is written in both VBS and JS, and often arrives as an ".hta" (HTML application) file.
Below is a screenshot of the malware upon execution:
Recommended Action
FortiGate systems:
- Check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option.
FortiClient systems:
- Quarantine/delete infected files detected and replace infected files with clean backup copies.