W32/Feebs.fam.M@mm

Alias/es: Js/Ider.A.worm, JS_FEEBS.GEN, Worm.Win32.Feebs.iq
Release Date: Sep 26, 2006

Detection Availability (Active Database / Extended Database)
FortiGate: low / high
FortiClient
FortiMail: N/A
Current Antivirus Definition Database Version: 12.323
Description

Visible Symptoms

Presence of the folder c:\Recycled

Detailed Analysis

  • This detection is for the Feebs Script malware.

  • The malware attempts to download files from various sites:
    hoop.kazan.bz\god.txt
    poljop.freecoolsite.com\test.txt
    fr33.by.ru\ol.txt
    nolko.t35.com\god.c
    jmo31.by.ru\big.txt
    psixi.wol.bz\test.txt
    duuw.nm.ru\ol.txt

  • The malware creates a folder named c:\Recycled and drops a file named userinit.exe into it.
  • It also attempts to place a copy of userinit.exe into the default folders indicated in the registry:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Startup\

  • The malware applies the following registry modifications:
    HKCU\Software\Microsoft\Internet Explorer\mal\
    @=randy_presuhn@bmc.com
    HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{CD5AC91B-AE7B-E83A-0C4C-E616075972F3}\
    StubPath=c:\Recycled\userinit.exe
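The two registry artefacts above are what an analyst would look for when triaging a hive export from a suspect host: an Active Setup StubPath that points into c:\Recycled (Active Setup stub paths are run at user logon, which is how the dropped userinit.exe persists) and the odd "mal" key under Internet Explorer. The script below is an added example, not part of this entry or of Fortinet's tooling; it parses a constructed .reg export (the sample text and the benign GUID in it are made up for the demonstration) and reports any matches.

```python
# Added example: triage a .reg export for the persistence artefacts this entry lists.
# SAMPLE_REG is constructed for the demonstration; the first Active Setup entry is a
# made-up benign component so the check can show a non-match alongside the matches.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{BENIGN00-0000-0000-0000-000000000001}]
"StubPath"="C:\\Windows\\system32\\example_component.exe /install"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CD5AC91B-AE7B-E83A-0C4C-E616075972F3}]
"StubPath"="c:\\Recycled\\userinit.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\mal]
@="randy_presuhn@bmc.com"
"""

ACTIVE_SETUP_PREFIX = r"hkey_local_machine\software\microsoft\active setup\installed components" + "\\"
IE_MAL_KEY = r"hkey_current_user\software\microsoft\internet explorer\mal"
RECYCLED_PREFIX = r"c:\recycled" + "\\"


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: string_data}} (string values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line and not line.startswith(";"):
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            # .reg string data is quoted, with backslashes and quotes escaped
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def find_feebs_artifacts(text):
    """Return (rule, key, data) findings for the registry artefacts listed in this entry."""
    findings = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        if k.startswith(ACTIVE_SETUP_PREFIX):
            stub = next((d for n, d in values.items() if n.lower() == "stubpath"), "")
            if stub.lower().startswith(RECYCLED_PREFIX):
                findings.append(("active_setup_stubpath", key, stub))
        elif k == IE_MAL_KEY:
            findings.append(("ie_mal_key", key, values.get("(Default)", "")))
    return findings
```

A real export is produced with `reg export HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components out.reg` and read into `find_feebs_artifacts` as text; the StubPath rule flags any stub in c:\Recycled, not only the GUID this entry names.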


  • The malware is highly polymorphic, is written in both VBS and JS, and often arrives as an ".hta" (HTML application) file.

  • A screenshot of the malware upon execution accompanies the original entry (image not reproduced here).

Description Last Updated: Sep 28, 2006
Reference ID: 292641