W32/Feebs.gen@MM

Type: Virus
SubType: E-mail worm
Discovery Date: 01/12/2006
Length: varies
Minimum DAT: 4673 (01/12/2006)
Updated DAT: 4679 (01/20/2006)
Minimum Engine: 5.1.00
Description Added: 01/12/2006
Description Modified: 01/23/2006 8:58 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This detection is for a new variant downloaded by JS/Feebs.gen@MM.

This worm bears the following characteristics:

  • it is a polymorphic worm
  • it configures itself to load at startup
  • it creates copies of itself in folders whose names contain the string "shar" (to propagate via P2P sharing programs such as Kazaa, Bearshare, Edonkey, etc.)
  • it mails itself, constructing messages with its own SMTP engine and sending them to email addresses harvested from the victim machine
  • it injects a ZIP attachment containing a copy of the worm into outgoing SMTP sessions
  • it opens backdoor ports (TCP 80 and 40729)

The Win32 executable (W32/Feebs.gen@MM) is downloaded when the user executes the polymorphic script detected as JS/Feebs.gen@MM.

Mail Propagation - Massmailing
The worm constructs outgoing messages using its own SMTP engine. Target email addresses are harvested from the victim machine.

The From: header of outgoing messages is spoofed (combining random strings together with domains of email addresses harvested from the victim machine).

The message body:
-----
You have received Secure Mail from HotMail.com user.
This message is addressed personally for you.
To decrypt your message use the following details:

ID: 22118
Password: amhqsqhnc

Keep your password in a safe place and under no circumstances give it to ANYONE.

Secure Mail and instruction is attached.

Thank you,
Protected Message System,
HotMail.com
-----

The attachment is a ZIP file containing an HTML Application file (.HTA extension).

Mail Propagation - Attachment Injection
The worm monitors the system for outgoing SMTP connections (TCP port 25) and injects the ZIP file containing a copy of the worm into the ongoing transmission.
The worm does not rely on any specific email client. A user sending email from an infected machine will not notice that their mail carried an additional attachment.
Sender and recipient addresses are not spoofed in this case.
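
As an added triage example (not code from this description or from McAfee), the following Python script checks a captured message for the two mail artefacts described in the massmailing and attachment-injection sections: the "Secure Mail" lure body and a ZIP attachment holding a .HTA file. Because the injected attachment rides on legitimate mail with genuine sender and recipient addresses, the check inspects attachment content rather than headers or filenames. The sample message is constructed in memory with an inert placeholder .HTA; the function and marker names are this example's own.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Phrases taken from the lure body quoted in the description; all three must
# appear in the text body for a lure hit, to keep false positives low.
LURE_MARKERS = (
    re.compile(r"received Secure Mail from HotMail\.com user", re.I),
    re.compile(r"^ID:\s*\d+", re.I | re.M),
    re.compile(r"^Password:\s*\S+", re.I | re.M),
)


def has_lure_text(body: str) -> bool:
    """True when every lure marker is present in the message body."""
    return all(p.search(body) for p in LURE_MARKERS)


def hta_members(data: bytes) -> list[str]:
    """Names of .hta entries inside ZIP bytes; empty list if not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(".hta")]
    except zipfile.BadZipFile:
        return []


def triage(raw: bytes) -> dict:
    """Inspect one RFC 822 message (raw bytes) for the Feebs lure and attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    lure = has_lure_text(body)

    found = []
    for part in msg.iter_attachments():
        # Judge by content, not by declared MIME type or filename: in the
        # injection case both are chosen by the worm, not by the sender.
        payload = part.get_payload(decode=True) or b""
        found.extend(hta_members(payload))

    return {"lure_text": lure, "hta_in_zip": found,
            "suspicious": lure or bool(found)}


def build_sample() -> bytes:
    """Constructed sample message; the .hta member is inert placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Secure Mail.hta", "<html><body>placeholder</body></html>")
    msg = EmailMessage()
    msg["From"] = "xkqz@example.org"      # random local part + harvested domain
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Secure Mail"
    msg.set_content(
        "You have received Secure Mail from HotMail.com user.\n"
        "This message is addressed personally for you.\n"
        "To decrypt your message use the following details:\n\n"
        "ID: 22118\nPassword: amhqsqhnc\n"
    )
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Secure Mail.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```

Feed `triage()` the raw bytes of any saved message (an `.eml` file) to apply the same check; a message in the injection case will report `hta_in_zip` without `lure_text`, which is why the two signals are returned separately.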

Remote Access Component
The worm contains a remote access component, similar to that observed for previous variants. The worm listens on TCP ports 80 and 40729 to allow a remote attacker to issue instructions to the worm (such as FTP commands).

Additionally, the worm attempts to download a binary from several static remote server addresses:

  • http://[removed]/33/9x2.jpg 8.exe
  • http://[removed]/manual/faq/nt.exe

At the time of writing, the binaries from these sites were not available.

Symptoms

  • Existence of the files and Registry keys described above
  • TCP ports 80 and 40729 opened on infected machine
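
An added example, not part of the original description: a Python check that parses saved `netstat -an` output (Windows or Linux format) for listeners on the two ports named above, so it can be run offline against output collected from a suspect host. The sample output is constructed, and the `expected_http_server` flag is this example's own way of recording that port 80 alone is a weak signal on a host that legitimately serves HTTP, while 40729 is the distinctive indicator.

```python
import re

# TCP ports the description says the worm listens on
FEEBS_PORTS = {80, 40729}

# Local-address column of a listening TCP socket in Windows netstat output
# ("TCP    0.0.0.0:80    0.0.0.0:0    LISTENING") and in Linux output
# ("tcp    0    0 0.0.0.0:80    0.0.0.0:*    LISTEN"); the optional group
# skips the Linux Recv-Q/Send-Q counters.
LISTEN_RE = re.compile(
    r"^\s*tcp6?\s+(?:\d+\s+\d+\s+)?\S+:(\d+)\s+\S+\s+LISTEN(?:ING)?\b", re.I
)


def listening_ports(netstat_output: str) -> set[int]:
    """Extract the set of local TCP ports in LISTEN state from netstat -an text."""
    ports: set[int] = set()
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def feebs_indicators(netstat_output: str, expected_http_server: bool = False) -> dict:
    """Match listeners against the worm's ports and rate the result."""
    found = listening_ports(netstat_output) & FEEBS_PORTS
    # Port 80 is normal on a web server, so it only counts when the host is not
    # expected to serve HTTP; 40729 is the distinctive indicator on its own.
    suspicious = 40729 in found or (80 in found and not expected_http_server)
    return {"matched_ports": sorted(found), "suspicious": suspicious}


# Constructed Windows netstat -an output for the demo (not captured from a real host)
SAMPLE_WINDOWS = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:40729          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1045       203.0.113.7:25         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Constructed Linux netstat -an line, to show the second format parses too
SAMPLE_LINUX = "tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN\n"


if __name__ == "__main__":
    print(feebs_indicators(SAMPLE_WINDOWS))
    print(feebs_indicators(SAMPLE_LINUX))
```

On a live host, pipe `netstat -an` into `feebs_indicators()`; a hit on 40729 warrants the DAT-based scan and file removal described under Removal, and a hit on 80 alone should be compared against what the machine is supposed to run.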

Method of Infection

This virus arrives as an email attachment or may be downloaded via P2P software. Executing the file infects the local system, which is then used to propagate the virus further.

Removal

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • JS_FEEBS.A (Trend)
  • W32.Feebs.B@mm (Symantec)
  • W32/Kmax.gen@MM
