Worm.Win32.Feebs.h

This worm spreads via the Internet as an attachment to infected messages, and via file-sharing networks.

It sends itself to email addresses harvested from the victim machine.

The worm itself is a PE EXE file approximately 55KB in size.

Installation

Once launched, the worm copies itself to the Windows system directory under two random names of the form "ms<two random letters>.exe" and "ms<two random letters>" (no extension), e.g.

%System%\msof.exe
%System%\msrl

It also creates a file named "ms<two random letters>32.dll" in the Windows system directory, e.g.

%System%\mslv32.dll

This file has Hidden and System attributes assigned to it.

The worm creates the following system registry keys:

[HKLM\Software\Microsoft\ms<two random letters>\dat]
[HKLM\Software\Microsoft\ms<two random letters>\sdat]
[HKLM\Software\Microsoft\ms<two random letters>\fdat]
[HKLM\Software\Microsoft\ms<two random letters>\ldat]

[HKLM\Software\Classes\CLSID\<random CLSID>\InprocServer32]
"@"="%System%\ms<two random letters>32.dll"

[HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ms<two random letters>32.dll" = "<random CLSID>"
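The ShellServiceObjectDelayLoad entry is the persistence hook: Explorer loads every DLL listed there at shell start, resolving it through the CLSID's InprocServer32 path. As an added defender-side example (not code from this page or from the encyclopedia), the Python below walks a constructed registry snapshot, flags ShellServiceObjectDelayLoad loaders whose DLL follows the naming scheme described above, and correlates them with the ms<two letters>\dat keys; the CLSID and names in the snapshot are made-up sample values.

```python
import re

# Naming scheme from the description: "ms" + two random letters, plus "32.dll" for the DLL.
DROPPED_DLL = re.compile(r"^ms[a-z]{2}32\.dll$", re.IGNORECASE)
CONFIG_KEY = re.compile(
    r"^HKLM\\Software\\Microsoft\\ms[a-z]{2}\\(dat|sdat|fdat|ldat)$", re.IGNORECASE)
SSODL = r"HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
CLSID_ROOT = r"HKLM\Software\Classes\CLSID"

# Constructed registry snapshot: {key: {value_name: data}}; "@" is the default value.
# The CLSIDs and names are made-up sample values, not indicators taken from the page.
SAMPLE_REGISTRY = {
    SSODL: {
        "SampleShellExt": "{AAAAAAAA-0000-0000-0000-000000000001}",  # benign-looking entry
        "mslv32.dll": "{11111111-2222-3333-4444-555555555555}",     # worm-style entry
    },
    CLSID_ROOT + r"\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32": {
        "@": r"%System%\sampleext.dll"},
    CLSID_ROOT + r"\{11111111-2222-3333-4444-555555555555}\InprocServer32": {
        "@": r"%System%\mslv32.dll"},
    r"HKLM\Software\Microsoft\mslv\dat": {"@": ""},
    r"HKLM\Software\Microsoft\mslv\sdat": {"@": ""},
}

def find_ssodl_loaders(registry):
    """Flag ShellServiceObjectDelayLoad entries whose value name, or whose CLSID's
    InprocServer32 target, matches the ms<xx>32.dll scheme. Returns (name, clsid, path)."""
    hits = []
    for value_name, clsid in registry.get(SSODL, {}).items():
        server = registry.get(f"{CLSID_ROOT}\\{clsid}\\InprocServer32", {})
        dll_path = server.get("@", "")
        dll_name = dll_path.rsplit("\\", 1)[-1]
        if DROPPED_DLL.match(value_name) or DROPPED_DLL.match(dll_name):
            hits.append((value_name, clsid, dll_path))
    return hits

def find_config_keys(registry):
    """Return the worm's per-variant data keys (ms<xx>\\dat, sdat, fdat, ldat)."""
    return sorted(k for k in registry if CONFIG_KEY.match(k))

def infer_variant_prefix(registry):
    """Derive the 'ms' + two-letter prefix shared by the loader DLL and the data keys,
    so the dropped files (ms<xx>.exe, ms<xx>, ms<xx>32.dll) can be hunted by name."""
    prefixes = {name[:4].lower() for name, _, _ in find_ssodl_loaders(registry)}
    prefixes |= {key.split("\\")[3].lower() for key in find_config_keys(registry)}
    return prefixes

if __name__ == "__main__":
    print(find_ssodl_loaders(SAMPLE_REGISTRY))
    print(find_config_keys(SAMPLE_REGISTRY))
    print(infer_variant_prefix(SAMPLE_REGISTRY))
```

The name pattern alone is loose (legitimate Windows binaries such as msdt.exe also fit "ms" + two letters), so treat a hit as confirmed only when the loader entry and the data keys agree on the same prefix.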

Propagation via email

The worm sends itself to addresses harvested from the MS Outlook address book.

The worm establishes a direct connection to the recipient's SMTP server to send infected messages.

Infected messages

Message subject:

The message subject is composed of words chosen from the following list:

  • E-mail
  • Encrypted
  • Extended
  • Html
  • Mail
  • Message
  • Protected
  • Secure
  • Service
  • System

Message body:

Subject: happy new year
ID: <random number>
Password: <random characters>

Best Regards, or Thank you,
<message subject>,
<sender's domain name>

Attachment name (chosen from the list below):

  • data.zip
  • mail.zip
  • message.zip
  • msg.zip

The archive contains a JavaScript component which downloads a copy of the worm from designated servers. The downloaded copy is saved to C:\Recycled and launched. If the downloaded file cannot be registered in the system registry so that it is launched each time Windows starts on the victim machine, the infected file is moved to the %Startup% directory instead.

The JavaScript component also displays a fake web page informing the user that no Internet connection is available.

If it finds them on the victim machine, the JavaScript component also deletes the following entries from the system registry:

[HKLM\System\CurrentControlSet\Services]
"FirePM" 
"KmxFile" 
"pcipim" 
"pcIPPsC" 
"RapDrv"

Propagation via file-sharing networks

The worm creates copies of itself in all sub-directories which have the word "Share" in their names. The files have names chosen from the list below:

  • 3dsmax_9_(3D_Studio_Max)_new!_full crack.zip
  • ACDSee_9_new!_full crack.zip
  • Adobe_Photoshop_10_(CS3)_new!_full crack.zip
  • Adobe_Premiere_9_(2.0_pro)_new!_full crack.zip
  • Ahead_Nero_8_new!_full crack.zip
  • DivX_7.0_new!_full crack.zip
  • ICQ_2006_new!_full crack.zip
  • Internet_Explorer_7_new!_full crack.zip
  • Kazaa_4_new!_full crack.zip
  • Longhorn_new!_full crack.zip
  • Microsoft_Office_2006_new!_full crack.zip
  • winamp_5.2_new!_full crack.zip

Payload

Worm.Win32.Feebs.h terminates processes belonging to firewall and antivirus programs.

©Virus-Encyclopedia.com All Rights Reserved.