JS.Feebs.Gen
SYMPTOMS: See technical description.

TECHNICAL DESCRIPTION: This is a polymorphic, JavaScript-encoded HTML virus. It spreads through e-mail as an attachment and through P2P networks via shared folders. It attempts to steal information, disable security products and delete registry keys, and it uses its own SMTP engine to spread. There are two main variants: a downloader (about 3 KB) that downloads an executable from a list of websites, and the virus itself (about 80 KB), which contains a backdoor with rootkit capabilities.

Through e-mail, it arrives with a .ZIP attachment that contains a .HTA or .HTML file. The subject may be (but is not limited to):
Encrypted E-mail
Encrypted E-mail Service
Encrypted E-mail System
Encrypted Mail
Encrypted Mail Service
Encrypted Mail System
Encrypted Message
Encrypted Message Service
Encrypted Message System
Protected E-mail
Protected E-mail Service
Protected E-mail System
Protected Mail
Protected Mail Service
Protected Mail System
Protected Message
Protected Message Service
Protected Message System
Secure Mail
Secure Mail Service
Secure Mail System
Secure Message
Secure Message Service
Secure Message System
Secure E-mail Service (?????.com)
Secure E-mail System (?????.com)
Secure Mail Service (?????.com)
Secure Mail System (?????.com)
Protected Mail System (?????.com)
Protected Mail Service (?????.com)
Encrypted E-mail from ?????.com user.
Encrypted Mail from ?????.com user.
Encrypted Message from ?????.com user.
Protected E-mail from ?????.com user.
Protected Mail from ?????.com user.
Protected Message from ?????.com user.
Secure E-mail from ?????.com user.
Secure Mail from ?????.com user.
Secure Message from ???.com user.
where ????? may be a mail provider such as yahoo, gmail, msn, hotmail or aol. The subject is thus constructed from the keywords: Encrypted, Protected, Secure, E-mail, Mail, Message, System, Service.

The body may be (but is not limited to):
ID: ???? (random digits)
Password: ????????? (9 random letters)
Message is attached.
or
id: ???? (random digits)
pass: ????????? (9 random letters)
Message is attached.

The attachment (.ZIP) is usually named (but not limited to):
msg.zip
msg?.zip (where ? may be a digit)
msg_?_.zip (where ? may be a digit)
data.zip
data?.zip (where ? may be a digit)
data_?_.zip (where ? may be a digit)
help.zip
help?.zip (where ? may be a digit)
help_?_.zip (where ? may be a digit)
mail.zip
mail?.zip (where ? may be a digit)
mail_?_.zip (where ? may be a digit)
message.zip
message?.zip (where ? may be a digit)
message_?_.zip (where ? may be a digit)

Inside the .ZIP attachment is a .HTA/.HTML file. Its name may be (but is not limited to):
Encrypted E-mail File.hta
Encrypted Html File.hta
Encrypted Message File.hta
Encrypted_Mail_File.hta
Encrypted_Message_File.hta
Extended E-mail File.hta
Extended Html File.hta
Extended Mail File.hta
Extended Message File.hta
Extended_E_mail_File.hta
Html Help File.hta
Protected E-mail File.hta
Protected Html File.hta
Protected Mail File.hta
Protected Message File.hta
Protected_E_mail_File.hta
Protected_Html_File.hta
Protected_Mail_File.hta
Secure E-mail File.hta
Secure Html File.hta
Secure Mail File.hta
Secure Message File.hta
Secure_E_mail_File.hta
Secure_Html_File.hta
Secure_Message_File.hta
The filename is thus constructed from the keywords (with the .HTA extension): Encrypted, Extended, Protected, Secure, E-mail, Html, Message, Mail, Help, File.

Once run, the virus attempts to terminate programs and services whose names contain:
armor2net, armorwall, avgcc, avp6, aws, bgnewsui, blackd, bullguard, ca, ccapp, ccevtmgr, ccproxy, ccsetmgr, dfw, dpf, fbtray, fireballdta, FirePM, firesvc, firewal, fsdfwd, fw, fwsrv, goldtach, hacker, hackereliminator, iamapp, iamserv, internet security, ipatrol, ipcserver, jammer, kaspe, kavpf, keylog, keypatrol, KmxAgent, KmxBiG, KmxCfg, KmxFile, KmxFw, KmxIds, KmxNdis, KmxSbx, kpf4gui, kpf4ss, leviathantrial, looknstop, mcafeefire, mpftray, netlimiter, npfc, npfmsg, npfsvice, npgui, opf, opfsvc, outpost, pavfnsvr, pccpfw, pcipim, pcIPPsC, persfw, rapapp, RapDrv, smc, sndsrvc, spfirewallsvc, spfw, sppfw, sspfwtry2, s-wall, symlcsvc, ton, tzpfw, umxtray, vipnet, vsmon, xeon, xfilter, zapro, zlclient, zonealarm

It also copies itself into folders whose names contain "shar" (shared folders, for P2P propagation) under names such as:
3dsmax_9_(3D_Studio_Max)_new!_full+crack.zip
ACDSee_9_new!_full+crack.zip
Adobe_Photoshop_10_(CS3)_new!_full+crack.zip
Adobe_Premiere_9_(2.0_pro)_new!_full+crack.zip
Ahead_Nero_8_new!_full+crack.zip
DivX_7.0_new!_full+crack.zip
ICQ_2006_new!_full+crack.zip
Internet_Explorer_7_new!_full+crack.zip
Kazaa_4_new!_full+crack.zip
Longhorn_new!_full+crack.zip
Microsoft_Office_2006_new!_full+crack.zip
winamp_5.2_new!_full+crack.zip

It attempts to delete the FailureActions registry subkey of various services from:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\????\FailureActions]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\????\FailureActions]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\????\FailureActions]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\????\FailureActions]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\????\FailureActions]
where ???? may be the name of the service.

A complete analysis of this threat is under way. It will be available as soon as possible; please check back later.

REMOVAL INSTRUCTIONS: Please let BitDefender disinfect your files.

ANALYZED BY: Patrik Vicol, virus researcher
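The lure grammar above (subject keywords, ZIP and HTA naming, body template, FailureActions registry paths) is specific enough to match mechanically. The following is an added mail-gateway/host-triage helper, not BitDefender's code; the keyword sets come from the description, and every sample value in it is constructed.

```python
import re

# Added example, not part of the original write-up; patterns follow the description above.
# Subject: <Encrypted|Protected|Secure> <E-mail|Mail|Message> [System|Service] [(xxx.com)]
#      or: <Encrypted|Protected|Secure> <E-mail|Mail|Message> from xxx.com user.
_ADJ = r"(?:Encrypted|Protected|Secure)"
_NOUN = r"(?:E-mail|Mail|Message)"
_DOM = r"[a-z0-9.-]+\.com"
SUBJECT_RE = re.compile(
    rf"^{_ADJ}\s+{_NOUN}(?:(?:\s+(?:System|Service))?(?:\s+\({_DOM}\))?"
    rf"|\s+from\s+{_DOM}\s+user\.)$",
    re.IGNORECASE,
)
# ZIP attachment: msg.zip, msg3.zip, msg_3_.zip (likewise data/help/mail/message)
ZIP_RE = re.compile(r"^(?:msg|data|help|mail|message)(?:\d|_\d_)?\.zip$", re.IGNORECASE)
# File inside the ZIP: "Encrypted E-mail File.hta", "Secure_Html_File.hta", "Html Help File.hta"
HTA_RE = re.compile(
    r"^(?:Encrypted|Extended|Protected|Secure|Html)[ _]"
    r"(?:E[ _-]?mail|Html|Mail|Message|Help)[ _]File\.hta$",
    re.IGNORECASE,
)
# Body: "ID: 1234 Password: abcdefghi Message is attached." (or the "id:" / "pass:" form)
BODY_RE = re.compile(
    r"\bid:\s*\d+\s+(?:password|pass):\s*[A-Za-z]{9}\s+Message is attached\.",
    re.IGNORECASE,
)
# Registry subkey the virus deletes: HKLM\SYSTEM\<control set>\Services\<service>\FailureActions
FAILURE_ACTIONS_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})"
    r"\\Services\\[^\\]+\\FailureActions$",
    re.IGNORECASE,
)


def feebs_indicators(subject, attachment, body="", inner_name=""):
    """Return which lure components match; two or more together is a strong hit."""
    hits = []
    if SUBJECT_RE.match(subject.strip()):
        hits.append("subject")
    if ZIP_RE.match(attachment.strip()):
        hits.append("zip-name")
    if inner_name and HTA_RE.match(inner_name.strip()):
        hits.append("hta-name")
    if body and BODY_RE.search(body):
        hits.append("body")
    return hits


def is_failureactions_key(path):
    """True for a registry path matching the FailureActions subkeys listed above."""
    return bool(FAILURE_ACTIONS_RE.match(path.strip()))
```

A single component (a subject such as "Secure Mail" alone) is weak evidence; the combination of a matching subject, a short generic ZIP name and an .HTA inside it is what distinguishes this lure from legitimate encrypted-mail notifications.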