Sunday, 15 January 2006
W32.Feebs.E@mm is a mass-mailing worm that also spreads through file-sharing networks and lowers security settings on the compromised computer.
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Damage
Payload Trigger: n/a
Payload: n/a
Large scale e-mailing: Sends a copy of itself to email addresses gathered from the compromised computer.
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: Sends confidential information to a remote attacker.
Compromises security settings: Modifies firewall settings.
Distribution
Subject of email: Varies
Name of attachment: Varies
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: TCP port 80.
Shared drives: n/a
Target of infection: n/a
The worm arrives as an .HTA file delivered inside a .zip email attachment (see the attachment details below). HTML Applications run under mshta.exe with the rights of the logged-on user, outside the browser's security zones, so when the .HTA file is opened its JavaScript can write to disk and launch what it writes. The script performs the following actions:
Downloads a base64-encoded file from one or more of the following locations:
[http://]qnx.1gb.ru/[REMOVED]/d.php
[http://]ab.t35.com/[REMOVED]/d.c
[http://]hzs.nm.ru/[REMOVED]/d.c
[http://]users.cjb.net/[REMOVED]/xup/d.txt
[http://]zto.h16.ru/[REMOVED]/m.txt
Decodes the file, extracts the Windows executable it contains, and saves it as C:\Recycled\userinit.exe.
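The download-and-decode step above is what a web proxy or sandbox can catch: the fetched d.php / d.c / d.txt content is plain text, but it base64-decodes to a PE image. The following Python is an added example, not code from this writeup or from Symantec. It scans text for base64 runs, decodes each, and validates the DOS and PE headers before reporting a hit. The sample "download" is a constructed, non-executable stand-in for a PE image (a DOS header pointing at a PE signature, nothing more), and the function names are the example's own.

```python
import base64
import re
import struct
from typing import Optional


def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE image: DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'.
    It contains no code and is not the worm; it only exercises the header checks below."""
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40)   # e_lfanew: PE header directly after the DOS header
    return bytes(dos_header) + b"PE\0\0" + b"\0" * 20


# Constructed inputs: what the HTA would receive from d.php, and an unrelated HTML page.
SAMPLE_DOWNLOAD = base64.b64encode(build_fake_pe()).decode("ascii")
SAMPLE_NOISE = "<html><body>nothing to see here</body></html>"

# A run of at least 64 base64 characters; newlines are allowed because the file may be line-wrapped.
_B64_RUN = re.compile(r"[A-Za-z0-9+/=\r\n]{64,}")


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew field lands on a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def extract_pe_from_base64(text: str) -> Optional[bytes]:
    """Decode every base64 run found in fetched text and return the first one that is a PE image."""
    for match in _B64_RUN.finditer(text):
        chunk = re.sub(r"\s+", "", match.group(0))
        chunk += "=" * (-len(chunk) % 4)          # tolerate stripped padding
        try:
            blob = base64.b64decode(chunk, validate=True)
        except ValueError:                        # binascii.Error is a ValueError subclass
            continue
        if looks_like_pe(blob):
            return blob
    return None


if __name__ == "__main__":
    pe = extract_pe_from_base64(SAMPLE_DOWNLOAD)
    print("PE image found:", pe is not None, "size:", len(pe or b""))
    print("noise page:", extract_pe_from_base64(SAMPLE_NOISE))
```

The same check applies to any text-typed download that is really a wrapped executable; a proxy rule that decodes base64 bodies and looks for an MZ/PE pair catches this family of droppers regardless of the hosting domain.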
Once executed, the worm performs the following actions:
Adds the value:
"StubPath" = "C:\Recycled\userinit.exe"
to the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CD5AC91B-AE7B-E83A-0C4C-E616075972F3}
so that Active Setup runs the executable the next time a user logs on.
Adds the value:
"mal" = "[EMAIL ADDRESS OF RECIPIENT]"
to the following registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
Adds the value:
"(default)" = "%System%\[PATH TO DLL WORM COMPONENT]"
to the following registry subkey:
HKEY_CLASSES_ROOT\CLSID\{[RANDOM CLSID]}\InprocServer32
to register the DLL component as an in-process COM server under that CLSID.
Adds the value:
"[FILE NAME OF DLL WORM COMPONENT]" = "{[RANDOM CLSID]}"
to the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
so that Explorer loads the DLL through that CLSID every time Windows starts.
Sends emails to all addresses found on the compromised computer. The email has the following characteristics:
From:
The from address is a combination of one of the following names with one of the following domain names:
Names:
protect
secur
security
securmail
Domains:
@hotmail.com
@gmail.com
@aol.com
@msn.com
@yahoo.com
Subject:
One of the following:
happy new year
[STRING 1] [STRING 2] [STRING 3]
Where [STRING 1] is one of the following:
Secure
Protected
Encrypted
Extended
[STRING 2] is one of the following:
Mail
E-Mail
Message
Html
[STRING 3] is one of the following:
[BLANK]
System
Service
Service ([DOMAIN])
from [DOMAIN] user.
[STRING 4], which appears in the message body below, is one of the following:
Thank you
Sincerely
Best Regards
Note: The subject could look like one of the following:
Protected Message from Gmail.com user.
Secure Mail Service (HotMail.com)
Encrypted E-mail from Yahoo.com user.
Message:
You have received [STRING 1] [STRING 2] from [DOMAIN] user.
This message is addressed personally for you.
To decrypt your message use the following details:
ID: [RANDOM NUMBERS]
Password: [RANDOM LETTERS]
Keep your password in a safe place and under no circumstances give it
to ANYONE.
[STRING 1] [STRING 2] and instruction is attached.
[STRING 4]
[STRING 1] [STRING 2] [STRING 3],
[DOMAIN]
Note:
The message could look like the following:
You have received Encrypted Message from MSN.com user.
This message is addressed personally for you.
To decrypt your message use the following details:
ID: 44321
Password: mxsjstjgd
Keep your password in a safe place and under no circumstances give it
to ANYONE.
Encrypted Message and instruction is attached.
Best Regards,
Encrypted E-mail Service,
MSN.com
Attachment:
One of the following:
msg.zip
message.zip
data.zip
mail.zip
Note: The attachment contains the worm as an .HTA file with the following name:
[STRING 1] [STRING 2] File.HTA
Note:
The attachment could look like one of the following:
Extended Mail File.HTA
Extended E-Mail File.HTA
Secure Mail File.HTA
Secure E-Mail File.HTA
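The sender, subject, body and attachment patterns listed above are specific enough to turn into a mail-gateway rule. The following Python is an added example, not part of the writeup: it encodes that grammar as regular expressions and scores a raw RFC 822 message on the four traits (sender, subject, attachment name, fixed body lines). The two sample messages are constructed for the example, the attached "zip" is an empty archive, and the three-of-four threshold is the example's own choice.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict

# Lure grammar taken from the writeup: sender, subject, attachment names and fixed body lines.
FROM_RE = re.compile(
    r"^(?:protect|secur|security|securmail)@(?:hotmail|gmail|aol|msn|yahoo)\.com$", re.I)
SUBJECT_RE = re.compile(
    r"^(?:happy new year|"
    r"(?:Secure|Protected|Encrypted|Extended) (?:Mail|E-Mail|Message|Html)"
    r"(?: (?:System|Service|Service \([\w.-]+\)|from [\w.-]+ user\.))?)$",
    re.I,
)
ZIP_NAMES = {"msg.zip", "message.zip", "data.zip", "mail.zip"}
BODY_MARKERS = (
    "This message is addressed personally for you.",
    "To decrypt your message use the following details:",
)


def _plain_text(msg: Message) -> str:
    """Concatenate the text/plain parts that are not attachments."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def score_message(raw: str) -> Dict[str, bool]:
    """Which of the four lure traits a raw RFC 822 message exhibits."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    body = _plain_text(msg)
    return {
        "from": bool(FROM_RE.match(sender)),
        "subject": bool(SUBJECT_RE.match(msg.get("Subject", "").strip())),
        "attachment": any(n.lower() in ZIP_NAMES for n in names),
        "body": all(marker in body for marker in BODY_MARKERS),
    }


def is_feebs_lure(raw: str) -> bool:
    """Three of four traits is the threshold chosen here; any single trait is too common to block on."""
    return sum(score_message(raw).values()) >= 3


# Constructed sample built from the message template in the writeup. The attachment is an
# empty zip (22-byte end-of-central-directory record), not the worm.
SAMPLE_LURE = """\
From: securmail@msn.com
To: victim@example.com
Subject: Encrypted Message from MSN.com user.
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You have received Encrypted Message from MSN.com user.
This message is addressed personally for you.
To decrypt your message use the following details:
ID: 44321
Password: mxsjstjgd
Keep your password in a safe place and under no circumstances give it
to ANYONE.
Encrypted Message and instruction is attached.
Best Regards,
Encrypted E-mail Service,
MSN.com

--b1
Content-Type: application/zip; name="message.zip"
Content-Disposition: attachment; filename="message.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

SAMPLE_BENIGN = """\
From: Alice <alice@example.com>
To: bob@example.com
Subject: lunch tomorrow?
Content-Type: text/plain

See you at noon.
"""

if __name__ == "__main__":
    print("lure:", score_message(SAMPLE_LURE), is_feebs_lure(SAMPLE_LURE))
    print("benign:", score_message(SAMPLE_BENIGN), is_feebs_lure(SAMPLE_BENIGN))
```

The subject expression is anchored at both ends, so near misses such as "Secure Mail Order" do not match; the sender check uses the parsed address rather than the raw header so a display name cannot hide a matching mailbox.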
Creates the following files:
%System%\MS[RANDOM].exe
%System%\MS[RANDOM]
%System%\MS[RANDOM]32.DLL
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Injects %System%\MS[RANDOM]32.DLL into all running processes and uses rootkit techniques to hide its files and registry subkeys.
Adds the value:
"web" = "68 74 74 70 3A 2F 2F 70 6F 70 63 61 70 66 72 65 65 2E 74 33 35 2E 63 6F 6D 2F 00"
to the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
Note: The above value is the hexadecimal representation of the null-terminated ASCII string "[http://]popcapfree.t35.com/" (the trailing 00 byte is the string terminator).
Creates several registry subkeys containing configuration information, stolen passwords, accounts, and email addresses:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]dat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]cdat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]fdat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]ndat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]sdat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]ldat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]gdat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]pdat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]udat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]idat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]ddat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]kdat
Adds the value:
"EnableFirewall" = "0"
to the registry subkeys:
HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsFirewall\DomainProfile
HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsFirewall\StandardProfile
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
to disable the Windows Firewall by policy.
Searches for folders that contain the following strings:
downloads
share
incoming
Copies itself to any folders that it finds as the following files:
3dsmax_9_(3D_Studio_Max)_new!_full+crack.zip
ACDSee_9_new!_full+crack.zip
Adobe_Photoshop_10_(CS3)_new!_full+crack.zip
Adobe_Premiere_9_(2.0_pro)_new!_full+crack.zip
Ahead_Nero_8_new!_full+crack.zip
DivX_7.0_new!_full+crack.zip
ICQ_2006_new!_full+crack.zip
Internet_Explorer_7_new!_full+crack.zip
Kazaa_4_new!_full+crack.zip
Longhorn_new!_full+crack.zip
Microsoft_Office_2006_new!_full+crack.zip
winamp_5.2_new!_full+crack.zip
Note: The .zip file also contains a non-malicious text file whose name matches that of the .zip file; the text file's name reportedly does not include the string "_new!_full+crack".
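A sweep for the file-sharing copies follows as an added example in Python (not code from the writeup). It walks a directory tree, reports every file carrying one of the drop names above or the "_new!_full+crack.zip" suffix, records whether the file sits under a folder matching the worm's downloads/share/incoming search, and opens each archive read-only to check for an .HTA member. The directory fixture and archive contents are constructed for the example; the placeholder .HTA is an inert stub, not the worm.

```python
import os
import tempfile
import zipfile
from typing import Dict, List

# Folder-name substrings the worm searches for, and the file names it drops (from the writeup).
SHARE_MARKERS = ("downloads", "share", "incoming")
LURE_SUFFIX = "_new!_full+crack.zip"
LURE_NAMES = {
    "3dsmax_9_(3D_Studio_Max)_new!_full+crack.zip", "ACDSee_9_new!_full+crack.zip",
    "Adobe_Photoshop_10_(CS3)_new!_full+crack.zip", "Adobe_Premiere_9_(2.0_pro)_new!_full+crack.zip",
    "Ahead_Nero_8_new!_full+crack.zip", "DivX_7.0_new!_full+crack.zip", "ICQ_2006_new!_full+crack.zip",
    "Internet_Explorer_7_new!_full+crack.zip", "Kazaa_4_new!_full+crack.zip", "Longhorn_new!_full+crack.zip",
    "Microsoft_Office_2006_new!_full+crack.zip", "winamp_5.2_new!_full+crack.zip",
}


def is_share_folder(relative_dir: str) -> bool:
    """True if any component of the path (relative to the sweep root) matches the worm's folder search."""
    parts = os.path.normpath(relative_dir).lower().split(os.sep)
    return any(marker in part for marker in SHARE_MARKERS for part in parts)


def zip_contains_hta(path: str) -> bool:
    """Open the archive read-only and look for an .HTA member, the worm's actual carrier."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(name.lower().endswith(".hta") for name in zf.namelist())
    except (zipfile.BadZipFile, OSError):
        return False


def sweep(root: str) -> List[Dict[str, object]]:
    """Report every file under root that carries a Feebs drop name, wherever it sits."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn in LURE_NAMES or fn.endswith(LURE_SUFFIX):
                full = os.path.join(dirpath, fn)
                findings.append({
                    "path": full,
                    "known_name": fn in LURE_NAMES,
                    "in_share_folder": is_share_folder(os.path.relpath(dirpath, root)),
                    "has_hta": zip_contains_hta(full),
                })
    return sorted(findings, key=lambda f: str(f["path"]))


def by_basename(findings: List[Dict[str, object]]) -> Dict[str, Dict[str, object]]:
    return {os.path.basename(str(f["path"])): f for f in findings}


def build_sample_tree() -> str:
    """Constructed fixture (not real worm data): a Kazaa-style share with one lure beside a benign
    archive, plus a second lure name dropped outside any share folder."""
    root = tempfile.mkdtemp(prefix="feebs_demo_")
    shared = os.path.join(root, "Kazaa", "My Shared Folder")
    os.makedirs(shared)
    with zipfile.ZipFile(os.path.join(shared, "winamp_5.2_new!_full+crack.zip"), "w") as zf:
        zf.writestr("Secure Mail File.HTA", "<html><!-- inert placeholder standing in for the HTA dropper --></html>")
        zf.writestr("winamp_5.2.txt", "decoy readme")
    with zipfile.ZipFile(os.path.join(shared, "holiday_photos.zip"), "w") as zf:
        zf.writestr("IMG_0001.jpg", b"\xff\xd8\xff")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    with zipfile.ZipFile(os.path.join(docs, "DivX_7.0_new!_full+crack.zip"), "w") as zf:
        zf.writestr("DivX_7.0.txt", "decoy readme only")
    return root


if __name__ == "__main__":
    for finding in sweep(build_sample_tree()):
        print(finding)
```

Matching on file names alone is enough to locate the copies the worm wrote; the .HTA check is what separates a live carrier from a name collision or an archive the worm only partially wrote.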
Lowers security settings on the compromised computer by ending security-related programs and by stopping services with names starting with one of the following strings:
armor2net
armorwall
avgcc
avp6
aws
bgnewsui
blackd
bullguard
ca
ccapp
ccevtmgr
ccproxy
ccsetmgr
dfw
dpf
fbtray
fireballdta
FirePM
firesvc
firewal
fsdfwd
fw
fwsrv
goldtach
hacker
hackereliminator
iamapp
iamserv
internet security
ipatrol
ipcserver
jammer
kaspe
kavpf
keylog
keypatrol
KmxAgent
KmxBiG
KmxCfg
KmxFile
KmxFw
KmxIds
KmxNdis
KmxSbx
kpf4gui
kpf4ss
leviathantrial
looknstop
mcafeefire
mpftray
netlimiter
npfc
npfmsg
npfsvice
npgui
opf
opfsvc
outpost
pavfnsvr
pccpfw
pcipim
pcIPPsC
persfw
rapapp
RapDrv
smc
sndsrvc
spfirewallsvc
spfw
sppfw
sspfwtry2
s-wall
symlcsvc
ton
tzpfw
umxtray
vipnet
vsmon
xeon
xfilter
zapro
zlclient
zonealarm
Deletes the startup registry subkeys associated with these services under the following subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[SERVICE NAME]
so that the security software is not started again after a reboot.
Starts a local Web server on TCP port 80. When a user connects to it, the server loads the .HTA file and also offers a link to offline.zip, a zip file containing the worm.
Gathers sensitive information from the compromised computer by monitoring open windows, including WebMoney and ICQ windows, and by looking for cryptographic key files.
Sends this information to a remote attacker.
To delete the values and subkeys from the registry:
Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
In the right pane, delete the value:
"[FILE NAME OF DLL WORM COMPONENT]" = "{[RANDOM CLSID]}"
Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CD5AC91B-AE7B-E83A-0C4C-E616075972F3}
In the right pane, delete the value:
"Stubpath" = "C:\Recycled\userinit.exe"
Navigate to the subkey:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
In the right pane, delete the value:
"mal" = "[EMAIL ADDRESS OF RECIPIENT]"
Navigate to the subkey:
HKEY_CLASSES_ROOT\CLSID\{[RANDOM CLSID]}\InprocServer32
In the right pane, delete the value:
"(default)" = "%System%\[PATH TO DLL WORM COMPONENT]"
Navigate to the subkey:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
In the right pane, delete the value:
"web" = "68 74 74 70 3A 2F 2F 70 6F 70 63 61 70 66 72 65 65 2E 74 33 35 2E 63 6F 6D 2F 00"
Navigate to and delete the following subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]dat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]cdat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]fdat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]ndat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]sdat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]ldat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]gdat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]pdat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]udat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]idat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]ddat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]kdat
Exit the Registry Editor.
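The manual removal steps above, together with the persistence and configuration keys described in the infection details, amount to a checklist that can be run against a regedit export instead of by hand. The following Python is an added example, not a Symantec tool: it parses a .reg export, flags the ShellServiceObjectDelayLoad entry and its CLSID in-process server, the Active Setup StubPath, the "mal" and hex-encoded "web" values, the EnableFirewall policy and the MS??dat subkeys, and turns the findings into the list of values and subkeys to delete. The sample export is constructed; the random CLSID and the "MSxq" names are invented placeholders, while the Active Setup GUID and the decoded URL come from the writeup. Because the DLL component hides these keys with rootkit techniques, the export must come from an offline hive or a clean boot for the sweep to see them.

```python
import re
from typing import Dict, List, Tuple

SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
IE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer"
ACTIVE_SETUP_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"
                    r"\{CD5AC91B-AE7B-E83A-0C4C-E616075972F3}")      # GUID from the writeup
WORM_DLL_RE = re.compile(r"MS\w+32\.DLL$", re.I)                     # %System%\MS[RANDOM]32.DLL
DAT_KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MS[A-Za-z]{2}[a-z]?dat$", re.I)
FW_KEY_RE = re.compile(r"\\Policies\\Microsoft\\WindowsFirewall\\(?:Domain|Standard)Profile$", re.I)

# Constructed .reg export, not real forensic data. The CLSID and "MSxq" names are invented
# placeholders; a legitimate WebCheck entry sits beside the worm's for contrast.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"MSxq32.DLL"="{1B2C3D4E-5F60-7182-93A4-B5C6D7E8F901}"

[HKEY_CLASSES_ROOT\CLSID\{1B2C3D4E-5F60-7182-93A4-B5C6D7E8F901}\InprocServer32]
@="C:\\WINDOWS\\System32\\MSxq32.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CD5AC91B-AE7B-E83A-0C4C-E616075972F3}]
"StubPath"="C:\\Recycled\\userinit.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
"mal"="victim@example.com"
"web"=hex:68,74,74,70,3a,2f,2f,70,6f,70,63,61,70,66,72,65,65,2e,74,33,35,2e,63,6f,6d,2f,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSxqdat]
"0"="(opaque configuration blob)"
"""


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Minimal .reg parser: key path -> {value name -> str | int | bytes}.
    Handles "string", dword: and single-line hex: values; wrapped hex lines are not joined."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        name, _, data = line.partition("=")
        name = "(default)" if name == "@" else name.strip('"')
        if data.startswith('"'):
            keys[current][name] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif data.startswith("hex:"):
            keys[current][name] = bytes(int(b, 16) for b in data[4:].split(",") if b)
        else:
            keys[current][name] = data
    return keys


def triage(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """(key, value name, reason) for every indicator; an empty value name means the whole subkey."""
    hits: List[Tuple[str, str, str]] = []
    for name, clsid in keys.get(SSODL_KEY, {}).items():          # SSODL entry -> CLSID -> DLL path
        server_key = "HKEY_CLASSES_ROOT\\CLSID\\" + str(clsid) + "\\InprocServer32"
        server = str(keys.get(server_key, {}).get("(default)", ""))
        if WORM_DLL_RE.search(server) or WORM_DLL_RE.search(name):
            hits.append((SSODL_KEY, name, "shell loads " + (server or name) + " at startup"))
            if server_key in keys:
                hits.append((server_key, "(default)", "COM server path for the worm DLL"))
    stub = keys.get(ACTIVE_SETUP_KEY, {}).get("StubPath")
    if stub:
        hits.append((ACTIVE_SETUP_KEY, "StubPath", "Active Setup runs " + str(stub) + " at next logon"))
    ie = keys.get(IE_KEY, {})
    if "mal" in ie:
        hits.append((IE_KEY, "mal", "harvested recipient address " + str(ie["mal"])))
    web = ie.get("web")
    if isinstance(web, bytes):                                   # decode the null-terminated URL
        hits.append((IE_KEY, "web", "hex-encoded URL " + web.split(b"\0", 1)[0].decode("ascii", "replace")))
    for key, values in keys.items():
        if FW_KEY_RE.search(key) and values.get("EnableFirewall") in (0, "0"):
            hits.append((key, "EnableFirewall", "Windows Firewall disabled by policy"))
        if DAT_KEY_RE.match(key):
            hits.append((key, "", "worm configuration / stolen-data subkey"))
    return hits


def removal_plan(hits: List[Tuple[str, str, str]]):
    """Split findings into values to delete and whole subkeys to delete, mirroring the manual steps."""
    values = sorted({(k, v) for k, v, _ in hits if v})
    subkeys = sorted({k for k, v, _ in hits if not v})
    return values, subkeys


if __name__ == "__main__":
    found = triage(parse_reg(SAMPLE_EXPORT))
    for key, value, reason in found:
        print(key, "|", value or "(subkey)", "|", reason)
    print(removal_plan(found))
```

The CLSID check is the part worth keeping even after this variant is gone: any ShellServiceObjectDelayLoad entry whose in-process server resolves to an unsigned DLL in the System folder deserves a look, since that location is loaded by every Explorer instance at logon.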