
W32.Feebs.J@mm
Tuesday, 17 January 2006
W32.Feebs.J@mm is a mass-mailing worm that also spreads through file-sharing networks and lowers security settings on the compromised computer.

Type: Worm
Infection Length: 56,214 bytes

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Damage

Payload Trigger: n/a
Payload: Starts a local Web server.
Large scale e-mailing: Sends a copy of itself to email addresses gathered from the compromised computer.
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: Sends confidential information to a remote attacker.
Compromises security settings: Modifies firewall settings.
Distribution

Subject of email: Varies
Name of attachment: Varies
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: TCP Port 80.
Shared drives: n/a
Target of infection: n/a


When W32.Feebs.J@mm is executed, it performs the following actions:


Arrives as an attachment with a .HTA extension. An HTML Application runs under mshta.exe with full script access rather than inside the browser's restricted security zone, so simply opening the attachment executes its script. The malicious JavaScript then downloads a base-64 encoded file from one or more of the following locations:


[http://]kool.1gb.ru/[REMOVED]/1.txt
[http://]xup.hut2.ru/[REMOVED]/1.txt
[http://]ilovet35.t35.com/[REMOVED]/code.c
[http://]hynvtyxdqv.newmail.ru/[REMOVED]/1.txt
[http://]hpm.siteburg.com/[REMOVED]/1.txt


Extracts a Windows executable file from the base-64 encoded file and saves it as:

C:\Recycled\userinit.exe
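The downloader stage above fetches a text file that is really a base-64 encoded executable and carves the PE out of it. The following Python script is an added example, not part of the original writeup: it does the analyst-side equivalent on a captured copy of such a file, finding long base64 runs in arbitrary text, decoding them and keeping only those with valid MZ and PE signatures. The blob it runs on is constructed (a correct PE header with no code, wrapped in HTML-like junk), and the function names are the example's own.

```python
"""Carve a base64-encoded Windows executable out of arbitrary text.

Added example, not from the original writeup. SAMPLE_DOWNLOAD is CONSTRUCTED:
a valid MZ/PE header with no code, wrapped in HTML-like junk, standing in for
the '1.txt' the downloader fetches.
"""
import base64
import hashlib
import re
import struct

# Runs of base64 alphabet at least 64 chars long, with optional '=' padding.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with 'MZ' and e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve_pe_from_text(text: bytes) -> list:
    """Decode every long base64 run in `text`; return those that are PE images."""
    found = []
    for match in _B64_RUN.finditer(text):
        run = match.group(0)
        run += b"=" * (-len(run) % 4)          # restore stripped padding
        try:
            blob = base64.b64decode(run, validate=True)
        except ValueError:                      # binascii.Error is a ValueError
            continue
        if looks_like_pe(blob):
            found.append(blob)
    return found


def build_fake_pe_stub() -> bytes:
    """CONSTRUCTED stand-in for the dropped executable: correct signatures, no code."""
    hdr = bytearray(b"MZ") + bytearray(0x3E)    # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x80)     # e_lfanew -> PE header at 0x80
    hdr += bytes(0x80 - len(hdr))               # DOS stub area
    hdr += b"PE\x00\x00" + b"\x4c\x01"          # signature + Machine=I386
    return bytes(hdr) + bytes(64)


SAMPLE_DOWNLOAD = (
    b"<!-- CONSTRUCTED stand-in for a downloaded 1.txt -->\n<html><script>\n"
    b'var s = "' + base64.b64encode(build_fake_pe_stub()) + b'";\n'
    b"</script></html>\n"
)

if __name__ == "__main__":
    for pe in carve_pe_from_text(SAMPLE_DOWNLOAD):
        print(len(pe), "bytes, sha256", hashlib.sha256(pe).hexdigest())
```

On a real capture, hash and detonate each carved image separately; the signature check only says "this decodes to something shaped like a PE", not that it is the worm.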


Adds the value:

"Stubpath" = "C:\Recycled\userinit.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CD5AC91B-AE7B-E83A-0C4C-E616075972F3}


Adds the values:

"mal" = "[EMAIL ADDRESS OF RECIPIENT]"
"web" = "68 74 74 70 3A 2F 2F 70 6F 70 63 61 70 66 72 65 65 2E 74 33 35 2E 63 6F 6D 2F 00"

to the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer

Note: The "web" value is the hex encoding of the ASCII string [http://]popcapfree.t35.com/ followed by a terminating null byte.


Adds the value:

"(default)" = "%System%\[PATH TO DLL WORM COMPONENT]"

to the registry subkey:

HKEY_CLASSES_ROOT\CLSID\{[RANDOM CLSID]}\InprocServer32

which registers the DLL as an in-process COM server under that CLSID (the ShellServiceObjectDelayLoad entry below is what causes the shell to load it at startup).


Adds the value:

"[FILE NAME OF DLL WORM COMPONENT]" = "{[RANDOM CLSID]}"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

so that the Windows shell (Explorer) loads the DLL every time Windows starts.


Sends emails to all addresses found on the compromised computer. The email has the following characteristics:

From:
The from address is a combination of one of the following names with one of the following domain names:

Names:


protect
secur
security
securmail

Domains:

@hotmail.com
@gmail.com
@aol.com
@msn.com
@yahoo.com

Subject:
One of the following:


happy new year
[STRING 1] [STRING 2] [STRING 3]

Where [STRING 1] is one of the following:

Secure
Protected
Encrypted
Extended

[STRING 2] is one of the following:


Mail
E-Mail
Message
Html

[STRING 3] is one of the following:


[BLANK]
System
Service
Service ([DOMAIN])
from [DOMAIN] user.

[STRING 4], used in the message body below, is one of the following:


Thank you
Sincerely
Best Regards

Note: The subject could look like one of the following:


Protected Message from Gmail.com user.
Secure Mail Service (HotMail.com)
Encrypted E-mail from Yahoo.com user.

Message:

ID: [RANDOM NUMBERS]
Password: [RANDOM LETTERS]

Message is attached.

[STRING 4]
[STRING 1] [STRING 2] [STRING 3],
[DOMAIN]

Note: The message could look like the following:

ID: 41986
Password: zmekjgldj

Message is attached.

Thank you,
Protected E-mail Service,
Gmail.com

Attachment :
One of the following:


msg.zip
message.zip
data.zip
mail.zip

The attachment contains either the worm itself as an .HTA file or the downloader component of the worm as an .HTA file, with the following name:

[STRING 1] [STRING 2] File.HTA

Note:
The attachment could look like one of the following:


Extended Mail File.HTA
Extended E-Mail File.HTA
Secure Mail File.HTA
Secure E-Mail File.HTA
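The lure characteristics above translate directly into mail-gateway detection logic. The Python below is an added example, not part of the original writeup: it encodes the From, Subject, body and attachment templates as rules and scores a few constructed messages, requiring two independent indicators before flagging so that a single coincidental "happy new year" subject is not enough. The dictionary field names (from, subject, body, attachments, zip_contents) and the threshold are the example's own choices.

```python
"""Score e-mail metadata against the W32.Feebs.J@mm lure templates.

Added example, not from the original writeup. SAMPLE_MESSAGES are
CONSTRUCTED; the dict field names are this example's own convention.
"""
import re

LOCAL_PARTS = {"protect", "secur", "security", "securmail"}
FREEMAIL = {"hotmail.com", "gmail.com", "aol.com", "msn.com", "yahoo.com"}
ATTACHMENTS = {"msg.zip", "message.zip", "data.zip", "mail.zip"}

# Subject: "[STRING 1] [STRING 2] [STRING 3]" with the optional [STRING 3] tail.
SUBJECT_RE = re.compile(
    r"^(secure|protected|encrypted|extended)\s+(mail|e-mail|message|html)"
    r"(\s+(system|service(\s+\([\w.-]+\))?|from\s+[\w.-]+\s+user\.?))?\s*$",
    re.IGNORECASE,
)
# Name of the .HTA inside the zip: "[STRING 1] [STRING 2] File.HTA"
HTA_NAME_RE = re.compile(
    r"^(secure|protected|encrypted|extended)\s+(mail|e-mail|message|html)\s+file\.hta$",
    re.IGNORECASE,
)
# Body: "ID: <digits>" on one line, "Password: <letters>" on the next.
BODY_RE = re.compile(r"ID:\s*\d+\s*\n\s*Password:\s*[a-z]+", re.IGNORECASE)


def score_message(msg: dict) -> list:
    """Return the list of Feebs indicators one message matches (empty = clean)."""
    hits = []
    local, _, domain = msg.get("from", "").lower().rpartition("@")
    if local in LOCAL_PARTS and domain in FREEMAIL:
        hits.append("from:feebs-sender")
    subj = msg.get("subject", "").strip()
    if subj.lower() == "happy new year" or SUBJECT_RE.match(subj):
        hits.append("subject:feebs-template")
    if BODY_RE.search(msg.get("body", "")):
        hits.append("body:id-password-template")
    for name in msg.get("attachments", []):
        if name.lower() in ATTACHMENTS:
            hits.append("attachment:" + name)
    for name in msg.get("zip_contents", []):
        if HTA_NAME_RE.match(name):
            hits.append("zip-member:" + name)
    return hits


def is_feebs_lure(msg: dict, threshold: int = 2) -> bool:
    """Flag only when at least `threshold` independent indicators agree."""
    return len(score_message(msg)) >= threshold


SAMPLE_MESSAGES = [  # CONSTRUCTED for this example
    {"from": "secur@gmail.com",
     "subject": "Protected E-mail from Gmail.com user.",
     "body": "ID: 41986\nPassword: zmekjgldj\n\nMessage is attached.\n",
     "attachments": ["msg.zip"], "zip_contents": ["Secure Mail File.HTA"]},
    {"from": "alice@example.org", "subject": "lunch tomorrow?",
     "body": "Noon at the usual place?", "attachments": [], "zip_contents": []},
    {"from": "helpdesk@example.org", "subject": "happy new year",
     "body": "All the best for 2006.", "attachments": ["card.zip"],
     "zip_contents": ["card.jpg"]},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(is_feebs_lure(m), score_message(m))
```

The attachment and zip-member checks need the gateway to have unpacked the .zip; if it only sees the outer name, the From/Subject/body rules still give two indicators on the real lure.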


Creates the following files:


%System%\MS[RANDOM].exe
%System%\MS[RANDOM]
%System%\MS[RANDOM]32.DLL

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


Loads %System%\MS[RANDOM]32.DLL into all active processes and uses rootkit functionality to hide its files and registry subkeys.

Note: Because of this, the files and subkeys listed in this document may not be visible to tools run from within the infected session; inspect the disk and registry hives offline (for example, from a clean boot environment).


Creates several registry subkeys containing configuration info, stolen passwords, accounts, and email addresses:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]dat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]cdat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]fdat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS] dat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]sdat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]ldat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]gdat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]pdat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]udat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]idat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]ddat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]kdat


Modifies the value:

"EnableFirewall" = "0"

in the registry subkeys:

HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsFirewall\DomainProfile
HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsFirewall\StandardProfile
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile

to disable the Windows Firewall.


Searches for folders that contain the following strings:


downloads
share
incoming


Copies itself to any folders that it finds as the following files:


3dsmax_9_(3D_Studio_Max)_new!_full+crack.zip
ACDSee_9_new!_full+crack.zip
Adobe_Photoshop_10_(CS3)_new!_full+crack.zip
Adobe_Premiere_9_(2.0_pro)_new!_full+crack.zip
Ahead_Nero_8_new!_full+crack.zip
DivX_7.0_new!_full+crack.zip
ICQ_2006_new!_full+crack.zip
Internet_Explorer_7_new!_full+crack.zip
Kazaa_4_new!_full+crack.zip
Longhorn_new!_full+crack.zip
Microsoft_Office_2006_new!_full+crack.zip
winamp_5.2_new!_full+crack.zip


The .zip file contains a non-malicious text file that matches the name of the .zip file. It is reported that the text file's name does not include the following string:

_new!_full+crack


Attempts to delete the following files related to security programs:


c:\program files\symantec\liveupdate\lucomserverps*.dll
c:\program files\symantec\liveupdate\productregcom*.dll


Attempts to lower security settings on the compromised computer by ending security-related programs and by stopping services with names starting with one of the following strings:


armor2net
armorwall
avgcc
avp6
aws
bgnewsui
blackd
bullguard
ca
ccapp
ccevtmgr
ccproxy
ccsetmgr
dfw
dpf
fbtray
filemon
fireballdta
FirePM
firesvc
firewal
fsdfwd
fw
fwsrv
goldtach
hacker
hackereliminator
iamapp
iamserv
internet security
ipatrol
ipcserver
jammer
kaspe
kavpf
keylog
keypatrol
KmxAgent
KmxBiG
KmxCfg
KmxFile
KmxFw
KmxIds
KmxNdis
KmxSbx
kpf4gui
kpf4ss
leviathantrial
looknstop
mcafeefire
mpftray
netlimiter
npfc
npfmsg
npfsvice
npgui
opf
opfsvc
outpost
pavfnsvr
pccpfw
pcipim
pcIPPsC
persfw
rapapp
RapDrv
regmon
smc
sndsrvc
spfirewallsvc
spfw
sppfw
sspfwtry2
s-wall
symlcsvc
ton
tzpfw
umxtray
vipnet
vsmon
xeon
xfilter
zapro
zlclient
zonealarm


Deletes all the startup registry subkeys associated with these services under the following subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[SERVICE NAME]


Starts a local Web server on TCP port 80. When a user connects to the Web server, it serves the .HTA file and also a link to offline.zip, which is a zip file containing the worm.


May gather sensitive information from the compromised computer by monitoring open windows. This includes monitoring for WebMoney, ICQ, and cryptography key files. This information can then be sent to a remote attacker.

To delete the values from the registry:

Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad


In the right pane, delete the value:

"[FILE NAME OF DLL WORM COMPONENT]" = "{[RANDOM CLSID]}"


Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CD5AC91B-AE7B-E83A-0C4C-E616075972F3}


In the right pane, delete the value:

"Stubpath" = "C:\Recycled\userinit.exe"


Navigate to the subkey:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer


In the right pane, delete the values:

"mal" = "[EMAIL ADDRESS OF RECIPIENT]"
"web" = "68 74 74 70 3A 2F 2F 70 6F 70 63 61 70 66 72 65 65 2E 74 33 35 2E 63 6F 6D 2F 00"


Navigate to the subkey:

HKEY_CLASSES_ROOT\CLSID\{[RANDOM CLSID]}\InprocServer32


In the right pane, delete the value:

"(default)" = "%System%\[PATH TO DLL WORM COMPONENT]"


Navigate to and delete the following subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]dat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]cdat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]fdat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS] dat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]sdat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]ldat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]gdat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]pdat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]udat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]idat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]ddat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]kdat


Exit the Registry Editor.
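The registry steps above, and the persistence chain described earlier (the ShellServiceObjectDelayLoad entry, the CLSID's InprocServer32 default value, the Active Setup StubPath, the "mal"/"web" values under Internet Explorer, and the EnableFirewall policy values), can be checked against a registry export instead of by hand in Registry Editor. The Python below is an added example, not part of the original writeup: a minimal .reg parser plus the triage checks, run on a constructed export in which the {11111111-...} CLSID, the MSQZ32.DLL name, the e-mail address and the paths are placeholders chosen for the example (the {CD5AC91B-...} CLSID and the "web" hex string are the ones the writeup lists). Because the worm's DLL hides its own subkeys from processes on the infected system, take the export from a clean boot environment or a loaded offline hive rather than from the infected session.

```python
"""Triage a Windows registry export (.reg) for W32.Feebs.J@mm artifacts.

Added example, not from the original writeup. Resolves the chain
  ShellServiceObjectDelayLoad value -> {CLSID}
  -> HKCR\CLSID\{CLSID}\InprocServer32 default value -> DLL path
and flags the Active Setup StubPath, the IE "mal"/"web" values and
EnableFirewall=0 policy values. SAMPLE_REG is CONSTRUCTED; the {1111...}
CLSID, MSQZ32.DLL, the address and the paths are placeholders.
"""
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00
; CONSTRUCTED export for this example; identifiers are placeholders

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{00000000-0000-0000-0000-000000000001}"
"MSQZ32.DLL"="{11111111-2222-3333-4444-555555555555}"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\WINDOWS\\system32\\shell32.dll"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\WINDOWS\\system32\\MSQZ32.DLL"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CD5AC91B-AE7B-E83A-0C4C-E616075972F3}]
"Stubpath"="C:\\Recycled\\userinit.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
"mal"="victim@example.com"
"web"="68 74 74 70 3A 2F 2F 70 6F 70 63 61 70 66 72 65 65 2E 74 33 35 2E 63 6F 6D 2F 00"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000
"""

SSODL = r"hkey_local_machine\software\microsoft\windows\currentversion\shellserviceobjectdelayload"
ACTIVE_SETUP = "hkey_local_machine\\software\\microsoft\\active setup\\installed components\\"
IE_KEY = r"hkey_current_user\software\microsoft\internet explorer"
FIREWALL_POLICY = re.compile(
    r"^hkey_(local_machine|current_user)\\software\\policies\\microsoft\\windowsfirewall"
    r"\\(domainprofile|standardprofile)$")
SUSPECT_DLL = re.compile(r"\\ms[a-z0-9]+32\.dll$", re.IGNORECASE)  # %System%\MS[RANDOM]32.DLL


def parse_reg(text: str) -> dict:
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key_path: {value_name: value}}. Registry names are case-insensitive, so
    keys and value names are lower-cased; the default value is stored as "@".
    Only REG_SZ ("...") and REG_DWORD (dword:...) are kept, which is all the
    checks below need; hex:/multi-line values are skipped."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith("Windows Registry"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, val = line.partition("=")
        name = "@" if name == "@" else name.strip('"').lower()
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1].replace("\\\\", "\\")   # .reg escapes backslashes
        elif val.lower().startswith("dword:"):
            val = str(int(val[6:], 16))
        else:
            continue
        keys[current][name] = val
    return keys


def triage(keys: dict) -> list:
    """Return one finding string per suspicious artifact found in the export."""
    findings = []
    # 1. Every SSODL entry: resolve CLSID -> InprocServer32 -> DLL path.
    for name, clsid in keys.get(SSODL, {}).items():
        inproc = keys.get("hkey_classes_root\\clsid\\" + clsid.lower() + "\\inprocserver32", {})
        dll = inproc.get("@")
        if dll is None:
            findings.append("SSODL %s -> %s has no InprocServer32 in export" % (name, clsid))
        elif SUSPECT_DLL.search(dll):
            findings.append("SSODL %s -> %s -> %s" % (name, clsid, dll))
    # 2. Active Setup StubPath pointing into the Recycle Bin folder.
    for key, values in keys.items():
        if key.startswith(ACTIVE_SETUP):
            stub = values.get("stubpath", "")
            if "\\recycled\\" in stub.lower():
                findings.append("Active Setup %s StubPath=%s" % (key[len(ACTIVE_SETUP):], stub))
        # 3. Firewall disabled through policy keys.
        if FIREWALL_POLICY.match(key) and values.get("enablefirewall") == "0":
            findings.append("Firewall disabled by policy: " + key)
    # 4. The worm's own config values under HKCU\...\Internet Explorer.
    ie = keys.get(IE_KEY, {})
    if "mal" in ie or "web" in ie:
        web = ie.get("web", "")
        try:   # the "web" value is space-separated hex of a NUL-terminated URL
            web = bytes.fromhex(web.replace(" ", "")).rstrip(b"\x00").decode("ascii")
        except ValueError:
            pass
        findings.append("IE config values: mal=%s web=%s" % (ie.get("mal"), web))
    return findings


if __name__ == "__main__":
    for line in triage(parse_reg(SAMPLE_REG)):
        print(line)
```

The SSODL check reports every entry whose CLSID cannot be resolved, not only the MS*32.DLL pattern: on a live export a registered shell service object with no InprocServer32 is itself a sign that a key is being hidden or was partially cleaned.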

5. To reenable the SharedAccess service (Windows 2000/XP only)
The SharedAccess service is responsible for maintaining Internet Connection Sharing and the Windows Firewall/Internet Connection Firewall applications in Windows. (The presence and names of these applications vary depending on the operating system and service pack you are using.) To protect your computer and maintain network functionality, re-enable this service if you are using any of these programs.


Windows XP Service Pack 2
If you are running Windows XP with Service Pack 2 and are using the Windows Firewall, the operating system will alert you when the SharedAccess service is stopped, by displaying an alert balloon saying that your Firewall status is unknown. Perform the following steps to ensure that the Windows Firewall is re-enabled:

Click Start > Control Panel.


Double-click the Security Center.


Ensure that the Firewall security essential is marked ON.

Note: If the Firewall security essential is marked on, your Windows Firewall is on and you do not need to continue with these steps.

If the Firewall security essential is not marked on, click the "Recommendations" button.


Under "Recommendations," click Enable Now. A window appears telling you that the Windows Firewall was successfully turned on.


Click Close, and then click OK.


Close the Security Center.


Windows 2000 or Windows XP Service Pack 1 or earlier
Complete the following steps to re-enable the SharedAccess service:

Click Start > Run.
Type services.msc

Then click OK.


Do one of the following:

Windows 2000: Under the Name column, locate the "Internet Connection Sharing (ICS)" service and double-click it.
Windows XP: Under the Name column, locate the "Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)" service and double-click it.


Under "Startup Type:", select "Automatic" from the drop-down menu.


Under "Service Status:", click the Start button.


Once the service has completed starting, click OK.


Close the Services window.
 