Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: MEDIUM
Payload: Opens backdoor port, disables security software
Detection files published: 22 Dec 2005 03:00:00
Description created: 27 Jan 2006 12:11:00
Description updated: 27 Jan 2006 12:11:00
Malware type: WORM
Alias: Win32/Mocalo, W32/Kmax, Win32.HLLM.Graz
Spreading mechanism: EMAIL, OTHER
Summary: None

W32/Feebs

Spreading

File system changes:
When run, Feebs normally copies some components to the Windows System folder, hereafter called , using the following names (XX denotes random letters):
MSXX.EXE (worm copy)
MSXX (same)
MSXX32.DLL (a rootkit component)
Email spreading:
The worm sends itself to email addresses found on the local system. The emails are variable, constructed from string segments. The attachment is a ZIP file containing an HTA file with a polymorphic script that downloads and executes the worm. The worm also hooks the Send function in Winsock so that it can insert itself into outgoing mail; in those cases the mail looks like any regular mail with a ZIP attachment.
An example email is shown below.
Subject: Protected E-mail from MSN.com user.
Body:
ID: 47023
Password: qfvsrfbhh
Message is attached.
Sincerely,
Encrypted E-mail System,
MSN.com
Attachment: message.zip
Peer-to-peer (P2P) spreading:
It traverses the disk looking for file-share folders of different kinds (folder names containing the words "share", "download" or "upload") and creates multiple archives containing copies of itself there. In these cases it normally uses names like:
3dsmax_9_(3D_Studio_Max)_new!_full+crack.zip
ACDSee_9_new!_full+crack.zip
Adobe_Photoshop_10_(CS3)_new!_full+crack.zip
Adobe_Premiere_9_(2.0_pro)_new!_full+crack.zip
Ahead_Nero_8_new!_full+crack.zip
DivX_7.0_new!_full+crack.zip
ICQ_2006_new!_full+crack.zip
Internet_Explorer_7_new!_full+crack.zip
Kazaa_4_new!_full+crack.zip
Longhorn_new!_full+crack.zip
Microsoft_Office_2006_new!_full+crack.zip
winamp_5.2_new!_full+crack.zip
These files contain a copy of the worm with the name webinstall.exe, and a small text file.
Registry changes:
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\msXX32.dll
HKCC\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable = 0x0
HKCR\CLSID\{random CLSID}\InprocServer32\(Default) = \msXX32.dll
HKCR\CLSID\{random CLSID}\InprocServer32\ThreadingModel = "Both"
HKCU\Software\Microsoft\Internet Explorer\web = http://popcapfree.[removed]/

HKLM\Software\Microsoft\MSXX\dir = \drivers\msxx
HKLM\Software\Microsoft\MSXX\exe = msxx.exe
HKLM\Software\Microsoft\MSXX\dll = msxx32.dll
HKLM\Software\Microsoft\MSXX\buf = msxx.db
HKLM\Software\Microsoft\MSXX\clo = msxx
HKLM\Software\Microsoft\MSXX\cls = random CLSID used
HKLM\Software\Microsoft\MSXX\port = backdoor port
HKLM\Software\Microsoft\MSXX\pid = process id of process containing malicious thread which is protected by rootkit
HKLM\Software\Microsoft\MSXX\net 
HKLM\Software\Microsoft\MSXX\drx
HKLM\Software\Microsoft\MSXX\fst
HKLM\Software\Microsoft\MSXX\ver
HKLM\Software\Microsoft\MSXX\cd
HKLM\Software\Microsoft\MSXX\duc
HKLM\Software\Microsoft\MSXX\huk
HKLM\Software\Microsoft\MSXX\inv
HKLM\Software\Microsoft\MSXX\mti
HKLM\Software\Microsoft\MSXX\sca
HKLM\Software\Microsoft\MSXX\ton
HKLM\Software\Microsoft\MSXX\usc
HKLM\Software\Microsoft\MSXX\use
HKLM\Software\Microsoft\MSXX\uzc

HKLM\Software\Microsoft\MSXX\dat\    (contains harvested email addresses)
HKLM\Software\Microsoft\MSXX\fdat\  
HKLM\Software\Microsoft\MSXX\ldat\
HKLM\Software\Microsoft\MSXX\sdat\ (contains information about share folder infections to be protected by rootkit)
The worm also continuously walks a long list of registry keys belonging to many different services and deletes the "FailureAction" subkey under each of them.
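As an added example (not code from the Lumension page), the following Python checks a Windows registry export for the persistence pattern described above: a ShellServiceObjectDelayLoad value named msXX32.dll, a CLSID whose InprocServer32 points at that DLL, and an HKLM\Software\Microsoft\MSXX configuration key carrying the documented value names. The .reg text, the letters "qz" and the CLSID are constructed placeholders, and the benign MSDN key is included to show why a single two-letter match is not enough on its own.

```python
import re
from collections import defaultdict

# Constructed .reg export (not from the original page): the random letters are
# "qz" here, the CLSID is a placeholder, and the MSDN key is a benign decoy.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"msqz32.dll"="{00000000-1111-2222-3333-444444444444}"
[HKEY_CLASSES_ROOT\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\WINDOWS\\system32\\msqz32.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\MSQZ]
"exe"="msqz.exe"
"dll"="msqz32.dll"
"port"=dword:00001f90
[HKEY_LOCAL_MACHINE\Software\Microsoft\MSDN]
"Version"="8.0"
"""

FEEBS_DLL = re.compile(r"ms[a-z]{2}32\.dll$", re.IGNORECASE)
MSXX_KEY = re.compile(r"^HKEY_LOCAL_MACHINE\\Software\\Microsoft\\MS[A-Z]{2}$", re.IGNORECASE)
INPROC_KEY = re.compile(r"\\CLSID\\\{[0-9A-F-]+\}\\InprocServer32$", re.IGNORECASE)
# Value names the description lists under HKLM\Software\Microsoft\MSXX
MSXX_VALUES = {"dir", "exe", "dll", "buf", "clo", "cls", "port", "pid"}

def parse_reg(text):
    """Return {key: {value_name: data}} from a .reg export (minimal parser)."""
    keys, current = defaultdict(dict), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and "=" in line:
            name, data = line.split("=", 1)
            keys[current][name.strip('"')] = data.strip().strip('"')
    return keys

def find_feebs_indicators(text):
    """Flag registry entries matching the Feebs persistence pattern."""
    hits = []
    for key, values in parse_reg(text).items():
        if key.lower().endswith("\\shellserviceobjectdelayload"):
            hits += [("ssodl", key, n) for n in values if FEEBS_DLL.search(n)]
        elif INPROC_KEY.search(key) and FEEBS_DLL.search(values.get("@", "")):
            hits.append(("clsid", key, values["@"]))
        # Require two or more of the documented value names so that unrelated
        # keys such as HKLM\Software\Microsoft\MSDN are not flagged.
        elif MSXX_KEY.match(key) and len(MSXX_VALUES & {v.lower() for v in values}) >= 2:
            hits.append(("config", key, sorted(values)))
    return hits
```

On a live system the same checks can be run against the output of `reg export` for HKLM and HKCR; treat a hit as a lead for further triage, since the two random letters alone give little certainty.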

Payload Details

The worm sets up an open backdoor on the infected machine, which may allow an attacker to gain access to it, and also starts a small HTTP server on port 80 that serves out a copy of the worm. The worm also attacks certain security-related software by terminating processes, deleting registry keys, and blocking the software's network communication.

Analysis

n/a

Removal

The first variant in this series was added to our definitions on December 23, 2005. However, new variants have frequently been seen since.


Last Updated: 12 Nov 2015 11:06:12