Sophos

W32/Febelneck-A

Aliases
  • W32.Febelneck@mm
  • I-Worm.Febelneck

Summary

Protection available since 4 August 2004 08:20:17 (GMT)
Detected by All Sophos products
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

Action

Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Protection = C:\Windows\system\Protection.exe

and delete it if it exists.

Close the registry editor.

  • Files deleted by W32/Febelneck-A should be restored from clean backups or the original installation media.
  • You should also check for any other changes that the worm may have made to your system.

More Information

W32/Febelneck-A is a worm that disguises itself as a zip file. It does this by associating a zip file icon with infected programs.

W32/Febelneck-A spreads by copying itself to the following predefined locations:

C:\windows\
C:\windows\system\
A:\

with a file name chosen from the list:

Mis Fotos.exe
Cancion.exe
Juego.exe
Pamela Anderson.exe
Fotos Locas.exe
Programa Automatizaci.exe
Importante.exe
Diablo II.exe
Resident Evil.exe
Registros IFE.exe
Mery Christmas.exe

In order to run automatically each time Windows is started, the worm sets the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Protection = C:\Windows\system\Protection.exe

W32/Febelneck-A may attempt to spread by emailing itself through Microsoft Outlook Express with one of the following subject lines:

Haber si te gustan mis fotos :|
Haber que te parezco ?
Hola, Pues aqui te las mando
No te vayas a burlar de mi :(
Soy de cara bonita :))

W32/Febelneck-A will attempt to disable anti-virus products by closing their windows and disabling their autostart registry entries.

The worm will attempt to change the name of the infected computer to "Nebelfleck".

W32/Febelneck-A may attempt to delete all files on the infected computer's hard drive by running a file located at C:\obj.bat. This file should be deleted.
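As an added example, not part of the Sophos write-up, the following PowerShell script performs a read-only triage of a Windows host for the indicators described above: the Run value the worm sets (see the removal steps under Action), copies of the worm under the predefined file names in the three drop locations, the C:\obj.bat payload file, and the "Nebelfleck" computer name. It assumes PowerShell 4 or later (for Get-FileHash) and an elevated prompt so that HKLM and every drive are readable; all paths, names and registry data are taken from the write-up, nothing else is assumed.

```powershell
# Added triage example (not Sophos code): report W32/Febelneck-A indicators on this host.
# It only reports; removal follows the steps in the write-up once a hit is confirmed.

$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'Protection'
$runData  = 'C:\Windows\system\Protection.exe'

# Drop locations and file names listed in the write-up.
$dropDirs  = @('C:\windows\', 'C:\windows\system\', 'A:\')
$dropNames = @(
    'Mis Fotos.exe', 'Cancion.exe', 'Juego.exe', 'Pamela Anderson.exe',
    'Fotos Locas.exe', 'Programa Automatizaci.exe', 'Importante.exe',
    'Diablo II.exe', 'Resident Evil.exe', 'Registros IFE.exe', 'Mery Christmas.exe'
)
$payloadScript = 'C:\obj.bat'
$hostnameIoC   = 'Nebelfleck'

$findings = New-Object System.Collections.Generic.List[string]

# 1. Autostart persistence: the Run value the worm creates.
$run = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
if ($run) {
    $data = $run.$runValue
    if ($data -ieq $runData) {
        $findings.Add("Run value '$runValue' = '$data' (matches write-up)")
    } else {
        $findings.Add("Run value '$runValue' present with unexpected data '$data' (review)")
    }
}

# 2. Copies of the worm under the predefined file names; hash each hit for the incident record.
foreach ($dir in $dropDirs) {
    # A:\ may not exist or may have no media; treat that as "nothing to check".
    if (-not (Test-Path -LiteralPath $dir -ErrorAction SilentlyContinue)) { continue }
    foreach ($name in $dropNames) {
        $p = Join-Path -Path $dir -ChildPath $name
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            $findings.Add("Dropped file: $p SHA256=$h")
        }
    }
}

# 3. Batch file used for the destructive payload.
if (Test-Path -LiteralPath $payloadScript -PathType Leaf) {
    $findings.Add("Payload script present: $payloadScript")
}

# 4. Computer name change.
if ($env:COMPUTERNAME -ieq $hostnameIoC) {
    $findings.Add("Computer name is '$hostnameIoC'")
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Febelneck-A indicators found.'
} else {
    Write-Output "W32/Febelneck-A indicators found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it from an elevated PowerShell prompt after scanning with an up-to-date engine. A Run value named Protection whose data differs from the path in the write-up is reported separately rather than ignored, because variants and unrelated software can reuse the name; confirm before removing it with Remove-ItemProperty, which is the same step the Action section performs by hand in Regedit.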
