Sophos

W32/Feebs-BO

Aliases
  • Worm.Win32.Feebs.gen
  • JS/Feebs.gen.x@MM
Category
Type
What to do
Prevalence low high

Summary

 
How it spreads
  • Email attachments
Affected operating systems Windows
Characteristics
  • Drops more malware
Protection available since 23 April 2007 23:38:00 (GMT)
Detected by All Sophos products
Sophos beta program Sophos beta program
Register now for our latest beta tests
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

Action

More Information

W32/Feebs-BO is an email and P2P worm for the Windows platform.

W32/Feebs-BO includes functionality to access the internet and communicate with a remote server via HTTP.

When run, the worm creates the files mslm32.dll and msya.exe in the system folder, and userinit.exe in C:\recycled. All dropped files are already detected as Mal/Packer.

(system)\msya.exe
(system)\mslm32.dll
C:\recycled\userinit.exe

The following Registry entries in order that the dll is subsequently loaded:

HKCR\CLSID\(F2AC35FB-6CE1-A1B2-6361-51AF16EB0286)\InprocServer32
(system)\mslm32.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
mslm
(F2AC35FB-6CE1-A1B2-6361-51AF16EB0286)

W32/Feebs-BO also drops multiple zip files containing a copy of the worm, using various enticing filenames. For example:

Ahead_Nero_8_new!_full+crack.zip
DivX_8.0_new!_full+crack.zip
ICQ_2007_new!_full+crack.zip
Internet_Explorer_7_new!_full+crack.zip
Kazaa_4_new!_full+crack.zip
Microsoft_Office_2006_new!_full+crack.zip
Vista_Final_new!_full+crack.zip
winamp_7_new!_full+crack.zip

The file within these archives is identical to msya.exe, and is already detected as Mal/Packer.

Configuration data is stored in the system Registry, within the following key:

HKLM\SOFTWARE\Microsoft\MSGW

RSS|Atom
Get reports about the latest virus and spyware threats delivered to your computer