Sophos

W32/Feebs-Fam

Summary

Affected operating systems Windows
Protection available since 12 January 2006 18:33:27 (GMT)
Last updated 11 May 2009 12:53:52 (GMT)
Detected by All Sophos products

More Information

W32/Feebs-Fam is a family of worms for the Windows platform.

Members of W32/Feebs-Fam typically arrive as an EXE or HTA attachment to an email. The HTA attachment will attempt to drop or download the EXE component. More details of the downloader components are listed below.

Members of W32/Feebs-Fam may also spread via file sharing on P2P networks.

When first run, members of W32/Feebs-Fam typically copy themselves to:

<System>\ms<xx>.exe
<System>\ms<xx>

and create the file ms<xx>32.dll, where <xx> are random characters; ms<xx>32.dll is a DLL component of the worm.

The following registry entry is usually created to run code exported by the worm library on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
ms<xx>32.dll
<random CLSID>

The file ms<xx>32.dll is usually registered as a COM object, creating registry entries under:

HKCR\CLSID\<random CLSID>\InprocServer32

Members of W32/Feebs-Fam usually copy themselves to available shared folders as a ZIP file, often using some of the following filenames:

3dsmax_9_(3D_Studio_Max)_new!_full+crack.zip
ACDSee_9_new!_full+crack.zip
Adobe_Photoshop_10_(CS3)_new!_full+crack.zip
Adobe_Premiere_9_(2.0_pro)_new!_full+crack.zip
Ahead_Nero_8_new!_full+crack.zip
DivX_7.0_new!_full+crack.zip
ICQ_2006_new!_full+crack.zip
Internet_Explorer_7_new!_full+crack.zip
Kazaa_4_new!_full+crack.zip
Longhorn_new!_full+crack.zip
Microsoft_Office_2006_new!_full+crack.zip
winamp_5.2_new!_full+crack.zip

Members of W32/Feebs-Fam may harvest information from the infected computer and send stolen data to a remote user via FTP.

Members of W32/Feebs-Fam may also modify entries in the registry to bypass the Windows firewall.

The downloader components of W32/Feebs-Fam usually attempt to download one of several encoded executable files and decode it to C:\recycled\userinit.exe.

The downloader components of W32/Feebs-Fam may attempt to delete the following registry entries:

HKLM\SYSTEM\CurrentControlSet\Services\KmxFile
HKLM\SYSTEM\CurrentControlSet\Services\pcipim
HKLM\SYSTEM\CurrentControlSet\Services\pcIPPsC
HKLM\SYSTEM\CurrentControlSet\Services\RapDrv
HKLM\SYSTEM\CurrentControlSet\Services\FirePM

The downloader components of W32/Feebs-Fam usually attempt to set the following registry entry in order to automatically start the downloaded file on system start:

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\(CD5AC91B-AE7B-E83A-0C4C-E616075972F3)
Stubpath
C:\recycled\userinit.exe
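As an added example (not Sophos's code), a defender-side triage script that parses a regedit export and flags values sitting in the three persistence locations described above: the ShellServiceObjectDelayLoad entry, the COM InprocServer32 registration of ms<xx>32.dll, and the Active Setup StubPath pointing at C:\recycled\userinit.exe. The sample export, the ms<xx>32.dll match pattern and the GUIDs in it are constructed for illustration.

```python
import re

# Constructed regedit-style export used as sample input, not data from a real infected
# host; names follow the patterns in the description above, GUIDs are placeholders.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"msab32.dll"="{11111111-2222-3333-4444-555555555555}"
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\WINDOWS\\system32\\msab32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{PLACEHOLDER-GUID}]
"StubPath"="C:\\recycled\\userinit.exe"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# String values only ("name"="data" or @="data"); dword/hex values are ignored.
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))="(?P<data>.*)"$')
FEEBS_DLL_RE = re.compile(r"^ms..32\.dll$", re.IGNORECASE)  # ms<xx>32.dll


def parse_reg_export(text):
    """Yield (key, value_name, data) for every string value in a decoded .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = "@" if m.group("default") else m.group("name")
            # .reg files escape backslashes and double quotes inside string data.
            yield key, name, m.group("data").replace("\\\\", "\\").replace('\\"', '"')


def find_feebs_indicators(text):
    """Return (indicator, key, name, data) for values in the persistence locations above."""
    findings = []
    for key, name, data in parse_reg_export(text):
        k = key.lower()
        if k.endswith("\\shellserviceobjectdelayload") and FEEBS_DLL_RE.match(name):
            findings.append(("ShellServiceObjectDelayLoad", key, name, data))
        elif "\\clsid\\" in k and k.endswith("\\inprocserver32") \
                and FEEBS_DLL_RE.match(data.rsplit("\\", 1)[-1]):
            findings.append(("COM InprocServer32", key, name, data))
        elif "\\active setup\\installed components\\" in k and name.lower() == "stubpath" \
                and data.lower().endswith("\\recycled\\userinit.exe"):
            findings.append(("Active Setup StubPath", key, name, data))
    return findings
```

Real exports produced by regedit are UTF-16 encoded, so decode the file before passing its text to `find_feebs_indicators`.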
