| Field | Value |
|---|---|
| How it spreads | |
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 13 January 2006 22:26:36 (GMT) |
| Last updated | 25 January 2006 06:31:48 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
The name W32/Feebs-Gen is used where a file belongs to a particular family of worms, but the variant is not separately identified. Sophos's proactive protection technology will identify such files as a -Gen variant.
- Ensure that you are using the most recent IDE files, as more precise detection could now be available. If necessary, update with the latest IDE files and repeat the scan.
- Please send us a sample to assist in improving our technology.
- Use the instructions for removing generically detected files to delete the file from your computer.
- If you require further assistance with disinfection, contact support.
More Information
W32/Feebs-Gen is a family of worms for the Windows platform.
Members of W32/Feebs-Gen typically arrive as an attachment to an email claiming to be sent via a "Protected E-Mail service", with bogus credentials. The message may lure the recipient into entering the supplied credentials into an attached HTML document.
Members of W32/Feebs-Gen may also spread via file sharing on P2P networks and may download additional files.
Members of W32/Feebs-Gen typically arrive as an EXE or HTA attachment to an email. The HTA attachment will attempt to drop or download the EXE component. More details of the downloader components are listed below.
Members of W32/Feebs-Gen may also spread via file sharing on P2P networks.
When first run, members of W32/Feebs-Gen typically copy themselves to:
```
<System>\ms<xx>.exe
<System>\ms<xx>
```
and create the file ms<xx>32.dll, where <xx> are random characters and ms<xx>32.dll is a DLL component of the worm.
The following registry entry is usually created to run code exported by the worm library on startup:
```
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
ms<xx>32.dll
<random CLSID>
```
The file ms<xx>32.dll is usually registered as a COM object, creating registry entries under:
```
HKCR\CLSID\<random CLSID>\InprocServer32
```
Members of W32/Feebs-Gen usually copy themselves to available shared folders as a ZIP file, often using one of the following filenames:
- 3dsmax_9_(3D_Studio_Max)_new!_full+crack.zip
- ACDSee_9_new!_full+crack.zip
- Adobe_Photoshop_10_(CS3)_new!_full+crack.zip
- Adobe_Premiere_9_(2.0_pro)_new!_full+crack.zip
- Ahead_Nero_8_new!_full+crack.zip
- DivX_7.0_new!_full+crack.zip
- ICQ_2006_new!_full+crack.zip
- Internet_Explorer_7_new!_full+crack.zip
- Kazaa_4_new!_full+crack.zip
- Longhorn_new!_full+crack.zip
- Microsoft_Office_2006_new!_full+crack.zip
- winamp_5.2_new!_full+crack.zip
Members of W32/Feebs-Gen may harvest information from the infected computer and send stolen data to a remote user via FTP.
Members of W32/Feebs-Gen may also modify entries in the registry to bypass the Windows firewall.
The downloader components of W32/Feebs-Gen usually attempt to download one of several encoded executable files and decode it to C:\recycled\userinit.exe.
The downloader components of W32/Feebs-Gen may attempt to delete the following registry entries (service keys belonging to security software):
```
HKLM\SYSTEM\CurrentControlSet\Services\KmxFile
HKLM\SYSTEM\CurrentControlSet\Services\pcipim
HKLM\SYSTEM\CurrentControlSet\Services\pcIPPsC
HKLM\SYSTEM\CurrentControlSet\Services\RapDrv
HKLM\SYSTEM\CurrentControlSet\Services\FirePM
```
The downloader components of W32/Feebs-Gen usually attempt to set the following registry entry in order to automatically start the downloaded file on system start:
```
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\(CD5AC91B-AE7B-E83A-0C4C-E616075972F3)
Stubpath
C:\recycled\userinit.exe
```
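The persistence locations described above (ShellServiceObjectDelayLoad, the COM InprocServer32 registration, and the Active Setup StubPath) can be checked read-only from an elevated PowerShell prompt. The script below is an added hunt example, not Sophos's own tool; it assumes the `<xx>` placeholder is two alphanumeric characters, which is an assumption about the naming pattern rather than something the advisory states.

```powershell
# Added example (not Sophos code): read-only hunt for the W32/Feebs-Gen
# persistence artefacts described above. Run as Administrator.
$findings = @()

# 1. ShellServiceObjectDelayLoad: value name ms<xx>32.dll, data = CLSID.
#    ASSUMPTION: <xx> is two alphanumeric characters.
$ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$props = Get-ItemProperty -Path $ssodl -ErrorAction SilentlyContinue
if ($props) {
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata properties
        $clsid  = [string]$p.Value
        # Resolve the COM server the CLSID points at (HKCR\CLSID\<clsid>\InprocServer32).
        $srvKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $server = (Get-ItemProperty -Path $srvKey -ErrorAction SilentlyContinue).'(default)'
        if (($p.Name -match '^ms[a-z0-9]{2}32\.dll$') -or
            ($server -match '\\ms[a-z0-9]{2}32\.dll$')) {
            $findings += [pscustomobject]@{
                Location = 'ShellServiceObjectDelayLoad'; Name = $p.Name
                Data = $clsid; Server = $server }
        }
    }
}

# 2. Active Setup: a StubPath pointing at C:\recycled\userinit.exe, or the
#    component name quoted in the advisory.
$asPath = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
Get-ChildItem -Path $asPath -ErrorAction SilentlyContinue | ForEach-Object {
    $stub = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).StubPath
    if (($stub -match '\\recycled\\userinit\.exe') -or
        ($_.PSChildName -match 'CD5AC91B-AE7B-E83A-0C4C-E616075972F3')) {
        $findings += [pscustomobject]@{
            Location = 'ActiveSetup'; Name = $_.PSChildName; Data = $stub; Server = $null }
    }
}

# 3. Dropped files named in the advisory.
$paths = @("$env:SystemDrive\recycled\userinit.exe") +
         (Get-ChildItem -Path "$env:SystemRoot\System32" -Filter 'ms??32.dll' -File `
              -ErrorAction SilentlyContinue | ForEach-Object FullName)
foreach ($f in $paths) {
    if (Test-Path -LiteralPath $f) {
        $findings += [pscustomobject]@{ Location = 'File'; Name = $f; Data = $null; Server = $null }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No W32/Feebs-Gen artefacts found.' }
```

Any ms??32.dll hit under System32 should be checked against a known-good inventory before acting on it, since the name pattern alone is broader than the worm's own files.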
