Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 26 January 2006 23:40:04 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Feebs-J is a worm for the Windows platform.
The worm may arrive as an attachment to an email claiming to be sent via "Protected E-Mail service" with bogus credentials. The message may lure the recipient into entering the supplied credentials into an attached HTML document.
W32/Feebs-J spreads via file sharing on P2P networks by copying itself to the available shared folders with the following filenames:
3dsmax_9_(3D_Studio_Max)_new!_full+crack.zip
ACDSee_9_new!_full+crack.zip
Adobe_Photoshop_10_(CS3)_new!_full+crack.zip
Adobe_Premiere_9_(2.0_pro)_new!_full+crack.zip
Ahead_Nero_8_new!_full+crack.zip
DivX_7.0_new!_full+crack.zip
ICQ_2006_new!_full+crack.zip
Internet_Explorer_7_new!_full+crack.zip
Kazaa_4_new!_full+crack.zip
Longhorn_new!_full+crack.zip
Microsoft_Office_2006_new!_full+crack.zip
winamp_5.2_new!_full+crack.zip
W32/Feebs-J may also harvest information from the infected computer and send stolen data to a remote user via FTP.
When first run, W32/Feebs-J copies itself to:
<Windows system folder>\mskj.exe
<Windows system folder>\msma
and creates the file:
<Windows system folder>\mspc32.dll
The following registry entry is created to run code exported by the worm library on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
mspc32.dll
{8EBB4EC4-DD60-E1B1-E00E-DA54CCE9218D}
The file mspc32.dll is registered as a COM object, creating registry entries under:
HKCR\CLSID\{8EBB4EC4-DD60-E1B1-E00E-DA54CCE9218D}
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\MSAE\sdat\<Program Files>\<application name>\<shared folder>
<filename>.zip
where <filename>.zip is the packed worm copy with the name chosen from the list above.
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\MSAE\
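
The file and registry artifacts listed above can be checked on a suspect host with a read-only script. This is an added example, not Sophos's removal procedure; the SysWOW64 and WOW6432Node locations and the Program Files search roots are assumptions added to cover 64-bit systems and do not appear in the original description.

```powershell
# Added example: read-only host check for the W32/Feebs-J artifacts listed above.
$clsid = '{8EBB4EC4-DD60-E1B1-E00E-DA54CCE9218D}'
$hits  = [System.Collections.Generic.List[string]]::new()

# Assumption: on 64-bit Windows a 32-bit process is redirected to SysWOW64 and
# WOW6432Node, so both views are checked. Paths that do not exist are skipped.
$sysDirs  = "$env:windir\System32", "$env:windir\SysWOW64"
$swRoots  = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node'
$clsRoots = 'Registry::HKEY_CLASSES_ROOT\CLSID',
            'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID'

# 1. Worm copies and library in the Windows system folder
foreach ($dir in $sysDirs) {
    foreach ($name in 'mskj.exe', 'msma', 'mspc32.dll') {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path) { $hits.Add("file      $path") }
    }
}

# 2. ShellServiceObjectDelayLoad autostart value and the MSAE key
foreach ($root in $swRoots) {
    $ssodl = "$root\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
    if (Test-Path -LiteralPath $ssodl) {
        $key = Get-Item -LiteralPath $ssodl
        foreach ($valueName in $key.GetValueNames()) {
            $data = [string]$key.GetValue($valueName)
            if ($valueName -eq 'mspc32.dll' -or $data -eq $clsid) {
                $hits.Add("autostart $ssodl : $valueName = $data")
            }
        }
    }
    $msae = "$root\Microsoft\MSAE"
    if (Test-Path -LiteralPath $msae) { $hits.Add("key       $msae") }
}

# 3. COM registration of mspc32.dll
foreach ($root in $clsRoots) {
    $comKey = "$root\$clsid"
    if (Test-Path -LiteralPath $comKey) { $hits.Add("com       $comKey") }
}

# 4. Packed copies in P2P shared folders: every listed name ends in the same suffix
$programDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
foreach ($dir in $programDirs) {
    Get-ChildItem -LiteralPath $dir -Recurse -File -Filter '*_new!_full+crack.zip' -ErrorAction SilentlyContinue |
        ForEach-Object { $hits.Add("p2p-copy  $($_.FullName)") }
}

if ($hits.Count) { $hits } else { 'No W32/Feebs-J artifacts from this page were found.' }
```

Run it from an elevated session so the HKLM and system-folder checks are not hidden by access restrictions; the subkeys under `MSAE\sdat` name the shared folders that received a packed copy.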
