Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 13 March 2006 20:59:42 (GMT) |
| Last updated | 23 March 2006 13:57:27 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Feebs-M is a worm for the Windows platform.
W32/Feebs-M spreads via file sharing on P2P networks.
When first run, W32/Feebs-M creates the following files:
<Windows system folder>\msoe
<Windows system folder>\msry.exe
<Windows system folder>\msdy32.dll
Each of these files is also detected as W32/Feebs-M.
W32/Feebs-M creates archives with the following names in the shared folders of popular P2P applications:
3dsmax_9_(3D_Studio_Max)_new!_full+crack.zip
ACDSee_9_new!_full+crack.zip
Adobe_Photoshop_10_(CS3)_new!_full+crack.zip
Adobe_Premiere_9_(2.0_pro)_new!_full+crack.zip
Ahead_Nero_8_new!_full+crack.zip
DivX_7.0_new!_full+crack.zip
ICQ_2006_new!_full+crack.zip
Internet_Explorer_7_new!_full+crack.zip
Kazaa_4_new!_full+crack.zip
Longhorn_new!_full+crack.zip
Microsoft_Office_2006_new!_full+crack.zip
winamp_5.2_new!_full+crack.zip
Each of these archives contains the W32/Feebs-M executable and a text file claiming to be a serial number.
The following registry entry is created to run code exported by the worm library on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
msdy32.dll
{18D587C0-5332-89C5-61AE-0A734D699959}
The file msdy32.dll is registered as a COM object, creating registry entries under:
HKCR\CLSID\{18D587C0-5332-89C5-61AE-0A734D699959}
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\MSAE\sdat
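The files, registry entries and archive names listed above can be checked on a host in one read-only pass. The PowerShell function below is an added example, not Sophos code; the function name, the `-SharedFolders` parameter, and the additional SysWOW64 and WOW6432Node locations are assumptions that go beyond what this description lists.

```powershell
# Added example (not Sophos code): read-only check for the artifacts listed above.
# -SharedFolders is a hypothetical parameter; the page does not name the P2P folders.
function Find-FeebsMArtifacts {
    param([string[]]$SharedFolders = @())
    $clsid = '{18D587C0-5332-89C5-61AE-0A734D699959}'
    $hits  = @()

    # Dropped files, names exactly as listed. SysWOW64 is an added assumption:
    # 32-bit code on 64-bit Windows has system-folder writes redirected there.
    foreach ($dir in "$env:windir\System32", "$env:windir\SysWOW64") {
        foreach ($name in 'msoe', 'msry.exe', 'msdy32.dll') {
            $path = Join-Path $dir $name
            if (Test-Path -LiteralPath $path) {
                $hits += [pscustomobject]@{ Type = 'File'; Location = $path }
            }
        }
    }

    # Startup entry: any ShellServiceObjectDelayLoad value whose data is the CLSID.
    foreach ($sw in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
        $run = "$sw\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
        $key = Get-Item -LiteralPath $run -ErrorAction SilentlyContinue
        if ($key) {
            foreach ($v in $key.GetValueNames()) {
                if ([string]$key.GetValue($v) -eq $clsid) {
                    $hits += [pscustomobject]@{ Type = 'StartupValue'; Location = "$run\$v" }
                }
            }
        }
    }

    # COM registration and the worm's own key (32-bit views are added assumptions).
    $keys = @(
        "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        "Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID\$clsid"
        'HKLM:\SOFTWARE\Microsoft\MSAE\sdat'
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\MSAE\sdat'
    )
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) { $hits += [pscustomobject]@{ Type = 'RegistryKey'; Location = $k } }
    }

    # P2P lures: every archive name listed above ends in "_new!_full+crack.zip".
    foreach ($folder in $SharedFolders) {
        foreach ($f in Get-ChildItem -LiteralPath $folder -Filter '*_new!_full+crack.zip' -File -Recurse -ErrorAction SilentlyContinue) {
            $hits += [pscustomobject]@{ Type = 'LureArchive'; Location = $f.FullName }
        }
    }
    $hits
}
```

An empty result means none of the listed artifacts were found at these locations; it does not replace the removal instructions referenced under Action.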
