Sophos

W32/Feebs-BO

Aliases
  • Worm.Win32.Feebs.gen
  • JS/Feebs.gen.x@MM

Summary

How it spreads
  • Email attachments
Affected operating systems Windows
Characteristics
  • Drops more malware
Included in our products from June 2007 (4.18)
Protection available since 23 April 2007 23:38:00 (GMT)
Detected by All Sophos products

More Information

W32/Feebs-BO is an email and P2P worm for the Windows platform.

W32/Feebs-BO includes functionality to access the internet and communicate with a remote server via HTTP.

When run, the worm creates the files mslm32.dll and msya.exe in the system folder, and userinit.exe in C:\recycled. All dropped files are already detected as Mal/Packer.

(system)\msya.exe
(system)\mslm32.dll
C:\recycled\userinit.exe

The following registry entries are created so that the DLL is subsequently loaded:

HKCR\CLSID\{F2AC35FB-6CE1-A1B2-6361-51AF16EB0286}\InprocServer32
(system)\mslm32.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
mslm
{F2AC35FB-6CE1-A1B2-6361-51AF16EB0286}
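The detection-relevant point in the entries above is the two-step chain: a value under ShellServiceObjectDelayLoad names a CLSID, and that CLSID's InprocServer32 key names the DLL that Explorer loads at logon. The following is an added example, not part of the Sophos write-up: a Python script that parses a constructed .reg export of those keys and flags SSODL entries whose CLSID resolves to a DLL outside an assumed baseline, or to nothing at all. The concrete C:\WINDOWS\system32 path, the second and third SSODL entries and the baseline DLL list are assumptions.

```python
from typing import Dict, List, Tuple

SSODL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
             r"\CurrentVersion\ShellServiceObjectDelayLoad")
# Assumed baseline of DLLs legitimately registered under SSODL on the
# systems being checked; tune this to your own build image.
BASELINE_DLLS = {"netshell.dll", "stobject.dll", "webcheck.dll"}

# Constructed .reg export modelled on the write-up's entries. The system32
# path, the Network.ConnectionTray entry and the orphan CLSID are assumptions.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{F2AC35FB-6CE1-A1B2-6361-51AF16EB0286}\InprocServer32]
@="C:\\WINDOWS\\system32\\mslm32.dll"

[HKEY_CLASSES_ROOT\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\InprocServer32]
@="C:\\WINDOWS\\system32\\netshell.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Network.ConnectionTray"="{7007ACC7-3202-11D1-AAD2-00805FC1270E}"
"mslm"="{F2AC35FB-6CE1-A1B2-6361-51AF16EB0286}"
"orphan"="{00000000-0000-0000-0000-000000000001}"
"""

def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the [key] and "name"="value" lines of a .reg export (string values only)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if value.startswith('"') and value.endswith('"'):
                # .reg files escape backslashes and quotes inside string values
                keys[current][name] = value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return keys

def ssodl_entries(text: str) -> List[Tuple[str, str, str]]:
    """Return (value name, CLSID, resolved InprocServer32 path) for each SSODL entry."""
    keys = parse_reg(text)
    out = []
    for name, clsid in keys.get(SSODL_KEY, {}).items():
        inproc = keys.get("HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InprocServer32", {})
        out.append((name, clsid, inproc.get("@", "<unresolved>")))
    return out

def suspicious_ssodl(text: str) -> List[Tuple[str, str, str]]:
    """Flag SSODL entries whose DLL is outside the baseline or cannot be resolved."""
    return [e for e in ssodl_entries(text)
            if e[2].rsplit("\\", 1)[-1].lower() not in BASELINE_DLLS]
```

On a live host the same logic applies to a `reg export` of the two keys; an unresolved CLSID is worth a look too, since it can mean the DLL's registration was removed after the fact.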

W32/Feebs-BO also drops multiple zip files containing a copy of the worm, using various enticing filenames. For example:

Ahead_Nero_8_new!_full+crack.zip
DivX_8.0_new!_full+crack.zip
ICQ_2007_new!_full+crack.zip
Internet_Explorer_7_new!_full+crack.zip
Kazaa_4_new!_full+crack.zip
Microsoft_Office_2006_new!_full+crack.zip
Vista_Final_new!_full+crack.zip
winamp_7_new!_full+crack.zip

The file within these archives is identical to msya.exe, and is already detected as Mal/Packer.

Configuration data is stored in the system Registry, within the following key:

HKLM\SOFTWARE\Microsoft\MSGW
