Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | October 2006 (4.10) |
| Protection available since | 13 August 2006 02:57:02 (GMT) |
| Last updated | 14 August 2006 05:39:24 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Feebs-BA is a worm for the Windows platform.
W32/Feebs-BA spreads via file sharing on P2P networks.
W32/Feebs-BA includes functionality to access the internet and communicate with
a remote server via HTTP.
W32/Feebs-BA copies itself to the Windows system folder as ms<two random
letters>.exe and creates the file ms<random characters>.dll, also detected as
W32/Feebs-BA.
W32/Feebs-BA also creates several copies of itself in ZIP format in paths
containing "share". The worm uses the following ZIP filenames:
3dsmax_9_(3D_Studio_Max)_new!_full+crack.zip
ACDSee_9_new!_full+crack.zip
Adobe_Photoshop_10_(CS3)_new!_full+crack.zip
Adobe_Premiere_9_(2.0_pro)_new!_full+crack.zip
Ahead_Nero_8_new!_full+crack.zip
DivX_7.0_new!_full+crack.zip
ICQ_2006_new!_full+crack.zip
Internet_Explorer_7_new!_full+crack.zip
Kazaa_4_new!_full+crack.zip
Longhorn_new!_full+crack.zip
Microsoft_Office_2006_new!_full+crack.zip
winamp_5.2_new!_full+crack.zip
The following registry entry is created to run code exported by the worm
library on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
ms<random characters>32.dll
(0D13BB81-D4DB-B06F-0AAF-613A52E287C3)
The dropped DLL file is registered as a COM object, creating registry entries
under:
HKCR\CLSID\(0D13BB81-D4DB-B06F-0AAF-613A52E287C3)
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\MSAE\
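The file and registry artifacts listed above can be turned into a triage check over an exported file listing and registry dump. This is an added example, not Sophos code; the function names, the confidence labels, the treatment of "Windows system folder" as a directory named System32, and the sample inventory are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Indicator values copied from the description above (CLSID matched without brackets).
CLSID = "0d13bb81-d4db-b06f-0aaf-613a52e287c3"
ZIP_SUFFIX = "_new!_full+crack.zip"
DELAYLOAD = r"hklm\software\microsoft\windows\currentversion\shellserviceobjectdelayload"
MSAE = r"hklm\software\microsoft\msae"

def check_file(path):
    """Return (indicator, confidence) for a Windows file path, or None."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    # The ZIP copies are only described in paths containing "share".
    if name.endswith(ZIP_SUFFIX) and "share" in str(p.parent).lower():
        return ("lure-zip", "high")
    # Assumption: the "Windows system folder" is a directory named System32.
    if p.parent.name.lower() == "system32" and re.fullmatch(r"ms[a-z]{2}\.exe", name):
        # Low confidence: legitimate tools such as msra.exe fit the same pattern.
        return ("ms-two-letter-exe", "low")
    return None

def check_registry(key, data=""):
    """Return (indicator, confidence) for a registry key and value data, or None."""
    k = key.lower().rstrip("\\")
    if k == DELAYLOAD and CLSID in data.lower():
        return ("delayload-clsid", "high")
    if k.startswith("hkcr\\clsid\\") and CLSID in k:
        return ("com-clsid", "high")
    if k == MSAE or k.startswith(MSAE + "\\"):
        return ("msae-key", "medium")  # key name only; the page lists no values
    return None

def triage(files, reg_rows):
    """Collect hits from a file listing and (key, data) registry rows."""
    file_hits = [(f, *r) for f in files if (r := check_file(f))]
    return file_hits + [(k, *r) for k, d in reg_rows if (r := check_registry(k, d))]

# Constructed sample inventory, not real telemetry.
FILES = [
    r"C:\Program Files\Kazaa\My Shared Folder\Kazaa_4_new!_full+crack.zip",
    r"C:\WINDOWS\system32\msqk.exe",
    r"C:\WINDOWS\system32\notepad.exe",
]
REG = [
    (DELAYLOAD, "{0D13BB81-D4DB-B06F-0AAF-613A52E287C3}"),
    ("HKLM\\SOFTWARE\\Microsoft\\MSAE\\", ""),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", ""),
]
```

A low-confidence executable hit should be corroborated by one of the registry indicators before the host is treated as infected.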
