Sophos

W32/Feebs-E

Aliases
  • Worm.Win32.Feebs.gen
  • JS/Feebs.gen.c@MM

Summary

 
How it spreads
  • Email attachments
  • Peer-to-peer
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Included in our products from March 2006 (4.03)
Protection available since 24 January 2006 05:25:25 (GMT)
Last updated 24 January 2006 15:25:14 (GMT)
Detected by All Sophos products

More Information

W32/Feebs-E is a worm for the Windows platform.

The worm may arrive as an attachment to an email claiming to be sent via "Protected Message service" with bogus credentials. The message may lure the recipient into entering the supplied credentials into an attached HTML document.

W32/Feebs-E spreads via file sharing on P2P networks.

When first run, W32/Feebs-E copies itself to:

<System>\ms<xx>.exe
<System>\ms<xx>

and creates the file <System>\ms<xx>32.dll, where <xx> are random characters and ms<xx>32.dll is a DLL component of the worm.

The following registry entry is created to run code exported by the worm library on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
ms<xx>32.dll
<random CLSID>

The file ms<xx>32.dll is registered as a COM object, creating registry entries under:

HKCR\CLSID\<random CLSID>\InprocServer32

W32/Feebs-E copies itself to the available shared folders using the following filenames:

3dsmax_9_(3D_Studio_Max)_new!_full+crack.zip
ACDSee_9_new!_full+crack.zip
Adobe_Photoshop_10_(CS3)_new!_full+crack.zip
Adobe_Premiere_9_(2.0_pro)_new!_full+crack.zip
Ahead_Nero_8_new!_full+crack.zip
DivX_7.0_new!_full+crack.zip
ICQ_2006_new!_full+crack.zip
Internet_Explorer_7_new!_full+crack.zip
Kazaa_4_new!_full+crack.zip
Longhorn_new!_full+crack.zip
Microsoft_Office_2006_new!_full+crack.zip
winamp_5.2_new!_full+crack.zip

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\MSAE\
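
The indicators described above can be checked together against a host inventory. The following triage sketch is an added example, not Sophos code. It assumes that <xx> is exactly two characters, that the same <xx> appears in the worm copy and in the DLL name, and that file paths and registry values have already been exported into the simple lists shown; the function name, severity labels and sample data are hypothetical.

```python
import re
from pathlib import PureWindowsPath

# Assumption: "<xx>" on the page stands for exactly two random characters.
LIB = re.compile(r"^ms(.{2})32\.dll$", re.I)          # ms<xx>32.dll
COPY = re.compile(r"^ms(.{2})(?:\.exe)?$", re.I)      # ms<xx>.exe / ms<xx>
LURE = re.compile(r"_new!_full\+crack\.zip$", re.I)   # copies in shared folders
SSODL = (r"hklm\software\microsoft\windows\currentversion"
         r"\shellserviceobjectdelayload")
MSAE = r"hklm\software\microsoft\msae"

def triage(files, reg_values):
    """files: Windows paths; reg_values: (key, value_name, data) tuples."""
    findings, libs = [], set()
    for key, name, data in reg_values:
        k = key.lower().rstrip("\\")
        m = LIB.match(name)
        if k == SSODL and m:
            libs.add(m.group(1).lower())
            findings.append(("high", f"SSODL autorun {name} -> {data}"))
        elif k == MSAE or k.startswith(MSAE + "\\"):
            findings.append(("medium", f"MSAE key present: {key}"))
    for path in files:
        base = PureWindowsPath(path).name
        m = COPY.match(base)
        if LURE.search(base):
            findings.append(("high", f"lure archive in share: {path}"))
        elif m and m.group(1).lower() in libs:
            # A name match alone is weak (msra.exe, msdt.exe are legitimate),
            # so report only when the same <xx> is in the SSODL autorun.
            findings.append(("high", f"worm copy paired with autorun: {path}"))
    return findings

# Constructed sample inventory, not data from the advisory.
KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\msqz.exe",
    r"C:\WINDOWS\system32\msra.exe",
    r"C:\Shared\Kazaa_4_new!_full+crack.zip",
    r"C:\Shared\holiday_photos.zip",
]
SAMPLE_REG = [
    (KEY, "msqz32.dll", "{00000000-0000-0000-0000-000000000000}"),
    (KEY, "WebCheck", "{11111111-1111-1111-1111-111111111111}"),
]

if __name__ == "__main__":
    for severity, detail in triage(SAMPLE_FILES, SAMPLE_REG):
        print(severity, detail)
```

A hit should be confirmed by checking that HKCR\CLSID\<CLSID>\InprocServer32 for the reported CLSID points at the same DLL.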
