
FEEBS WORM SPREADS IN THE WILD

Virus Name : Worm.Win32.Feebs.Gen
Alias : Win32/Mocalo, W32/Kmax, Win32.HLLM.Graz, W32.Feebs, JS/Feebs
Virus type : Internet Worm
Threat level : Medium

Virus details :
Feebs is a family of e-mail and peer-to-peer (P2P) worms. It arrives as an e-mail attachment: a ZIP file containing an HTML Application (HTA) file. Feebs uses rootkit techniques to avoid detection. It also disables security-related programs.

When the worm file is executed, it copies worm components to the Windows system folder as:

MS[random characters].exe
MS[random characters]32.dll
MS[random characters]
C:\Recycled\Userinit.exe or C:\Command.exe [ A few variants of the Feebs worm copy themselves under these names ]

The Feebs worm modifies several registry keys so that it loads automatically on the next startup. The registry modifications are given below.

[HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"%System%\ms[random characters]32.dll" = "{[random CLSID]}"

[HKLM\CLSID\{[random CLSID]}\InprocServer32]
"(default)" = "%System%\ms[random characters]32.dll"

[ By default, %SYSTEM% will be C:\Windows\System in case of Windows 95/98/ME, C:\Winnt\System32 in case of Windows NT/2000 and C:\Windows\System32 in case of Windows XP ]
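
The persistence described above can be checked offline against a regedit export. This is an added example, not code from the original advisory or from Solo. It assumes string (REG_SZ) values, treats "random characters" as letters or digits, and accepts the CLSID key under any hive; the sample export is constructed.

```python
import re

# Constructed sample in regedit export (.reg) syntax. CLSIDs and the ms*32.dll name are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{11111111-1111-1111-1111-111111111111}"
"msqzkt32"="{22222222-2222-2222-2222-222222222222}"

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\WINDOWS\\system32\\webcheck.dll"

[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]
@="C:\\WINDOWS\\system32\\msqzkt32.dll"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')  # string values only
INPROC_RE = re.compile(r'\\CLSID\\(\{[0-9a-f-]+\})\\InprocServer32$', re.I)  # any hive
SSODL_SUFFIX = r'\currentversion\shellserviceobjectdelayload'
# Assumption: "random characters" are letters or digits. Legitimate system DLLs share
# this shape, so the name only counts when it is reached through the SSODL key.
FEEBS_DLL = re.compile(r'^ms[a-z0-9]+32\.dll$', re.I)

def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        key, val = KEY_RE.match(line), VAL_RE.match(line)
        if key:
            current = keys.setdefault(key.group(1), {})
        elif val and current is not None:
            # .reg files escape backslashes as "\\"; undo that for names and data.
            name, data = (s.strip('"').replace('\\\\', '\\') for s in val.groups())
            current[name] = data
    return keys

def suspicious_ssodl(text):
    """List (value_name, clsid, dll) for SSODL entries that lead to an ms<random>32.dll.

    The CLSID is resolved through its InprocServer32 default value; if that key is not
    in the export, the value name is used, since the advisory lists the DLL path there.
    """
    keys = parse_reg(text)
    found = ((INPROC_RE.search(p), v) for p, v in keys.items())
    inproc = {m.group(1).lower(): v['@'] for m, v in found if m and '@' in v}
    hits = []
    for path, vals in keys.items():
        if path.lower().endswith(SSODL_SUFFIX):
            for name, clsid in vals.items():
                dll = inproc.get(clsid.lower(), name)
                if FEEBS_DLL.match(dll.rsplit('\\', 1)[-1]):
                    hits.append((name, clsid, dll))
    return hits
```

Calling `suspicious_ssodl(SAMPLE_REG)` returns only the `msqzkt32` entry; the `WebCheck` entry resolves to a DLL that does not fit the name pattern and is skipped.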

The infected mail sample is given below

The Feebs worm uses Winsock to send infected attachments with the HTA dropper. It tries to terminate security programs on the infected system. Feebs contains backdoor abilities and it opens HTTP port 80. It allows hackers to upload and steal files from the infected computer.

Feebs searches drives C to Z and copies itself to folders whose names contain the string "share", "upload" or "sharing". This string search allows the worm to spread using file-sharing networks like KaZaA and iMesh. The worm uses file names from the following list:

3dsmax_9_(3D_Studio_Max)_new!_full+crack.zip
ACDSee_9_new!_full+crack.zip
Adobe_Photoshop_10_(CS3)_new!_full+crack.zip
Adobe_Premiere_9_(2.0_pro)_new!_full+crack.zip
Ahead_Nero_8_new!_full+crack.zip
DivX_7.0_new!_full+crack.zip
ICQ_2006_new!_full+crack.zip
Internet_Explorer_7_new!_full+crack.zip
Kazaa_4_new!_full+crack.zip
Longhorn_new!_full+crack.zip
Microsoft_Office_2006_new!_full+crack.zip
winamp_5.2_new!_full+crack.zip

How can I protect my system?

Solo has incorporated Worm.Win32.Feebs.Gen and its variants in its signature file to protect users from this worm attack. Solo Antivirus registered users are already protected from this worm. Make sure that you have installed the registered version of Solo Antivirus to protect your system from all virus threats.

How to remove this Worm?

If you are already infected with this worm, you can remove it from your computer using Solo Antivirus software. Use the following link to download a 30-day trial version of Solo Antivirus to remove viruses from your computer. Solo Antivirus can detect and eliminate Worm.Win32.Feebs.Gen safely.

Solo Antivirus not only scans for all viruses, it also contains a unique System Integrity Checker to protect you from new Internet worms, backdoors and malicious VB and Java scripts. It also effectively removes all existing Internet worms, file viruses, malicious VB and Java scripts, Trojans, backdoors, and boot sector, partition table and macro viruses.

You can purchase Solo antivirus using the link
