Checking my junk mail today, I noticed this email:

Encrypted Mail System

Noticing it had a large attachment, and being in an idle mood, I checked if my ISP’s AV had spotted it (presuming it was a virus) and it hadn’t.

Downloading the file, I found neither avast! or Ewido spotted it.

An online test confirmed it is malware.

The folder name is data.zip.

If the above email arrives in your inbox with the same attachment, watch out!

Of course, this confirms the need for a good spam filter, as this got diverted to my junk mail folder, and the importance of not opening attachments.

I’ve submitted the file to avast! and Ewido, and will see who adds it first!

Hi FwF,

This virus is a variant of Sober, like the W32.Sober.X@mm or W32/SOBER(X,Z), Win32.Sober W. The name of the sender is falsified, do not open attachments even if the mail seems to come from somebody known to you. The actual virus is located inside a zip-file that is sent through e-mail. Opening the attachment infects the computer. These zip-files are specially manipulated files with names like: email.zip, ebay.zip, reg_pass-zip, Ebay-User_RegC.zip, reg_pass_data.zip, mail.zip.mail_body.zip, mailtest.zip & download.zip.
For removal tool for this new sober variant:
http://vil.nai.com/vil/stinger/

polonus

10.00 Update: This file is now detected by Ewido.

This is the sort of speed avast! needs to achieve with additions to definitions of submitted files, IMHO.

This folder is now detected by my ISP AV (Norton) as W32.Feebs.

Still undetected by avast!

As Feebs is listed on the avast! home page as one of the latest threats, I’m somewhat disappointed by the result of this little experiment.

http://donaldbroatch.users.btopenworld.com/datazip.jpg

Yes somewhat disappointing, however, since VirusTotal is still using version 4.6.695, I wonder how up to date the VPS is that they are using, unless the Update date relates to signature files ?

Hello DavidR,

I do not know what the situation is right now, because yes it is critical for both the damage potential and distribution potential of this worm, is mentioned as high. Propagation is both via email and peer2peer networks. The propagation technique is similar to that of WORM BAGLE, the vector this time is malicious JavaScript in stead of a trojan dropper. The said JavaScript is found up as JS FEEBS.AF. It sends copies of aforementioned script through its own smtp-engine, and also drops copies in ZIP.archives with the string DOWNLOADS inside to other target systems in an affected peer2peer network.

The actual technical details for Arrival and Installation

This memory-resident worm arrives on an affected system as a file downloaded from the Internet by a malicious JavaScript, which Trend Micro detects as JS_FEEBS.AF. Upon execution, it drops the following files in the Windows system folder:

* Ms{two random characters} - copy of itself
* Ms{two random characters}.exe - copy of itself
* Ms{two random characters}32.dll - also detected as WORM_FEEBS.AF 

This worm injects Ms{two random characters}32.dll into EXPLORER.EXE to hide its process. Once it successfully injects the said file, it then ensures its automatic execution at every system startup. It does the said actions by creating the following registry entries, respectively:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes
CLSID{random CLSID}\InprocServer32
@ = “%System%\Ms{two random characters}32.dll”

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
Windows\CurrentVersion\ShellServiceObjectDelayLoad
Ms{two random characters}32.dll = “{random CLSID}”

Furthermore, it adds the following registry keys as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
MS{two random characters}\dat

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
MS{two random characters}\sdat

For Propagation Routines

This worm employs a propagation technique similar to that used by certain WORM_BAGLE variants. Its difference lies in its usage of a malicious JavaScript instead of a Trojan to download copies of itself from a certain location onto the affected system. The said JavaScript is detected by Trend Micro as JS_FEEBS.AF. Once this worm executes, it sends out copies of JS_FEEBS.AF to target recipients via email using its own Simple Mail Transfer Protocol (SMTP) engine. Through this SMTP engine, it is able to easily send email messages even without using other mailing applications.

The said email message it sends out has the following details:

From: Id{random number} (appended with any of the following)

• @aol.com
• @gmail.com
• @hotmail.com
• @msn.com
• @yahoo.com

Subject: (any combination from the three sets listed below)

Set 1
• Encrypted
• Extended
• Protected
• Secure

Set 2
• E-mail
• Html
• Mail
• Message

Set 3
• {none}
• From {random domain name} user
• Service
• Service {random domain name}
• System

Message body:

Subject: happy new year
ID: {random}
Password: {random}
Message is attached.

Best Regards,
{Same name as the From field},
{Same domain name as the From field}

Attachment: (any of the following)

• data.zip
• mail.zip
• message.zip
• msg.zip

The attachment of the spammed email message contains an .HTA file, which is actually a copy of JS_FEEBS.AF. The name of the said .HTA file is any combination from the two sets listed below:

* Set 1
      o Encrypted
      o Extended
      o Protected
      o Secure
* Set 2
      o E-mail
      o Html
      o Mail
      o Message

This worm also drops any of the following .ZIP archives into folders containing the string DOWNLOADS:

* 3dsmax_9_(3D_Studio_Max)_new!_full+crack.zip
* ACDSee_9_new!_full+crack.zip
* Adobe_Photoshop_10_(CS3)_new!_full+crack.zip
* Adobe_Premiere_9_(2.0_pro)_new!_full+crack.zip
* Ahead_Nero_8_new!_full+crack.zip
* DivX_7.0_new!_full+crack.zip
* ICQ_2006_new!_full+crack.zip
* Internet_Explorer_7_new!_full+crack.zip
* Kazaa_4_new!_full+crack.zip
* Longhorn_new!_full+crack.zip
* Microsoft_Office_2006_new!_full+crack.zip
* winamp_5.2_new!_full+crack.zip 

The abovementioned .ZIP archives contain the following files:

* webinstall.exe - copy of this worm
* {File name of the .ZIP file without the string _new!_full+crack}.txt - a non malicious text file

This worm is working under the assumption that folders with the said string are folders shared within peer-to-peer (P2P) networks. By dropping its copies on the said locations, it may extend its propagation reach to other targets systems within the affected P2P network. Note that the file names used by this worm’s dropped copies are like the names of popular applications, which may trick an affected user into thinking that the said files are not threats to the system.

Affected Platforms

This worm runs on Windows 98, ME, NT, 2000, XP, and Server 2003. The worm was detected by Trend-Micro in January of this year.

polonus

Well I have just done a search for FEEBS in the avast virus database and it returns 60 hits, the last 4 being feebs-dll-gen, feebs-gen, feebs-gen3 and feebs-gen3.

So it looks like some generic detections are also being thrown into the mix, these gen signatures being added on 20/04/2006

Avast’s generic detection on FEEBs variant’s isn’t best yet …

i have over 2 dozens which are undetected so far by avast … (all I sent to Alwil already in past)

Hi Dwarden,

Well there is something going on like with the MyTob family of viruses, Feebs at that time had over 30 variants, read what idefense had to say regarding the Feebs family:
http://www.idefense.com/intelligence/maliciouscode/display.php?id=396

Variants change every fortnight, and are re-packed:
http://www.virusbuster.hu/en/viruslab/descriptions/polyhtml.d

Actually all the feebs variants are cleverly obfuscated javascript
using VSB script on the bits and pieces, how it was done you can read in detal from here (I did not put a direct link here, google for it) at: (asert.arbornetworks.com/feed/+feebs+variants)

polonus

P.S. Funny we see a re-surfage of the polymorphic viruses, or have they ever been away?

there are at least 40 feebs variants and each is repacked in over than dozen executable packers etc …
so yes they pain in ass …

I tried out antivir while avast was throwing its recent wobbly and it picked up my Feebs sample with only a Feebs/gen definition.

Well with 60 avast signatures and 4 of those generic for feebs variants plus the couple of dozen (avast doesn’t catch) that you have that is at the very least 84 not counting what variants that the gen signatures do catch.
So they are a quickly replicating variants, as you say a pain in the rear.

Hi DavidR and also very interesting for FwF,

Go to this link: http://asert.arbornetworks.com/?s=feebs+variants&x=0&y=0

Here you can read how the feebs variants are being constructed.
Again here we must thank the developer of NoScript in the Mozilla type of browser. A deadly concoction here of malicious JavaScript and VB. Here is a particular Feebs variant signature for ClamWin:
JS.Feebs-C.variant-ec:3:*:756e6573636170652822(253636|66)(253735|75)(253645|6e)(253633|63 \ So like this there must be a couple of dozen more.

polonus

Yes very interesting.

Got a new variant in my mailbox today. Symantec missed it again. Antivir and AVG’s generic definitions picked it up but avast! missed it.

http://donaldbroatch.users.btopenworld.com/feebs.jpg

Will I see the day that NOD32 and Kaspersky do not detect a malware? ;D

well i yesterday got another new variant (not subvariant) … oh well

I think I was wrong to call the file I got a new variant: rather each HTML file sent out is different because this is a polymorphic worm.

In another thread we read that avast! has successfully identified the polymorphic virus Polipos: a generic detection of this worm (which Antivir and AVG manage) is needed.

No rest for the virus analyst!!