Worm.Win32.Feebs.gt
From Total Malware Info
This worm spreads copies of itself on the user's hard drive and via file-sharing networks. It is a Windows executable (PE EXE) file, 61 616 bytes in size, packed with Upack; the unpacked size is about 339 900 bytes.
Installation
When launched, the worm extracts the following file from its body:
c:\a (60 119 bytes in size)
This is a Windows DLL containing the worm's main code. After extraction, the file is loaded and used by the worm's loader.
It creates the following registry key to store its own settings:
[HKLM\SOFTWARE\Microsoft\MSIT]
When loaded, the extracted DLL copies the original worm EXE to:
%System%\ms**.exe
and its own file to:
%System%\ms**32.dll
where ** stands for random letters.
The worm then creates the following registry entries:
[HKCR\CLSID\<CLSID>]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
ms**32.dll=<CLSID>
where <CLSID> is taken from the following registry value:
[HKLM\SOFTWARE\Microsoft\MSIT] cls
so that the worm's executables are launched every time Windows starts.
Payload
The worm tries to hide its own process using the undocumented function RegisterServiceProcess.
It creates ZIP archives on the hard drive containing the worm executable under the name "webinstall.exe"; the archives have the following file names:
3dsmax_9_(3D_Studio_Max)_new!_full+crack.zip
ACDSee_9_new!_full+crack.zip
Adobe_Photoshop_10_(CS3)_new!_full+crack.zip
Adobe_Premiere_9_(2.0_pro)_new!_full+crack.zip
Ahead_Nero_8_new!_full+crack.zip
DivX_7.0_new!_full+crack.zip
ICQ_2006_new!_full+crack.zip
Internet_Explorer_7_new!_full+crack.zip
Kazaa_4_new!_full+crack.zip
Longhorn_new!_full+crack.zip
Microsoft_Office_2006_new!_full+crack.zip
winamp_5.2_new!_full+crack.zip
These files are created in the following folders:
%WinDir%\downloaded program files
%WinDir%\ime\shared
%WinDir%\pchealth\uploadlb
%WinDir%\pchealth\uploadlb\binaries
%WinDir%\pchealth\uploadlb\config
%WinDir%\pchealth\uploadlb\config\
%WinDir%\softwaredistribution\download
%ProgramFiles%\movie maker\shared\
%ProgramFiles%\movie maker\shared\profiles
The worm stores a list of the created files in the following registry key:
[HKLM\SOFTWARE\Microsoft\MSIT\sdat]
It scans files with the extensions .txt, .nfo and .htm for email addresses and stores the addresses it finds in the following registry key:
[HKLM\SOFTWARE\Microsoft\MSIT\dat]
It deletes the following registry keys:
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{CD5AC91B-AE7B-E83A-0C4C-E616075972F3}]
[HKCR\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKCR\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
It loads its own DLL into all running processes except:
svchost.exe
smss.exe
csrss.exe
It installs API hooks on the following functions:
send
gethostbyname
HttpOpenRequestW
HttpOpenRequestA
HttpSendRequestW
HttpSendRequestA
InternetReadFile
ZwQuerySystemInformation
OpenProcess
FindFirstFileW
FindFirstFileA
FindNextFileW
FindNextFileA
RegEnumKeyA
RegEnumKeyW
RegEnumKeyExA
RegEnumKeyExW
RegEnumValueA
RegEnumValueW
The hook procedure for the following functions:
send
gethostbyname
HttpOpenRequestW
HttpOpenRequestA
HttpSendRequestW
HttpSendRequestA
gathers the functions' argument values and spies on the user's Internet activity.
The hook procedure for the following functions:
FindFirstFileW
FindFirstFileA
FindNextFileW
FindNextFileA
filters the data returned through the functions' arguments and removes entries that contain the following strings:
ms**.exe
ms**32.dll
msmy.db
ms**
and in this way hides the worm's files on the hard disk.
The hook procedure for the following functions:
RegEnumKeyA
RegEnumKeyW
RegEnumKeyExA
RegEnumKeyExW
RegEnumValueA
RegEnumValueW
filters the data returned through the functions' arguments and removes entries that contain the following strings:
[HKLM\SOFTWARE\Microsoft\MSIT]
[HKCR\CLSID\<CLSID>]
and in this way hides the worm's registry keys from registry editors.
The hook procedure for the following function:
OpenProcess
hides the worm's process from Task Manager.
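The dropped files, the MSIT settings key, the ShellServiceObjectDelayLoad entry and the lure archives listed above can be matched against an artifact inventory. The following Python script is an added example, not code from this write-up or from any anti-virus vendor; it assumes that the "**" placeholders stand for exactly two random letters, runs over a constructed sample inventory, and uses placeholder CLSIDs. Because the worm hooks FindFirstFile/FindNextFile and RegEnumKey/RegEnumValue, a listing taken on the live infected host through those APIs would already have the worm's names filtered out, so the inventory should come from a disk image or an offline registry hive.

```python
"""Offline indicator matcher for the Worm.Win32.Feebs.gt artifacts listed above.

Added example; not code from the original write-up or from any vendor tool.
It runs over an inventory of file paths and registry entries exported from a
disk image or an offline registry hive.  Collect that inventory offline: on a
live infected host the worm's FindFirstFile/FindNextFile and
RegEnumKey/RegEnumValue hooks strip exactly the names this script looks for.
"""
from __future__ import annotations

import re
from typing import Iterable, Optional

# Assumption: the "**" in the write-up stands for exactly two random letters.
RAND = r"[A-Za-z]{2}"

# File sizes stated on the page for the worm EXE and the extracted DLL.
WORM_EXE_SIZE = 61616
WORM_DLL_SIZE = 60119

# (indicator, pattern, expected size).  The ms**.exe / ms**32.dll shapes are
# loose (a legitimate binary such as msdt.exe fits too), so a size match is
# what raises a hit from "review" to "high".
FILE_PATTERNS = [
    ("worm_exe", re.compile(rf"(?:^|[\\/])ms{RAND}\.exe$", re.I), WORM_EXE_SIZE),
    ("worm_dll", re.compile(rf"(?:^|[\\/])ms{RAND}32\.dll$", re.I), WORM_DLL_SIZE),
    ("dropped_dll", re.compile(r"^c:\\a$", re.I), WORM_DLL_SIZE),
    ("worm_db", re.compile(r"(?:^|[\\/])msmy\.db$", re.I), None),
    ("lure_zip", re.compile(r"_new!_full\+crack\.zip$", re.I), None),
]

# Registry indicators from the page: the settings key and the
# ShellServiceObjectDelayLoad value that names the worm DLL (persistence).
MSIT_KEY = re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\MSIT(?:\\|$)", re.I)
SSODL_KEY = re.compile(
    r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad$",
    re.I,
)
SSODL_VALUE = re.compile(rf"^ms{RAND}32\.dll$", re.I)


def match_files(inventory: Iterable[tuple[str, Optional[int]]]) -> list[tuple[str, str, str]]:
    """Return (indicator, confidence, path) for every path that fits a worm pattern.

    Confidence is "high" when no size is expected or the size matches the
    page's figure, and "review" when the name fits but the size does not.
    """
    hits = []
    for path, size in inventory:
        for indicator, pattern, expected_size in FILE_PATTERNS:
            if not pattern.search(path):
                continue
            confidence = "high" if expected_size in (None, size) else "review"
            hits.append((indicator, confidence, path))
            break
    return hits


def match_registry(entries: Iterable[tuple[str, str, str]]) -> list[tuple[str, str]]:
    """Entries are (key, value name, data).  Flags anything under the worm's
    MSIT settings key and any ShellServiceObjectDelayLoad value whose name
    looks like ms**32.dll."""
    hits = []
    for key, value_name, data in entries:
        if MSIT_KEY.match(key):
            hits.append(("msit_settings_key", f"{key}\\{value_name}".rstrip("\\")))
        elif SSODL_KEY.match(key) and SSODL_VALUE.match(value_name):
            hits.append(("ssodl_persistence", f"{key}\\{value_name} = {data}"))
    return hits


def scan(files, registry) -> dict[str, list]:
    """Run both matchers and return the hits grouped by artifact type."""
    return {"files": match_files(files), "registry": match_registry(registry)}


# Constructed sample inventory (not real forensic data); CLSIDs are placeholders.
SAMPLE_FILES = [
    (r"C:\WINDOWS\system32\msqk.exe", 61616),
    (r"C:\WINDOWS\system32\msqk32.dll", 60119),
    (r"C:\WINDOWS\system32\msdt.exe", 258048),  # legitimate name shape, other size
    (r"c:\a", 60119),
    (r"C:\WINDOWS\ime\shared\Kazaa_4_new!_full+crack.zip", None),
    (r"C:\WINDOWS\system32\msmy.db", None),
    (r"C:\WINDOWS\system32\kernel32.dll", 989184),
]
SAMPLE_REGISTRY = [
    (r"HKLM\SOFTWARE\Microsoft\MSIT", "cls", "{PLACEHOLDER-WORM-CLSID}"),
    (r"HKLM\SOFTWARE\Microsoft\MSIT\sdat", "", "<list of dropped archives>"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
     "msqk32.dll", "{PLACEHOLDER-WORM-CLSID}"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
     "WebCheck", "{PLACEHOLDER-UNRELATED-CLSID}"),
]

if __name__ == "__main__":
    for kind, hits in scan(SAMPLE_FILES, SAMPLE_REGISTRY).items():
        for hit in hits:
            print(kind, *hit)
```

The name patterns alone are deliberately treated as leads rather than verdicts: in the sample, msdt.exe fits the ms**.exe shape but not the stated size, so it is reported for review, while the copies that match both name and the sizes given on this page are reported as high confidence. A ShellServiceObjectDelayLoad value is flagged only when its name follows the ms**32.dll form, since other entries under that key are normal.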
Removal Instructions
- To remove this worm, use dedicated anti-virus software or consult anti-virus experts.