Avast WEBforum
Other => Viruses and worms => Topic started by: FreewheelinFrank on April 04, 2006, 05:16:39 PM
-
Checking my junk mail today, I noticed this email:
Encrypted Mail System
Noticing it had a large attachment, and being in an idle mood, I checked if my ISP's AV had spotted it (presuming it was a virus) and it hadn't.
Downloading the file, I found neither avast! nor Ewido spotted it.
An online test confirmed it is malware.
The folder name is data.zip.
If the above email arrives in your inbox with the same attachment, watch out!
Of course, this confirms the need for a good spam filter, as this got diverted to my junk mail folder, and the importance of not opening attachments.
I've submitted the file to avast! and Ewido, and will see who adds it first!
-
Hi FwF,
This virus is a variant of Sober, like the W32.Sober.X@mm or W32/SOBER(X,Z), Win32.Sober W. The name of the sender is falsified; do not open attachments even if the mail seems to come from somebody known to you. The actual virus is located inside a zip-file that is sent through e-mail. Opening the attachment infects the computer. These zip-files are specially manipulated files with names like: email.zip, ebay.zip, reg_pass-zip, Ebay-User_RegC.zip, reg_pass_data.zip, mail.zip.mail_body.zip, mailtest.zip & download.zip.
For a removal tool for this new Sober variant:
http://vil.nai.com/vil/stinger/
polonus
-
10.00 Update: This file is now detected by Ewido.
This is the sort of speed avast! needs to achieve with additions to definitions of submitted files, IMHO.
-
This folder is now detected by my ISP AV (Norton) as W32.Feebs.
-
Still undetected by avast!
-
As Feebs is listed on the avast! home page as one of the latest threats, I'm somewhat disappointed by the result of this little experiment. :'(
(http://donaldbroatch.users.btopenworld.com/datazip.jpg)
-
Yes somewhat disappointing, however, since VirusTotal is still using version 4.6.695, I wonder how up to date the VPS is that they are using, unless the Update date relates to signature files?
-
Hello DavidR,
I do not know what the situation is right now, because yes, it is critical: both the damage potential and the distribution potential of this worm are mentioned as high. Propagation is both via email and peer2peer networks. The propagation technique is similar to that of WORM BAGLE; the vector this time is malicious JavaScript instead of a trojan dropper. The said JavaScript is detected as JS FEEBS.AF. It sends copies of the aforementioned script through its own smtp-engine, and also drops copies in ZIP archives with the string DOWNLOADS inside to other target systems in an affected peer2peer network.
The actual technical details for Arrival and Installation
This memory-resident worm arrives on an affected system as a file downloaded from the Internet by a malicious JavaScript, which Trend Micro detects as JS_FEEBS.AF. Upon execution, it drops the following files in the Windows system folder:
* Ms{two random characters} - copy of itself
* Ms{two random characters}.exe - copy of itself
* Ms{two random characters}32.dll - also detected as WORM_FEEBS.AF
This worm injects Ms{two random characters}32.dll into EXPLORER.EXE to hide its process. Once it successfully injects the said file, it then ensures its automatic execution at every system startup. It does the said actions by creating the following registry entries, respectively:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{random CLSID}\InprocServer32
@ = "%System%\Ms{two random characters}32.dll"
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Ms{two random characters}32.dll = "{random CLSID}"
Furthermore, it adds the following registry keys as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS{two random characters}\dat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS{two random characters}\sdat
For Propagation Routines
This worm employs a propagation technique similar to that used by certain WORM_BAGLE variants. Its difference lies in its usage of a malicious JavaScript instead of a Trojan to download copies of itself from a certain location onto the affected system. The said JavaScript is detected by Trend Micro as JS_FEEBS.AF. Once this worm executes, it sends out copies of JS_FEEBS.AF to target recipients via email using its own Simple Mail Transfer Protocol (SMTP) engine. Through this SMTP engine, it is able to easily send email messages even without using other mailing applications.
The said email message it sends out has the following details:
From: Id{random number} (appended with any of the following)
• @aol.com
• @gmail.com
• @hotmail.com
• @msn.com
• @yahoo.com
Subject: (any combination from the three sets listed below)
Set 1
• Encrypted
• Extended
• Protected
• Secure
Set 2
• E-mail
• Html
• Mail
• Message
Set 3
• {none}
• From {random domain name} user
• Service
• Service {random domain name}
• System
Message body:
Subject: happy new year
ID: {random}
Password: {random}
Message is attached.
Best Regards,
{Same name as the From field},
{Same domain name as the From field}
Attachment: (any of the following)
• data.zip
• mail.zip
• message.zip
• msg.zip
The attachment of the spammed email message contains an .HTA file, which is actually a copy of JS_FEEBS.AF. The name of the said .HTA file is any combination from the two sets listed below:
* Set 1
o Encrypted
o Extended
o Protected
o Secure
* Set 2
o E-mail
o Html
o Mail
o Message
This worm also drops any of the following .ZIP archives into folders containing the string DOWNLOADS:
* 3dsmax_9_(3D_Studio_Max)_new!_full+crack.zip
* ACDSee_9_new!_full+crack.zip
* Adobe_Photoshop_10_(CS3)_new!_full+crack.zip
* Adobe_Premiere_9_(2.0_pro)_new!_full+crack.zip
* Ahead_Nero_8_new!_full+crack.zip
* DivX_7.0_new!_full+crack.zip
* ICQ_2006_new!_full+crack.zip
* Internet_Explorer_7_new!_full+crack.zip
* Kazaa_4_new!_full+crack.zip
* Longhorn_new!_full+crack.zip
* Microsoft_Office_2006_new!_full+crack.zip
* winamp_5.2_new!_full+crack.zip
The abovementioned .ZIP archives contain the following files:
* webinstall.exe - copy of this worm
* {File name of the .ZIP file without the string _new!_full+crack}.txt - a non malicious text file
This worm is working under the assumption that folders with the said string are folders shared within peer-to-peer (P2P) networks. By dropping its copies on the said locations, it may extend its propagation reach to other target systems within the affected P2P network. Note that the file names used by this worm's dropped copies are like the names of popular applications, which may trick an affected user into thinking that the said files are not threats to the system.
Affected Platforms
This worm runs on Windows 98, ME, NT, 2000, XP, and Server 2003. The worm was detected by Trend Micro in January of this year.
polonus
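A triage check for the mail pattern laid out in the description above (Id{number} sender at one of the five domains, subject built from the three sets, the "Message is attached" body, and a data.zip/mail.zip/message.zip/msg.zip lure holding a Set1+Set2 .hta), written here as an added example in Python that is neither the forum's nor Trend Micro's code. The sample message is constructed, the .hta inside it is an inert placeholder, and the joiner between the two name sets of the .hta file is an assumption.

```python
import email, email.policy, email.utils, io, re, zipfile
from email.message import EmailMessage

# Indicator sets taken from the description above.
SET1, SET2 = "Encrypted|Extended|Protected|Secure", "E-mail|Html|Mail|Message"
SENDER_RE = re.compile(r"^Id\d+@(aol|gmail|hotmail|msn|yahoo)\.com$", re.I)
SUBJECT_RE = re.compile(rf"^({SET1}) ({SET2})( From \S+ user| Service( \S+)?| System)?$", re.I)
HTA_RE = re.compile(rf"^({SET1})[ _]?({SET2})\.hta$", re.I)  # the [ _]? joiner is an assumption
ZIP_NAMES = {"data.zip", "mail.zip", "message.zip", "msg.zip"}

def hta_members(blob):
    """Names of .hta members matching the Set1+Set2 pattern; [] if blob is not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [n for n in zf.namelist() if HTA_RE.match(n)]
    except zipfile.BadZipFile:
        return []

def triage(raw):
    """Check one raw RFC 822 message against each described indicator."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    sender = email.utils.parseaddr(msg.get("From", ""))[1]
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    hits = {
        "sender": bool(SENDER_RE.match(sender)),
        "subject": bool(SUBJECT_RE.match((msg.get("Subject") or "").strip())),
        "body": "Message is attached" in body and "Password:" in body,
        "hta": [],
    }
    for part in msg.iter_attachments():  # only the named lure archives are opened
        if (part.get_filename() or "").lower() in ZIP_NAMES:
            hits["hta"] += hta_members(part.get_content())
    return hits

def is_feebs_like(raw):
    """Verdict: lure archive with a matching .hta plus at least two other indicators."""
    h = triage(raw)
    return bool(h["hta"]) and sum((h["sender"], h["subject"], h["body"])) >= 2

def build_sample():
    """Constructed message following the description; the .hta is an inert placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Encrypted Mail.hta", "<!-- constructed placeholder, no script -->")
    msg = EmailMessage()
    msg["From"] = "Id41258@hotmail.com"  # constructed, follows the Id{number} pattern
    msg["Subject"] = "Encrypted Mail System"
    msg.set_content("Subject: happy new year\nID: 7719\nPassword: 3082\nMessage is attached.\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="data.zip")
    return msg.as_bytes()
```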
-
Well I have just done a search for FEEBS in the avast virus database and it returns 60 hits, the last 4 being feebs-dll-gen, feebs-gen, feebs-gen3 and feebs-gen3.
So it looks like some generic detections are also being thrown into the mix, these gen signatures being added on 20/04/2006
-
Avast's generic detection on FEEBs variants isn't the best yet ...
I have over two dozen which are undetected so far by avast ... (all of which I sent to Alwil already in the past)
-
Hi Dwarden,
Well there is something going on like with the MyTob family of viruses, Feebs at that time had over 30 variants, read what idefense had to say regarding the Feebs family:
http://www.idefense.com/intelligence/maliciouscode/display.php?id=396
Variants change every fortnight, and are re-packed:
http://www.virusbuster.hu/en/viruslab/descriptions/polyhtml.d
Actually all the feebs variants are cleverly obfuscated JavaScript
using VBScript on the bits and pieces; how it was done you can read in detail here (I did not put a direct link here, google for it) at: (asert.arbornetworks.com/feed/+feebs+variants)
polonus
P.S. Funny we see a resurfacing of the polymorphic viruses, or have they ever been away?
-
there are at least 40 feebs variants and each is repacked in over a dozen executable packers etc ...
so yes, they're a pain in the ass ...
-
I tried out antivir while avast was throwing its recent wobbly and it picked up my Feebs sample with only a Feebs/gen definition.
-
there are at least 40 feebs variants and each is repacked in over a dozen executable packers etc ...
Well, with 60 avast signatures, 4 of those generic for feebs variants, plus the couple of dozen (that avast doesn't catch) that you have, that is at the very least 84, not counting the variants that the gen signatures do catch.
So they are quickly replicating variants, as you say a pain in the rear.
-
Hi DavidR and also very interesting for FwF,
Go to this link: http://asert.arbornetworks.com/?s=feebs+variants&x=0&y=0
Here you can read how the feebs variants are being constructed.
Again here we must thank the developer of NoScript in the Mozilla type of browser. A deadly concoction here of malicious JavaScript and VB. Here is a particular Feebs variant signature for ClamWin:
JS.Feebs-C.variant-ec:3:*:756e6573636170652822(253636|66)(253735|75)(253645|6e)(253633|63
So like this there must be a couple of dozen more.
polonus
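How the ClamAV signature quoted above does its job, as an added example written here (not ClamAV's own matcher and not from the forum): an .ndb line is Name:TargetType:Offset:HexBody, where target type 3 means the signature is applied to HTML files and * means any offset, and this body decodes to the literal bytes `unescape("` followed by alternation groups that accept each following letter either as plain text or as its URL-escaped form. The block translates the visible part of the signature into a Python regex (the quoted line is cut off mid-group, so only its complete groups are used) and runs it over constructed snippets.

```python
import re

# The signature as quoted above, up to its last complete alternation group (the post is cut off).
SIG = "JS.Feebs-C.variant-ec:3:*:756e6573636170652822(253636|66)(253735|75)(253645|6e)"

# One token of an ndb hex body: (aa|bb) alternation, ?? single-byte wildcard, * gap, or a literal byte.
TOKEN = re.compile(r"\(([0-9a-fA-F|]+)\)|\?\?|\*|([0-9a-fA-F]{2})")

def hexsig_to_regex(body):
    """Translate an ndb hex body into a compiled bytes regex (subset: literals, ??, *, alternation)."""
    out, pos = [], 0
    for m in TOKEN.finditer(body):
        if m.start() != pos:
            raise ValueError(f"unsupported syntax at offset {pos}: {body[pos:]!r}")
        pos = m.end()
        if m.group(1):                       # (a|b|c): each branch is a literal byte string
            branches = [re.escape(bytes.fromhex(alt)) for alt in m.group(1).split("|")]
            out.append(b"(?:" + b"|".join(branches) + b")")
        elif m.group(2):                     # two hex digits: one literal byte
            out.append(re.escape(bytes.fromhex(m.group(2))))
        elif m.group(0) == "??":             # any single byte
            out.append(b".")
        else:                                # '*': any number of bytes
            out.append(b".*?")
    if pos != len(body):
        raise ValueError(f"trailing garbage: {body[pos:]!r}")
    return re.compile(b"".join(out), re.S)

def parse_ndb(line):
    """Split Name:TargetType:Offset:HexBody (target 3 = HTML, offset * = anywhere)."""
    name, target, offset, body = line.split(":", 3)
    return {"name": name, "target": int(target), "offset": offset, "regex": hexsig_to_regex(body)}

def literal_prefix(line):
    """The fixed bytes the signature starts with, decoded for a human reader."""
    body = line.split(":", 3)[3]
    return bytes.fromhex(body.split("(", 1)[0])

def matches(line, data):
    """True if the signature would fire on data (a file's bytes)."""
    return parse_ndb(line)["regex"].search(data) is not None
```

Each alternation pairs a URL-escaped byte with its plain letter, which is why one signature covers both the escaped and the unescaped spelling of the same script fragment.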
-
Yes very interesting.
-
Got a new variant in my mailbox today. Symantec missed it again. Antivir and AVG's generic definitions picked it up but avast! missed it.
(http://donaldbroatch.users.btopenworld.com/feebs.jpg)
-
Got a new variant in my mailbox today. Symantec missed it again. Antivir and AVG's generic definitions picked it up but avast! missed it.
Will I see the day that NOD32 and Kaspersky do not detect a malware? ;D
-
Well, I got another new variant (not a subvariant) yesterday ... oh well :)
-
I think I was wrong to call the file I got a new variant: rather each HTML file sent out is different because this is a polymorphic worm.
In another thread we read that avast! has successfully identified the polymorphic virus Polipos: a generic detection of this worm (which Antivir and AVG manage) is needed.
No rest for the virus analyst!!
-
Well, Ewido added this sample after 24 hours. If it is a polymorphic worm and every sample is different, then adding a definition for every sample submitted rather than developing a generic definition may not be particularly effective in preventing infection, but it is impressive that they can respond so quickly...
-
and another two variants EG and GM ...
and you know what sucks: Antivir, with its last database update of 20.4.2006, is able to detect most of them,
yet avast! is not, oh well :(
-
Igor did some good work in detecting the polymorphic virus Polipos:
http://forum.avast.com/index.php?topic=20859.0
But at the moment both Antivir and AVG's generic detections are managing to catch Feebs, and avast! is not doing so well.
-
Today's 0619-2 added some Feebs variants and was able to detect 3 from my list ...
yet there are still 4 variants (28 different files) undetected ...
-
avast! is now on a par with CAT-QuickHeal, F-Prot and UNA:
(http://donaldbroatch.users.btopenworld.com/datazip2.jpg)
What happened guys? ??? :'(
-
Still undetected. :-[
Should I send this again? ???
(http://donaldbroatch.users.btopenworld.com/feebs2.jpg)
-
Still undetected. :-[
Should I send this again? ???
Frank... you know this won't be necessary.
I wish they take your sample in account and improve detection :-X
-
Well, I've just sent the original Feebs plus the later variant (which also remains undetected) again. I hope avast! can add them, or preferably improve its generic detection, because it seems to be way behind almost every other AV.
-
Well, 10 months now, and still not detected. Is this a record?
The only change is that AntiVir no longer detects this file. Weird!
-
Finally got a detection today for one of these files:
(http://donaldbroatch.users.btopenworld.com/feedsdetected.png)
However, the other file is still missed.
I'll try submitting it through the chest and see if we can better 10 months before detection this way. :P
-
Hmmm... is this an occasion to celebrate or to be worried about?
-
It does also make one wonder how avast! passes the VB100% test - which claims to test the ability of antivirus software to detect in-the-wild viruses - so frequently, especially when avast! failed to detect a spreading virus for as long as 10 months.