Aliases: Win32/Mocalo, W32/Kmax, Win32.HLLM.Graz, W32.Feebs, JS/Feebs
Variants: W32.Feebs.B@mm, JS_FEEBS.A.

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 07 Jan 2006
Damage: Medium

Characteristics: W32.Feebs is a worm that spreads itself through mass-mailing in the compromised computer’s file-sharing networks. It lowers the security settings on the compromised computer. This worm was first seen on December 22, 2005. Once it is executed, it creates certain registry entries so that it runs every time Windows starts. The worm spreads through email and P2P software or what is known as peer to peer sharing networks. It drops HTML application file. As it touches down the computer, it searches for C to Z drives and copies itself to folders containing the string "share", "upload" or "sharing”. This allows the worm to propagate using file sharing networks like Kazaa and imesh. It also attempts to kill security programs in the infected system. This also has backdoor abilities and it opens HTTP port 80. It allows hackers to upload and steal files from the infected computer. Using an FTP remote server, this worm may steal private information from the compromised computer.

More details about W32.Feebs

This worm may steal confidential email messages and/or usernames and passwords and sell them in the Internet. The worm uses different instant messaging platforms to send and drop a variant of this worm. It arrives as an email attachment with an HTA extension. It uses rootkit techniques to avoid detection. It also disables security related programs. You may see emails named as protect, secur, security and securmail which end at @yahoo.com, @gmail.com, @hotmail.com, @msn.com and @aol.com.Once executed, this worm drops a JavaScript that downloads a copy of the worm executable. All platforms of windows are vulnerable to this worm, may it be Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT and Windows XP.

This worm also searches for the folders containing the string share. When the worm is successful, it will add these following files on the compromised computer: ”3dsmax_9_(3D_Studio_Max)_new!_full+crack.zip,”Microsoft_Office_2006_new!_full+crack.zip,”ACDSee_9_new!_full+crack.zip,”Adobe_Premiere_9_(2.0_pro)_new!_full+crack.zip ,”Adobe_Photoshop_10_(CS3)_new!_full+crack.zip DivX_7.0_new!_full+crack.zip,“Ahead_Nero_8_new!_full+crack.zip ICQ_2006_new!_full+crack.zip.”Kazaa_4_new!_full+crack.zip,”Internet_Explorer_7_new!_full+crack.zip,”Longhorn_new!_full+crack.zip” and “winamp_5.2_new!_full+crack.zip.” It also adds an encoded file “userinit.exe.”