New Feebs Variant In The Wild

Another new variant of JS_FEEBS is making the rounds on the
internet. It arrives as an email attachment with the filename
message.zip, which contains an HTML file named “Secure E-mail
File.hta”. The subject of the email is “Secure Message from
HotMail.com user.”.
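
A mail-gateway style check for the delivery pattern described above (a
zip attachment carrying an .hta file), as an added example that is not
Trend's code. The function names are hypothetical and the sample message
is constructed with an inert placeholder file.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions to flag inside archives; .hta is the one this post describes.
RISKY_EXTENSIONS = (".hta",)


def risky_zip_members(raw_email: bytes):
    """Return (subject, [(attachment, member), ...]) for risky files in zip attachments."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Identify archives by content, not by the declared name or MIME type.
        if not zipfile.is_zipfile(io.BytesIO(payload)):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    # Ignore trailing dots/spaces, which Windows drops from names.
                    if info.filename.lower().rstrip(". ").endswith(RISKY_EXTENSIONS):
                        hits.append((name, info.filename))
        except zipfile.BadZipFile:
            hits.append((name, "<unreadable zip>"))
    return str(msg["Subject"] or ""), hits


def build_sample() -> bytes:
    """Constructed sample: a harmless placeholder .hta inside message.zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Secure E-mail File.hta", "<html><!-- inert placeholder --></html>")
    msg = EmailMessage()
    msg["Subject"] = "Secure Message from HotMail.com user."
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg.set_content("constructed test body")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="message.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(risky_zip_members(build_sample()))
```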

The variant also attempts to access the following web sites to
download malicious files to the affected system. These files are
base64-encoded (b64) and, when decoded, yield two distinct
copies.

  • http://qnx.{blocked}.ru/d.php
  • http://ab.{blocked}.com/d.c
  • http://hzs.{blocked}.ru/d.c
  • http://users.{blocked}.net/xup/d.txt
  • http://zto.{blocked}.ru/m.txt

These two distinct copies are the worm components, which Trend
detects as WORM_FEEBS.N. Once WORM_FEEBS.N has been downloaded and
decoded, it is executed on the affected system, further
compromising the victim’s machine.

Trend has given the detection name JS_FEEBS.M to the malicious
HTML file, “Secure E-mail File.hta”. The virus information and the
solution to protect yourself from this threat can be found in the
Virus Encyclopedia.

JS_FEEBS.M Description
JS_FEEBS.M Solution