New Feebs Variant In The Wild

Another new variant of JS_FEEBS is making the rounds on the Internet. It arrives as an email attachment with the filename message.zip, which contains an HTML file named “Secure E-mail File.hta”. The subject of the email is “Secure Message from HotMail.com user.”


It also attempts to access the following websites to download malicious files to the affected system. These files are encoded using Base64 and, when decoded, yield two distinct copies.



  • http://qnx.{blocked}.ru/d.php
  • http://ab.{blocked}.com/d.c
  • http://hzs.{blocked}.ru/d.c
  • http://users.{blocked}.net/xup/d.txt
  • http://zto.{blocked}.ru/m.txt

These two distinct copies are the worm components, which Trend detects as WORM_FEEBS.N. Once WORM_FEEBS.N has been downloaded and decoded, it is executed on the affected system, further compromising the victim’s machine.


Trend has given the detection name JS_FEEBS.M to the malicious HTML file “Secure E-mail File.hta”. The virus information and the solution for protecting yourself from this threat can be found in the Virus Encyclopedia.


JS_FEEBS.M’s Description
JS_FEEBS.M’s Solution
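
The delivery path described above (a message.zip attachment carrying an .hta file) can be checked at a mail gateway by looking inside zip attachments for script-type members. The following is an added example, not Trend's detection logic; the function names and the extension blocklist are assumptions, and the sample message is constructed with harmless placeholder content.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist: extensions Windows runs as scripts or HTML applications.
RISKY_EXTENSIONS = {".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf"}


def risky_zip_members(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (attachment name, member name) for risky files in zip attachments."""
    findings = []
    msg = message_from_bytes(raw_message, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        # Decide by content, not by the filename or MIME type the sender declared.
        if not zipfile.is_zipfile(io.BytesIO(payload)):
            continue
        attachment = part.get_filename() or ""
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as archive:
                for member in archive.namelist():
                    # Windows ignores trailing dots and spaces in file names.
                    name = member.lower().rstrip(". ")
                    if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
                        findings.append((attachment, member))
        except zipfile.BadZipFile:
            findings.append((attachment, "<unreadable archive>"))
    return findings


def build_sample(member_name: str) -> bytes:
    """Constructed message: names taken from the advisory, placeholder content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member_name, "<html>placeholder</html>")
    msg = EmailMessage()
    msg["Subject"] = "Secure Message from HotMail.com user."
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg.set_content("See attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="message.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(risky_zip_members(build_sample("Secure E-mail File.hta")))
    print(risky_zip_members(build_sample("notes.txt")))
```

A non-empty result is a reason to quarantine the message for review; an archive that cannot be read is reported rather than passed silently.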