F-Secure Virus Information Pages : Feebs


Name: Feebs
Alias: W32/Kmax, W32.Feebs, Worm.Win32.Feebs.gen
Category: Virus
Platform: Win32

Summary

Feebs is a family of worms that spread using e-mail or P2P networks. Feebs usually arrives as an HTML application file (HTA) that installs the worm on the infected system. Feebs hides itself using rootkit techniques.

Disinfection

Disinfection Utility

F-Secure Corporation provides a special disinfection utility to clean a Feebs infection from a computer. This disinfection utility is called F-Force and it can be downloaded from our web and FTP sites:

ftp://ftp.f-secure.com/anti-virus/tools/f-force.zip
http://www.f-secure.com/tools/f-force.zip

The utility is distributed only in a ZIP archive that contains the following files:

  • f-force.exe - the main executable file
  • eult.rtf - End User License Terms document
  • readme.rtf - Readme file in RTF format
  • readme.txt - Readme file in ASCII format

To unpack the archive, please use WinZip or a similar archiver.

IMPORTANT! Please make sure that you read the End User License Terms document (Eult.rtf) and the Readme file (either Readme.txt or Readme.rtf) before using the F-Force utility!

The F-Force utility needs the archive with the latest updates in order to function properly. The archive's name is LATEST.ZIP and it should be downloaded and put into the same folder as the F-Force utility. This archive with the latest updates can be downloaded from these locations:

http://download.f-secure.com/latest/latest.zip
ftp://ftp.f-secure.com/anti-virus/updates/latest/latest.zip

Please note that the F-Force utility can disinfect only certain malicious programs. Besides that, the utility does not scan inside archives. So after cleaning a computer with the F-Force utility, it is recommended to scan all hard drives with F-Secure Anti-Virus and the latest updates to make sure that no infected files remain there.

A trial version of F-Secure Anti-Virus and the latest updates can be downloaded from F-Secure's website:

http://www.f-secure.com/download-purchase/list.shtml
http://www.f-secure.com/download-purchase/updates.shtml




Detailed Description

System installation

When the HTML application file (HTA) is opened, it drops the worm's main executable file as 'C:\Command.exe' and executes it. The EXE file drops a file with a single-letter name ('a'-'z') on the C drive and activates it. That file is the worm's main DLL component. When active, it creates the following files:

%System%\ms[random]32.dll
%System%\ms[random]32.exe


The main DLL component also creates the following registry values to make sure the worm is activated at system startup:

[HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"%System%\ms[random]32.dll" = "{[random CLSID]}"

[HKLM\CLSID\{[random CLSID]}\InprocServer32]
"(default)" = "%System%\ms[random]32.dll"
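The persistence pattern above (a ShellServiceObjectDelayLoad value whose name is the DLL path and whose CLSID's InprocServer32 points at %System%\ms[random]32.dll) can be hunted for in an exported registry hive. The following Python triage script is an added example, not code from the F-Secure write-up; it parses a constructed `reg export` sample with made-up CLSIDs and flags entries matching that pattern.

```python
import re

# Constructed sample of a `reg export` (.reg) file, not data from a real host: one ordinary
# ShellServiceObjectDelayLoad entry and one Feebs-style entry; both CLSIDs are made-up placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{11111111-2222-3333-4444-555555555555}"
"C:\\WINDOWS\\system32\\msqx32.dll"="{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\WINDOWS\\system32\\webcheck.dll"
[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\WINDOWS\\system32\\msqx32.dll"
'''

SSODL_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
SECTION_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')
# Feebs names its dropped components %System%\ms[random]32.dll / .exe
FEEBS_DLL_RE = re.compile(r'\\system32\\ms[a-z0-9]+32\.dll$', re.IGNORECASE)

def _unescape(s):
    return s.replace('\\\\', '\\').replace('\\"', '"')

def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: data}} (default value stored under '')."""
    keys, current = {}, None
    for line in text.splitlines():
        if (m := SECTION_RE.match(line.strip())):
            current = keys.setdefault(m.group(1), {})
        elif (m := VALUE_RE.match(line.strip())) and current is not None:
            name = _unescape(m.group(1) or '')
            data = m.group(2)
            if len(data) > 1 and data[0] == data[-1] == '"':
                data = _unescape(data[1:-1])
            current[name] = data
    return keys

def find_suspicious_ssodl(keys):
    """Return (value_name, clsid, dll, reasons) for SSODL entries matching the Feebs pattern."""
    findings = []
    for name, clsid in keys.get(SSODL_KEY, {}).items():
        dll = keys.get('HKEY_CLASSES_ROOT\\CLSID\\' + clsid + '\\InprocServer32', {}).get('', '')
        reasons = []
        if name.lower().endswith('.dll'):  # legitimate entries use short names, not file paths
            reasons.append('value name is a DLL path')
        if FEEBS_DLL_RE.search(dll) or FEEBS_DLL_RE.search(name):
            reasons.append('DLL matches %System%\\ms[random]32.dll pattern')
        if reasons:
            findings.append((name, clsid, dll, reasons))
    return findings
```

On a real triage, feed it the output of `reg export` for the two keys above instead of SAMPLE_REG and confirm any hit against the DLL on disk before acting on it.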


Spreading

Feebs can spread by sending e-mail attachments containing the HTA dropper. A highly polymorphic HTA file is generated each time the worm sends it. Feebs can also copy itself to shared folders used by some P2P applications.


Payload


Feebs starts an HTTP server listening on port 80 to serve infected HTA files. The worm also starts a server on a random port, which allows the attacker to control the infected system. The random port is reported back to the attacker using ICQ and HTTP. Feebs also tries to disable several security-related applications.


Rootkit functionality

Feebs can hide its files, registry keys and network connections by utilizing rootkit techniques. The worm's main DLL component is injected into all running processes and used to hook system library functions.




Write-up: Jarkko Turkulainen

Technical Details: Jarkko Turkulainen, January 12, 2006

Description Updated: Alexey Podrezov, February 1, 2006

F-Secure Corporation