JS/Flea.A is a slow email worm that spreads as a signature embedded in HTML
formatted mail. To hide itself and to make analysis more difficult, Flea
uses several encryption layers.
F-Secure has received reports of this worm from Asia and Europe.
Flea activates when an infected email message is opened. At this point, the
worm connects to a web site in Spain (a private page under terra.es) and
silently downloads and executes JavaScript code hosted on that site. This
JavaScript code downloads another script, written in Visual Basic Script, and
executes it. That script contains the actual worm code.
The Visual Basic Script code changes Internet Explorer settings so that any
URL entered into the address bar without an explicit protocol prefix (normally
the "http:" part at the beginning of the URL) is redirected to the worm code,
reinfecting the system.
The worm also attempts to add a number of buttons to Internet Explorer with
the labels "SEARCH", "ANTIVIRUS", "PILLS" and "SECURITY". Selecting any of
these buttons causes the worm to reinfect the system.
The worm drops two files into the Windows installation directory, "c****" and
"c****.htm", where **** is a number based on the current date. The first
file contains the changes the worm makes to the registry and the second file
contains the actual signature file used by the worm.
Finally, the worm alters the signature and stationery settings of both
Outlook Express 5.x and 6.x. After this, all email messages sent from an
infected system contain the hidden link to the worm code.
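The infection vector described above is an HTML signature that quietly pulls active content from a remote host when the message is rendered. The following script is an added example, not F-Secure's detection logic or any code from the worm: it parses a MIME message, extracts the HTML parts and reports any script, iframe, embed or object tag whose source is a remote URL, which is the kind of mail-gateway check that would surface a signature like Flea's. The sample message and the host name "remote-host.invalid" are constructed for the example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not taken from the page): an HTML mail whose
# signature block loads a script from a remote host. The host name is a
# placeholder, not the site the worm actually used.
SAMPLE_MAIL = b"""From: alice@example.invalid
To: bob@example.invalid
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Hi Bob, see you tomorrow.

--b1
Content-Type: text/html; charset=us-ascii

<html><body><p>Hi Bob, see you tomorrow.</p>
<div class="signature">-- Alice
<script language="JavaScript" src="http://remote-host.invalid/sig.js"></script>
</div></body></html>
--b1--
"""

# Tags that fetch active content, and the attribute carrying the URL.
REMOTE_LOADERS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}
REMOTE_SCHEMES = ("http", "https", "ftp")


class RemoteContentFinder(HTMLParser):
    """Collects tags that pull executable or active content from a remote host."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = REMOTE_LOADERS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            # Only absolute remote URLs count; inline scripts are a separate concern.
            if name == attr and value and urlparse(value).scheme in REMOTE_SCHEMES:
                self.findings.append((tag, value))


def html_parts(raw):
    """Yield the decoded text of every text/html part in a raw RFC 2822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()


def scan_mail(raw):
    """Return a list of (tag, url) pairs for remote active content in the mail."""
    findings = []
    for body in html_parts(raw):
        finder = RemoteContentFinder()
        finder.feed(body)
        findings.extend(finder.findings)
    return findings


if __name__ == "__main__":
    for tag, url in scan_mail(SAMPLE_MAIL):
        print(f"remote active content in HTML part: <{tag}> -> {url}")
```

A gateway would normally quarantine or strip the offending part rather than just report it; the scan deliberately ignores ordinary hyperlinks, since a plain `<a href>` in a signature is legitimate and flagging it would drown the useful findings in noise.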
Detection
F-Secure Anti-Virus detects JS/Flea.A with the update released on
October 21st, 2003: