Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


Flea


Aliases:


Flea
FleaJS/Flea,VBS/Flea.A.Dropper, REG/Flea

Malware
Worm
JS, VBS

Summary

JS/Flea.A is a slow email worm that operates as a signature in an HTML formatted mail. To hide itself and to make analysis more difficult, Flea uses several encryption layers.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

F-Secure has received reports of this worm from Asia and Europe.


Variant:Flea.A, JS/Flea.A, VBS/Flea.A.Dropper, REG/Flea.A

Flea activates when an infected email message is opened. At this point, the worm connects to a web site in Spain (a private page under terra.es), and silently downloads and executes a JavaScript code available in a web site. This JavaScript code will download an another script written in Visual Basic Script and execute it. This code will contain the actual worm code.

The Visual Basic script code changes Internet Explorer settings so, that any URL entered into address bar without a specific protocol prefix (usually "http:" part in the beginning of the URL) will be directed into worm code, causing that the system will be reinfected.

The worm also attempts to add a number of buttons to Internet Explorer with labels "SEARCH", "ANTIVIRUS", "PILLS" and "SECURITY". Selecting any of these buttons will cause the worm to reinfect the system.

The worm drops two files into Windows installation directory, "c****" and "c****.htm" where **** is a number based on the current date. These first file contain the changes made to the registry and the second file contains the actual signature file used by the worm.

Finally the worm will alter the signature and stationary settings of both Outlook Express 5.x and 6.x. After this all email messages sent from an infected system will contain the hidden link to the worm code.



Detection

F-Secure Anti-Virus detects JS/Flea.A with the update released on October 21st, 2003:

Detection Type: PC
Database: 2003-10-21_02



Description Created: Mikko Hypponen, October 23h, 2003
Technical Details: Katrin Tocheva and Sami Rautiainen, October 23h, 2003



Submit a sample




Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)

Give And Get Advice




Give advice. Get advice. Share the knowledge on our free discussion forum.

Scan and clean your PC




F-Secure Online Scanner will scan and clean your PC in just a few minutes for free