The infected e-mail message contains a hidden link to a web page that holds the actual worm code. When the user opens the message, the link is activated through an invisible IFRAME.
The code on the web page runs by exploiting the Microsoft VM ActiveX vulnerability. This vulnerability has been fixed, and a patch is available from Microsoft.
The code uses the cookie "TF" as an infection marker. If the cookie is not present, the worm changes the browser's start page, via the registry, to an adult web site.
Next, the worm replaces the default Outlook Express 5.0 signature with the file "C:\Program Files\sign.htm". This file contains the hidden IFRAME that activates the link silently. After this, every message the user sends with Outlook Express contains the hidden link to the malicious web
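The signature-file trick above relies on an IFRAME that the recipient never sees. The following added example (not code from F-Secure or from the worm) shows one way a defender can scan an HTML signature for frames that are sized to zero, hidden by style, or pointed at a remote site. The sample signature, the host name malicious.example and the function names are constructed for the example.

```python
"""Scan an Outlook Express HTML signature file for hidden IFRAMEs.

Added example, not F-Secure code. The sample signature below is constructed;
the worm's real sign.htm / s.htm content is not reproduced here.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collects every <iframe> start tag together with its attributes."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_zero(value):
    """True for width/height values such as "0", "0px" or "0%"."""
    v = value.strip().lower().rstrip("%")
    if v.endswith("px"):
        v = v[:-2]
    try:
        return float(v) == 0
    except ValueError:
        return False


def hidden_iframes(html_text):
    """Return a list of (src, reasons) for iframes that are hidden or remote."""
    parser = IframeCollector()
    parser.feed(html_text)
    findings = []
    for attrs in parser.iframes:
        reasons = []
        if _is_zero(attrs.get("width", "")) or _is_zero(attrs.get("height", "")):
            reasons.append("zero size")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        src = attrs.get("src", "")
        if urlparse(src).scheme in ("http", "https"):
            reasons.append("remote src")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: a harmless-looking signature carrying a zero-size remote frame.
SAMPLE_SIGNATURE = """
<html><body>
<p>Regards,<br>Example User</p>
<iframe src="http://malicious.example/page.htm" width=0 height=0></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in hidden_iframes(SAMPLE_SIGNATURE):
        print(f"suspicious iframe {src!r}: {', '.join(reasons)}")
```

A visible frame with a relative source produces no finding, so the check can be run over every signature file on a machine without flagging ordinary HTML signatures.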
The worm then adds three links to the Favorites folder, as follows:
- SEXXX. Totaly Teen
- Make BIG Money
- 6544 Search Engines Submission
Finally, the worm sets two cookies, "TF" and "RF". The first expires after 14 days and the second after one day. The web page from which JS/Fortnight.A@m was served has already been closed, which means this variant can no longer infect.
F-Secure Anti-Virus detects JS/Fortnight as Exploit.Applet.ActiveXComponent.
Like JS/Fortnight.A, JS/Fortnight.B-infected messages contain a hidden IFRAME to a web site that redirects to a page containing the worm code, which executes using the Microsoft VM ActiveX vulnerability.
When executed, the worm creates the file "s.htm" in the Windows installation directory and alters the signature settings of Outlook Express 5.0 so that every message sent by the user contains the IFRAME link.
The worm also creates a file named "hosts" in the Windows installation directory, which begins with the following comment lines:
# Copyright (c) 1998 Microsoft Corp.
# end of file.
On Windows 95, 98 and ME, this file causes connections to certain web sites to be redirected to one of the two IP addresses set by the worm instead of their real addresses.
When the .JAR file is executed, it uses the Microsoft Internet Explorer VerifierBug vulnerability to escape the Java security restrictions, gain full privileges and execute its code. The JAR file then alters the Internet Explorer search settings and adds three pages to the Favorites folder.
Furthermore, the worm disables Internet Explorer's Security and Advanced tabs in the settings dialog.
The .JAR then drops two files, "hosts" and "s.htm", into the Windows installation directory. It modifies the registry so that Outlook Express uses the "s.htm" file as the default signature. The "hosts" file contains a set of domain names that are redirected to a different web site instead of their real addresses. The redirection works only on Windows 95, 98 and ME. The "hosts" file has to be removed manually from the infected system.
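Both the B and C variants drop a "hosts" file that points a set of domain names at one of two attacker-chosen addresses. The following added example (not F-Secure code) parses a hosts file and reports any non-loopback address that several host names resolve to, which is the shape of this hijack; the sample file, the .example host names and the RFC 5737 test addresses are constructed, and the threshold `min_names` is an assumption to tune per environment.

```python
"""Flag hosts-file entries that redirect many names to a few non-loopback IPs.

Added example (not F-Secure code): the worm variants described above drop a
"hosts" file that points a set of domain names at one of two attacker-chosen
IP addresses. The sample file, host names and IPs below are constructed.
"""
import ipaddress
from collections import defaultdict


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def suspicious_redirects(text, min_names=3):
    """Return {ip: [names]} for non-loopback IPs that several host names map to.

    Loopback (127.x / ::1) mappings are the normal content of a hosts file and
    are ignored; lines whose first field is not an IP address are skipped too.
    """
    by_ip = defaultdict(list)
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if addr.is_loopback:
            continue
        by_ip[ip].append(name)
    return {ip: names for ip, names in by_ip.items() if len(names) >= min_names}


# Constructed sample in the shape the description gives: a two-line comment
# header followed by many names pointing at two addresses (RFC 5737 TEST-NET).
SAMPLE_HOSTS = """\
# Copyright (c) 1998 Microsoft Corp.
# end of file.
127.0.0.1       localhost
192.0.2.10      search.example   www.search.example
192.0.2.10      portal.example   news.example
198.51.100.7    shop.example   bank.example   mail.example
"""

if __name__ == "__main__":
    for ip, names in suspicious_redirects(SAMPLE_HOSTS).items():
        print(f"{ip} hijacks {len(names)} names: {', '.join(names)}")
```

Run it over the hosts file from the Windows installation directory of a suspect machine; a clean file normally contains only loopback entries and yields an empty result.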
Additionally, the changes to the Internet Explorer settings cause web sites accessed via Internet Explorer without specifying the protocol (http://) to be redirected to another web site, which then redirects the browser to the correct address.
This variant is functionally similar to Fortnight.C.
In Fortnight.D, the Outlook Express signature file "s.htm" is an encoded script. When the script executes, the browser connects to the web site, causing the download and execution of the Java applet, which has been renamed "c.jar".
Additionally, this variant adds five buttons to the Internet Explorer toolbar and creates an empty "hosts" file.