Threat Description

Fortnight

Details

Aliases: Fortnight
Category: Malware
Type: Worm
Platform: W32

Summary



JS/Fortnight is a slow mass mailer written in JavaScript that spreads in HTML-formatted email messages.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details



The infected email message contains a hidden link to a web page that holds the actual worm code. When the user opens the message, the link is activated through an invisible IFRAME.

The code on the web page activates by using the Microsoft VM ActiveX vulnerability. This vulnerability has been fixed, and a patch is available from Microsoft:

http://www.microsoft.com/technet/security/bulletin/ms00-075.asp

The code uses the cookie "TF" as an infection marker. If the cookie is not present, the worm changes the browser's start page, via the registry, to an adult web site.

Next the worm replaces the default Outlook Express 5.0 signature with the file "C:\Program Files\sign.htm". This file contains the hidden IFRAME that activates the link silently. After this, all messages sent by the user with Outlook Express contain the hidden link to the malicious web page.

The worm then adds three links to the Favorites folder, as follows:

  • SEXXX. Totaly Teen
  • Make BIG Money
  • 6544 Search Engines Submission

Finally, the worm sets two cookies, "TF" and "RF". The first expires after 14 days and the second after one day. The web page from which JS/Fortnight.A@m was served has already been closed, which means this variant can no longer infect.

Fortnight.B

Like JS/Fortnight.A, messages infected by JS/Fortnight.B contain a hidden IFRAME pointing to a web site that redirects to a page containing the worm code, which executes using the Microsoft VM ActiveX vulnerability.

When executed, the worm creates a file "s.htm" in the Windows installation directory and alters the Outlook Express 5.0 signature settings so that every message sent by the user contains the IFRAME link.

The worm also creates a file "hosts" in the Windows installation directory, which begins with the following comment lines:

# Copyright (c) 1998 Microsoft Corp.
#
# end of file.

On Windows 95, 98 and ME, this file causes connections to certain web sites to be redirected to one of the two IP addresses set by the worm instead of their real addresses.

Fortnight.C

When a user opens or views an infected email, the invisible frame embedded in the message is activated. This causes the browser to connect to a web site that contains a small piece of JavaScript, which in turn downloads and activates the Java applet ("a.jar") containing the worm code.

When the .JAR file is executed, it uses the Microsoft Internet Explorer VerifierBug vulnerability to escape the Java security sandbox, gain full privileges and execute its code. The JAR file then alters the Internet Explorer search settings and adds three pages to the Favorites folder. Further information about this vulnerability in the Microsoft Java VM, including a fix, is available at: http://www.microsoft.com/technet/security/bulletin/ms03-011.asp

Furthermore, the worm disables the Security and Advanced tabs of the Internet Explorer settings dialog.

The .JAR then drops two files, "hosts" and "s.htm", into the Windows installation directory. It modifies the registry so that Outlook Express uses "s.htm" as the default signature. The "hosts" file contains a set of domain names that are redirected to a different web site instead of their real addresses; the redirection works only on Windows 95, 98 and ME. The "hosts" file has to be removed manually from the infected system.
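As an added example, not part of the F-Secure write-up, here is a Python triage script for the two artifacts described for Fortnight.B and Fortnight.C: it flags a "hosts" file that carries the worm's comment header or maps domain names away from loopback, and an Outlook Express signature file that contains an invisible IFRAME loading a remote page. The sample hosts file and signature are constructed with reserved test addresses and .invalid names, since the worm's real domains and IPs are not given on this page.

```python
import re
from ipaddress import ip_address

# Comment header the worm writes at the top of its "hosts" file (quoted in the write-up).
FORTNIGHT_HOSTS_HEADER = ("# Copyright (c) 1998 Microsoft Corp.", "#", "# end of file.")

def hosts_redirects(hosts_text):
    """Return (marker_seen, [(ip, hostname), ...]) for entries that map a name away from loopback."""
    lines = [ln.strip() for ln in hosts_text.splitlines()]
    comments = [ln for ln in lines if ln.startswith("#")]
    marker_seen = tuple(comments[:3]) == FORTNIGHT_HOSTS_HEADER
    entries = []
    for ln in lines:
        fields = ln.split("#", 1)[0].split()  # drop comments; empty list for comment-only lines
        try:
            ip = ip_address(fields[0]) if fields else None
        except ValueError:
            continue  # malformed line, not a host entry
        if ip is not None and not ip.is_loopback:
            entries.extend((str(ip), name.lower()) for name in fields[1:])
    return marker_seen, entries

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

def hidden_iframes(html):
    """Return the src of each IFRAME that loads a remote URL while sized to zero or hidden by style."""
    found = []
    for tag in IFRAME_RE.findall(html):
        attrs = {m.group(1).lower(): m.group(2) or m.group(3) or m.group(4) or ""
                 for m in ATTR_RE.finditer(tag)}
        zero = any(re.fullmatch(r"0+(px)?", attrs.get(k, "1").strip()) for k in ("width", "height"))
        style = attrs.get("style", "").replace(" ", "").lower()
        hidden = "visibility:hidden" in style or "display:none" in style
        src = attrs.get("src", "")
        if src.lower().startswith(("http://", "https://")) and (zero or hidden):
            found.append(src)
    return found

# Constructed samples: the worm's real domains and IPs are not given in the write-up.
SAMPLE_HOSTS = """# Copyright (c) 1998 Microsoft Corp.
#
# end of file.
127.0.0.1 localhost
192.0.2.10 www.search-portal.invalid   # RFC 5737 test address
"""
SAMPLE_SIGNATURE = '<HTML><BODY><IFRAME src="http://payload.invalid/" width=0 height=0></IFRAME></BODY></HTML>'
```

Either indicator on its own is enough to warrant cleaning the system: a genuine Windows hosts file never starts with the three-line header above, and a signature file has no reason to embed a zero-sized remote frame.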

Additionally, the changes to the Internet Explorer settings cause web sites accessed via Internet Explorer without an explicit protocol (http://) to be redirected to another web site, which then redirects the browser to the correct address.

Fortnight.D

This variant is functionally similar to Fortnight.C.

In Fortnight.D, the Outlook Express signature file "s.htm" is an encoded script. When the script is executed, the browser connects to the web site, causing the download and execution of the Java applet, which has been renamed to "c.jar".

Additionally, this variant adds five buttons to the Internet Explorer toolbar and creates an empty "hosts" file. Further information about the vulnerability in the Microsoft Java VM, including a fix, is available at: http://www.microsoft.com/technet/security/bulletin/ms03-011.asp


Detection


F-Secure Anti-Virus detects JS/Fortnight as Exploit.Applet.ActiveXComponent

