JS/Flea.A is a slow email worm that operates as a signature in an HTML formatted mail. To hide itself and to make analysis more difficult, Flea uses several encryption layers.
Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.
Find the latest advice in our Community Knowledge Base.
See the manual for your F-Secure product on the Help Center.
Submit a file or URL for further analysis.
F-Secure has received reports of this worm from Asia and Europe.
Variant:Flea.A, JS/Flea.A, VBS/Flea.A.Dropper, REG/Flea.A
The Visual Basic script code changes Internet Explorer settings so, that any URL entered into address bar without a specific protocol prefix (usually "http:" part in the beginning of the URL) will be directed into worm code, causing that the system will be reinfected.
The worm also attempts to add a number of buttons to Internet Explorer with labels "SEARCH", "ANTIVIRUS", "PILLS" and "SECURITY". Selecting any of these buttons will cause the worm to reinfect the system.
The worm drops two files into Windows installation directory, "c****" and "c****.htm" where **** is a number based on the current date. These first file contain the changes made to the registry and the second file contains the actual signature file used by the worm.
Finally the worm will alter the signature and stationary settings of both Outlook Express 5.x and 6.x. After this all email messages sent from an infected system will contain the hidden link to the worm code.