Classification

Category :

Malware

Type :

Worm

Aliases :

Flea, JS/Flea, VBS/Flea.A.Dropper, REG/Flea

Summary

JS/Flea.A is a slow-spreading email worm. It does not travel as an attachment: the infected message carries a hidden link in its HTML signature, and that link fetches the worm's scripts from a web server when the message is viewed. To hide itself and make analysis more difficult, Flea wraps its code in several layers of encryption.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

F-Secure has received reports of this worm from Asia and Europe.

Variant: Flea.A, JS/Flea.A, VBS/Flea.A.Dropper, REG/Flea.A

Flea activates when an infected email message is opened. At that point the hidden link in the message connects to a web site in Spain (a private page under terra.es) and silently downloads and executes a JavaScript file hosted there. That JavaScript in turn downloads a second script, written in Visual Basic Script, and executes it; this second script carries the actual worm code. Because the worm code is fetched from the web rather than carried in the message, the message itself offers a mail scanner nothing to match beyond the link, and rendering the HTML is enough to start the chain.

The Visual Basic script changes an Internet Explorer setting so that any URL typed into the address bar without an explicit protocol prefix (normally Internet Explorer supplies the leading "http://" itself) is redirected to the worm code. Simply browsing to a site by name therefore reinfects the system.

The worm also attempts to add buttons to the Internet Explorer toolbar labelled "SEARCH", "ANTIVIRUS", "PILLS" and "SECURITY". Clicking any of them reinfects the system.

The worm drops two files into the Windows installation directory, "c****" and "c****.htm", where **** is a number derived from the current date. The first file holds the registry changes the worm makes; the second holds the HTML signature the worm uses to spread.

Finally, the worm alters the signature and stationery settings of both Outlook Express 5.x and 6.x so that every message sent from the infected system carries the hidden link to the worm code.
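A triage check for the indicators described in the last four paragraphs, written for this page as an added example; it is not F-Secure's code and the description supplies no removal tool. It reads the standard Internet Explorer and Outlook Express registry locations for the URL prefix setting, toolbar buttons and signature files, and lists c<digits> and c<digits>.htm files in the Windows directory. Those registry paths and the Outlook Express "file"/"type" value names are assumptions, since the description does not name them. The script only reports; it does not clean anything.

```powershell
# Added triage example for the JS/Flea.A persistence indicators (not part of the F-Secure page).
# Assumed locations, not named on the page: URL prefixes under HKLM\...\CurrentVersion\URL,
# toolbar buttons under ...\Internet Explorer\Extensions, Outlook Express 5/6 signatures under
# HKCU\Identities\<id>\Software\Microsoft\Outlook Express\5.0\signatures.
# Run from an elevated prompt on the suspect machine. Read-only.

$hits = New-Object System.Collections.Generic.List[string]

# 1. URL prefix hijack. IE completes a scheme-less address with these values; every
#    legitimate entry is a bare scheme such as "http://", so anything longer points elsewhere.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes') {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PSPath, PSParentPath, etc.
        $value = [string]$p.Value
        if ($value -notmatch '^[a-z]+://$') {
            $hits.Add("URL prefix hijack: $key\$($p.Name) = '$value'")
        }
    }
}

# 2. Toolbar buttons carrying the labels the worm uses. Legitimate software registers
#    buttons here too, so confirm the Exec/Script target before removing anything.
$labels = 'SEARCH', 'ANTIVIRUS', 'PILLS', 'SECURITY'
foreach ($root in 'HKLM:', 'HKCU:') {
    $ext = "$root\SOFTWARE\Microsoft\Internet Explorer\Extensions"
    if (-not (Test-Path $ext)) { continue }
    foreach ($sub in Get-ChildItem -Path $ext) {
        $btn = Get-ItemProperty -Path $sub.PSPath
        if ($btn.ButtonText -and $labels -contains ([string]$btn.ButtonText).ToUpper()) {
            $hits.Add("IE button '$($btn.ButtonText)' ($($sub.PSChildName)) Exec='$($btn.Exec)' Script='$($btn.Script)'")
        }
    }
}

# 3. Dropped files: c<digits> (registry changes) and c<digits>.htm (signature) in %windir%.
$dropped = Get-ChildItem -Path $env:windir -File -ErrorAction SilentlyContinue |
           Where-Object { $_.Name -match '^c\d+(\.htm)?$' }
foreach ($f in $dropped) {
    $hits.Add("Dropped file candidate: $($f.FullName)")
    if ($f.Extension -eq '.htm') {
        # list the links this signature would inject into outgoing mail
        Select-String -Path $f.FullName -Pattern 'https?://[^\s"''<>]+' -AllMatches |
            ForEach-Object { $_.Matches } |
            ForEach-Object { $hits.Add("  link in $($f.Name): $($_.Value)") }
    }
}

# 4. Outlook Express signatures that read their text from a dropped .htm file
#    ("type" 2 = file-based signature; "file" = its path, both assumed value names).
if (Test-Path 'HKCU:\Identities') {
    foreach ($id in Get-ChildItem -Path 'HKCU:\Identities') {
        $sigKey = "$($id.PSPath)\Software\Microsoft\Outlook Express\5.0\signatures"
        if (-not (Test-Path $sigKey)) { continue }
        foreach ($sig in Get-ChildItem -Path $sigKey) {
            $s = Get-ItemProperty -Path $sig.PSPath
            if ($s.file -and ([string]$s.file) -match '\\c\d+\.htm$') {
                $hits.Add("Outlook Express signature $($sig.PSChildName) (identity $($id.PSChildName)) uses file '$($s.file)' type=$($s.type)")
            }
        }
    }
}

if ($hits.Count -eq 0) {
    Write-Output 'No Flea indicators found.'
} else {
    Write-Output "Found $($hits.Count) indicator(s):"
    $hits | ForEach-Object { Write-Output $_ }
}
```

A hit on the URL prefix values is worth treating as real, since those entries should never be anything but a bare scheme. A toolbar button hit only matters once its Exec or Script target is confirmed to be the worm's script, because many legitimate products register buttons under the same key.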