2006-01-13 10:54

[Virus Alert] 2 new worms found

Worm name: JS_FEEBS.I

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

 

Description:

When installed, this JavaScript downloads a .TXT file from any of the following Web sites:

• ab.{BLOCKED}com/d.c
• hz{BLOCKED}ru/d.c
• qn{BLOCKED}.ru/d.php
• use{BLOCKED}b.net/xup/d.txt
• zt{BLOCKED}.ru/m.txt

 

As downloaded, the .TXT file is encrypted and not directly executable, so on its own it looks damaged rather than malicious. The JavaScript decrypts it and saves the result on the affected system as C:\recycled\userinit.exe.

It then copies the saved file to the Windows Startup folder and attempts to execute that copy, so the payload is launched again at the next logon. The JavaScript also deletes several registry keys belonging to other antivirus products if they are present on the affected system, in order to make detection harder.

 

Worm name: JS_FEEBS.M

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

 

Description:

This JavaScript is embedded in a malicious Web site and runs when a user visits that site. It may also arrive as an .HTML attachment to an e-mail message that a malicious user mass-mails manually.

When run on the affected system, it shows a fake hotmail.com loading page with a message saying that no connection is available. To the user it looks as if the page simply failed to load, while in the background the script is already downloading an encoded file, detected by Trend Micro as WORM_FEEBS.N. It then decodes that file and executes it on the affected system.

 

Behind the fake hotmail.com loading page, the JavaScript downloads the encoded WORM_FEEBS.N file from any of the following URLs:

• ab.{BLOCKED}om/d.c
• hzs.{BLOCKED}u/d.c
• qnx{BLOCKED}.ru/d.php
• user{BLOCKED}b.net/xup/d.txt
• zto{BLOCKED}6.ru/m.txt
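The two descriptions above give enough behavioural indicators to triage a suspicious .HTML attachment or saved page offline: a fetch of a second-stage file through one of the listed path patterns (d.c, d.php, xup/d.txt, m.txt), a drop to C:\recycled\userinit.exe, a copy into the Windows Startup folder, and the fake hotmail.com "no connection" text. The following Python scanner is an added example written for this alert; it is not Trend Micro's code and not the worm's own code. The hostnames in its constructed sample pages are hypothetical placeholders, since the real ones are {BLOCKED} above, and the matching is static string/regex inspection, not emulation of the script's decryption routine.

```python
"""Static indicator scan for JS_FEEBS-style lure pages.

Added example for this alert; it is not Trend Micro's code and not the
worm's own code. It looks for the behaviours the two descriptions name:
a fetch of a second-stage file through one of the listed path patterns
(d.c, d.php, xup/d.txt, m.txt), a drop to C:\\recycled\\userinit.exe, a
copy into the Windows Startup folder, and the fake hotmail.com
"no connection" text. Hostnames in the constructed samples are
hypothetical (the real ones are {BLOCKED} in the advisory).
"""
import re
from typing import List

# One regex per behaviour from the advisory; all matching is case-insensitive.
INDICATORS = {
    # Second-stage fetch: any http(s) URL whose path ends in one of the
    # file names the advisory lists.
    "stage2_url": re.compile(
        r"""https?://[^\s"']+/(?:d\.c|d\.php|xup/d\.txt|m\.txt)\b""", re.I),
    # Dropped payload path; tolerate single or doubled (JS-escaped) backslashes.
    "drop_path": re.compile(r"recycled\\+userinit\.exe", re.I),
    # Persistence: copy into the Startup folder (path form or shell: alias).
    "startup_persist": re.compile(
        r"Start\s?Menu\\+Programs\\+Startup|shell:startup", re.I),
    # Social-engineering text of the fake hotmail.com loading page.
    "hotmail_lure": re.compile(
        r"hotmail.{0,200}?no\s+(?:available\s+)?connection", re.I | re.S),
}


def scan(text: str) -> List[str]:
    """Return the names of all indicators found in an HTML/JS document."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def extract_stage2_urls(text: str) -> List[str]:
    """Return every second-stage download URL found, for blocking or lookup."""
    return INDICATORS["stage2_url"].findall(text)


def is_feebs_lure(text: str) -> bool:
    """Verdict: a second-stage fetch AND a drop or persistence artefact.

    A lone URL ending in m.txt is too weak on its own (legitimate pages
    link to text files), so one indicator from each group is required.
    """
    hits = set(scan(text))
    return "stage2_url" in hits and bool(hits & {"drop_path", "startup_persist"})


# Constructed sample: what a JS_FEEBS.M-style attachment could look like.
# Hostnames are hypothetical placeholders.
SAMPLE_LURE = r'''<html><head><title>hotmail.com</title></head><body>
<p>Loading hotmail.com ... There is no available connection. Please try again later.</p>
<script type="text/javascript">
var urls = ["http://ab.example.com/d.c", "http://zt.example.net/m.txt"];
var drop = "C:\\recycled\\userinit.exe";
var persist = "%USERPROFILE%\\Start Menu\\Programs\\Startup\\userinit.exe";
// (fetch, decode, write drop, copy to persist, execute)
</script></body></html>'''

# Constructed benign page: links to an m.txt but drops nothing.
SAMPLE_BENIGN = '''<html><body>
<p>Release notes: <a href="http://www.example.com/notes/m.txt">m.txt</a></p>
</body></html>'''


if __name__ == "__main__":
    for label, doc in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, scan(doc), extract_stage2_urls(doc), is_feebs_lure(doc))
```

The verdict deliberately requires two indicator groups: the benign sample above trips the URL pattern alone (a page that happens to link to a file named m.txt) and is not flagged, while the lure sample trips all four. The extracted URLs are what you would feed to a proxy blocklist or a DNS sinkhole.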


References: http://www.trendmicro.com/vinfo/ (Trend Micro Virus Security Info)

http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese Trend Micro Virus Security Info)
