Threat behavior
Trojan:JS/Feebs.gen!D is a JavaScript trojan that drops a polymorphic e-mail worm, which we detect as Worm:Win32/Feebs.gen. Trojan:JS/Feebs.gen!D also disables Internet Explorer context menus and may rename .EXE and .SYS files found in certain folders on the system.
Trojan:JS/Feebs.gen!D typically arrives as a .ZIP attachment to an e-mail message. The e-mail message is generally short and contains several misspellings, for example:
Subject (one of):
- Your help is necessary.
- I have fuond a pgae
Message body (one of):
- Your hlep is necessary. If you will not help -I a corpse! Oepn a page there all it is written
- I have found a page about yuo! I shocked..
Attachment name (one of):
- message.zip
- information.zip
- document.zip
- mail.zip
- page.zip
- data.zip
- html.zip
- msg.zip
The .ZIP file contains a JavaScript trojan in compiled HTML (.HTA) format. This file contains several layers of obfuscation in an attempt to make analysis difficult. If this file is opened, it performs the following actions:
- Disables Internet Explorer context menus
- Drops a copy of itself as "c:\d\ojmvinstall.exe" and runs this copy
- Drops a copy of itself as %USERPROFILE%\Start Menu\Programs\Startup\ojmvinstall.hta
- May try to rename all files with extension .EXE or .SYS in these folders and their subfolders:
  - %ProgramFiles%
  - <system folder>\drivers\
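The indicators above (a .ZIP attachment with one of the listed names that carries an .HTA file, and the two dropped ojmvinstall artifacts) can be checked mechanically at the mail gateway and on a host. The following is an added defender-side example, not code from the original advisory; the ZIP archive and the observed file paths are constructed inline, and the "Documents and Settings" profile path is an assumed example value.

```python
import io
import zipfile
from pathlib import PureWindowsPath

# Attachment names listed in the advisory for this family.
FEEBS_ATTACHMENT_NAMES = {
    "message.zip", "information.zip", "document.zip", "mail.zip",
    "page.zip", "data.zip", "html.zip", "msg.zip",
}


def inspect_attachment(name: str, data: bytes) -> dict:
    """Report advisory-based indicators for one mail attachment.

    'suspicious' is set when the attachment is a ZIP that contains an .HTA
    member, which is how the advisory describes the dropper arriving.
    """
    findings = {"known_name": name.lower() in FEEBS_ATTACHMENT_NAMES,
                "is_zip": False, "hta_inside": []}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            findings["is_zip"] = True
            for member in zf.namelist():
                if PureWindowsPath(member).suffix.lower() == ".hta":
                    findings["hta_inside"].append(member)
    except zipfile.BadZipFile:
        pass  # not an archive at all; nothing to inspect
    findings["suspicious"] = findings["is_zip"] and bool(findings["hta_inside"])
    return findings


def find_dropped_artifacts(observed_paths) -> list:
    """Return the observed paths that match the files the advisory says are dropped."""
    hits = []
    for p in observed_paths:
        wp = PureWindowsPath(p)
        name, parent = wp.name.lower(), str(wp.parent).lower()
        if name == "ojmvinstall.exe" and parent == r"c:\d":
            hits.append(p)
        elif name == "ojmvinstall.hta" and parent.endswith(r"\start menu\programs\startup"):
            hits.append(p)
    return hits


def build_sample_zip() -> bytes:
    """Constructed sample: a ZIP holding a harmless placeholder .HTA member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("page.hta", "<html><!-- constructed placeholder --></html>")
    return buf.getvalue()
```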
Prevention