Looks like a new variant of W32/Feebs is making the rounds. Fellow handler Bojan has spent quite some time with de-obfuscating the JavaScript and VB code, and we're still looking at what it does besides downloading base64 encoded versions of W32/Feebs. You might want to zapp access to *.coconia.net / *.by.ru / *.kazan.bz / *.t35.com / *.freecoolsite.com / *.nm.ru until the AV vendors have the patterns lined up.
If some of these domains sound vaguely familiar.... http://isc.sans.org/diary.php?storyid=1035 Update 1023 UTC: Looks like it spreads as an email with subject "Secure Message from GMail.com user", and contains a ZIP attachment (data.zip in the sample at hand), which in turn contains a file "Encrypted Html File.hta", which contains the heavily obfuscated Javascript exploit code that triggers the W32/Feebs download from the above sites. Update 1700 UTC: AV detection is available by now, at least from some of the "bigger" vendors. BitDefender|7.2|02.22.2006|Win32.Worm.Feebs.1.Gen Kaspersky|4.0.2.24|02.22.2006|Worm.Win32.Feebs.cb McAfee|4703|02.22.2006|W32/Feebs.gen@MM Panda|9.0.0.4|02.22.2006|Suspicious file Sophos|4.02.0|02.22.2006|W32/Feebs-Gen Symantec|8.0|02.22.2006|W32.Feebs |
Daniel 385 Posts ISC Handler Feb 22nd 2006 |
Thread locked Subscribe |
Feb 22nd 2006 1 decade ago |
Sign Up for Free or Log In to start participating in the conversation!