
SANS ISC: W32/Feebs again - SANS Internet Storm Center

W32/Feebs again
Looks like a new variant of W32/Feebs is making the rounds. Fellow handler Bojan has spent quite some time deobfuscating the JavaScript and VB code, and we're still looking at what it does besides downloading base64 encoded versions of W32/Feebs. You might want to zap access to * / * / * / * / * / * until the AV vendors have the patterns lined up.

If some of these domains sound vaguely familiar...

Update 1023 UTC: Looks like it spreads as an email with subject "Secure Message from user", and contains a ZIP attachment (in the sample at hand), which in turn contains a file "Encrypted Html File.hta", which contains the heavily obfuscated JavaScript exploit code that triggers the W32/Feebs download from the above sites.

Update 1700 UTC: AV detection is available by now, at least from some of the "bigger" vendors.
Panda | 02.22.2006 | Suspicious file
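As an added example, not part of the diary, here is a mail-gateway check in Python that flags the lure described in the 1023 UTC update: the "Secure Message from user" subject and a ZIP attachment carrying an .hta member. The sample message is constructed inline with an inert placeholder in place of the real HTA, and the list of script extensions is my own choice, not something the diary states.

```python
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage

# Script container types that Windows runs directly when double-clicked.
# The .hta entry matches the Feebs lure; the rest are my additions.
SCRIPT_EXTENSIONS = (".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf")


def build_sample_message(lure: bool = True) -> bytes:
    """Constructed test message. lure=True mimics the Feebs email (subject plus
    ZIP containing 'Encrypted Html File.hta'); lure=False is a benign control."""
    member = "Encrypted Html File.hta" if lure else "notes.txt"
    body = b"<html><!-- inert placeholder, not the real script --></html>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, body)
    msg = EmailMessage()
    msg["Subject"] = "Secure Message from user" if lure else "Meeting notes"
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg.set_content("Please open the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="message.zip")
    return bytes(msg)


def inspect_message(raw: bytes) -> list:
    """Return the reasons a message should be quarantined; empty means clean."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    reasons = []
    subject = str(msg.get("Subject", ""))
    if subject.lower().startswith("secure message from"):
        reasons.append(f"lure subject: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(payload)):
            continue
        # Look inside the archive: the executable content is one level down.
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for member in zf.namelist():
                if member.lower().endswith(SCRIPT_EXTENSIONS):
                    reasons.append(f"{name} contains script member {member!r}")
    return reasons
```

The check only reads archive metadata, so it is cheap enough to run on every inbound message while signatures catch up.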


ISC Handler, Feb 22nd 2006
