The Antivirus Guy Blog

Keeping people up to date with antivirus and security information

SANS – Internet Storm Center – New email virus making the rounds

Handler’s Diary January 11th

New email virus making the rounds

Published: 2006-01-11, Last Updated: 2006-01-11 22:28:25 UTC by Daniel Wesemann (Version: 1)

We are currently analyzing a copy of .. something.
Attachment name “”, detection by AV is still thin to nonexistent.
When run, the code tries to pull additional files from web servers in Russia, so
if you have a chance, you might consider blocking the following TLDs on your
proxy / / / / /

2200UTC: contains a file named “Secure E-mail File.hta”, which, according to
current Virustotal output, is only detected by Panda and Kaspersky; the latter calls
it Worm.Win32.Feebs.k. Samples we’ve seen come in an email with subject “Secure
Message from user”. The HTA file is nicely obfuscated; it has 2
obfuscation functions, one being an easy unescape, while the other one is a bit
more complex. Once it is executed by a user, it will run in the local zone, so
it can use various ActiveXObjects. It will try to download executables from 5
web sites (domains listed above), all of which are up and working at this

MD5 sums for the original exploit file and the two variants of
EXEs it downloads when run:
Secure E-mail File.hta


Analysis and write-up by fellow handler Bojan
Zdrnja. Thanks! 🙂

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System
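
The diary describes an HTA whose script hides behind an unescape() layer and then uses ActiveXObject to fetch executables. The following is an added example, not code from the diary or from SANS: a static triage sketch that peels literal unescape() layers without executing anything and reports ActiveX ProgIDs and URLs. The function names, the sample HTA and the example.invalid URL are constructed for illustration, and only the simple unescape layer is handled, not the more complex second function the diary mentions.

```javascript
// Added example: static triage of HTA script text. Nothing here executes the input.
// Decode %XX and %uXXXX sequences, the encoding that unescape() reverses.
function decodeEscapes(text) {
  return text.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi,
    (_, wide, narrow) => String.fromCharCode(parseInt(wide || narrow, 16)));
}

// Replace each unescape("literal") call with its decoded text until no call
// remains or maxLayers is reached (guards against pathological nesting).
function peelUnescape(script, maxLayers = 5) {
  const call = /unescape\(\s*(["'])((?:(?!\1).)*)\1\s*\)/g;
  let text = script;
  let layers = 0;
  while (layers < maxLayers) {
    const next = text.replace(call, (_, quote, body) => decodeEscapes(body));
    if (next === text) break;
    text = next;
    layers++;
  }
  return { text, layers };
}

// Hypothetical helper: flag script that both instantiates ActiveX objects and
// carries URLs once the unescape layers are removed.
function triageHta(script) {
  const { text, layers } = peelUnescape(script);
  const uniq = (re) => [...new Set([...text.matchAll(re)].map((m) => m[1]))];
  const progIds = uniq(/new\s+ActiveXObject\(\s*["']([^"']+)["']/g);
  const urls = uniq(/(https?:\/\/[^\s"'<>)]+)/g);
  return { layers, progIds, urls, suspicious: progIds.length > 0 && urls.length > 0 };
}

// Constructed sample (not the sample from the diary): two unescape layers
// hiding an ActiveX instantiation and a placeholder URL.
const pct = (s) =>
  [...s].map((c) => "%" + c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
const inner = 'var x = new ActiveXObject("MSXML2.XMLHTTP"); ' +
  'var u = "http://downloads.example.invalid/file.exe";';
const SAMPLE_HTA = '<html><script>eval(unescape("' +
  pct('eval(unescape("' + pct(inner) + '"))') + '"));</script></html>';

console.log(triageHta(SAMPLE_HTA));
```

A mail gateway or proxy that already quarantines .hta attachments can run a check like this on the quarantined file to decide which samples to escalate first.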


January 14, 2006 - Posted by | Antivirus News, Virus Outbreaks
