Feebs variant threatening users

A new variant of the W32/Feebs worm is in the wild, security firms warned this week.

The new version of the virus, which contains a ZIP attachment and claims to be a secure email message, contains exploit code that triggers a download from a number of malicious sites, the SANS Institute's Internet Storm Center said Wednesday.

The organization warned readers on its website to beware of sites associated with the virus.

"You might want to zapp access,,,,, until the anti-virus vendors have the patternes lined up," said Daniel Wesemann on the Internet Storm Center site.

Security firm Aladdin identified a new variant of the worm earlier this month, calling it JS.Feebs, that generally arrived as an email but could also exist in websites displaying fake loading screens that look like several popular search engines.

Firms warned that the file, when modified, can override the default DNS servers, thus allowing users' internet browsers to receive one address and lead to another, leading users to a spoofed site when they try to access eBay. After a user enters personal information, he or she is taken to the actual eBay website, completely unaware that sensitive information was stolen.

The SANS Institute said the newest version of the worm claims to be from a Gmail user.

"Looks like it spreads as an email with subject 'Secure Message from user.' And contains a file 'Encrypted Html File.hta,' which contains the heavily obfuscated Javascript exploit code that triggers the W32/Feebs download from (associated) sites."

A number of anti-virus companies can detect the worm, including BitDefender, Kaspersy, McAfee, Panda, Sophos and Symantec, the institute said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.