JS/Fortnight, EML/Fortnight Worm !

Discussion in 'malware problems & news' started by Technodrome, May 18, 2002.

Thread Status:
Not open for further replies.
  1. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    NAME: Fortnight
    ALIAS: JS/Fortnight, EML/Fortnight

    JS/Fortnight is a slow mass mailer written in JavaScript which spreads in HTML formatted messages.

    VARIANT: Fortnight.A


    The infected email message contains a hidden link to a web page. This page contains the actual worm code. When the user opens the message, the link activates using an invisible iframe.

    The code on the web page activates by using the Microsoft VM ActiveX vulnerability. This vulnerability has been fixed, and a patch is available from Microsoft:

    http://www.microsoft.com/technet/security/bulletin/ms00-075.asp

    The code uses cookie "TF" as an infection marker. If the cookie is not present, the worm changes the browser's startup page via the registry to an adult web site.

    Next the worm replaces the default Outlook Express 5.0 signature with a file "C:\Program Files\sign.htm". This file contains the hidden iframe that activates the link silently. After this, all messages sent by the user with Outlook Express contain the hidden link to the malicious web page.

    Then the worm adds three links to the Favorites folder, as follows:


       SEXXX. Totaly Teen
       Make BIG Money
       6544 Search Engines Submission

    Finally the worm sets two cookies, "TF" and "RF". The first cookie expires after 14 days and the second one expires after one day.

    The web page where JS/Fortnight.A@m was available is already closed, which means this variant cannot infect any longer.

    source: http://www.f-secure.com


    Technodrome
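
Added example, not part of the original thread or the F-Secure write-up: a small detector for the delivery mechanism described in the post above, a hidden iframe in an HTML message body or in an Outlook Express signature file such as sign.htm. The heuristics for "invisible" (0 or 1 pixel dimensions, `display:none`, `visibility:hidden`), the function and class names, and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
import re

# Assumed heuristics: the post only says the iframe is "invisible".
_HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
_STYLE_TINY = re.compile(
    r"(?:^|;)\s*(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)
_TINY = re.compile(r"^\s*[01](?:px)?\s*$", re.I)
_REMOTE = re.compile(r"^\s*(?:https?:)?//", re.I)


class HiddenIframeFinder(HTMLParser):
    """Collect <iframe> tags that load a remote URL but render invisibly."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if not _REMOTE.match(src):
            return  # only remote frames are of interest here
        reasons = [f"{d}={a[d].strip()}" for d in ("width", "height")
                   if _TINY.match(a.get(d, ""))]
        style = a.get("style", "")
        if _HIDDEN_STYLE.search(style) or _STYLE_TINY.search(style):
            reasons.append("style hides frame")
        if reasons:
            self.findings.append((src.strip(), reasons))


def scan_html(html):
    """Return [(src, [reasons])] for each hidden remote iframe in html."""
    finder = HiddenIframeFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed samples (not taken from the worm): a signature-style file with
# a zero-size remote iframe, and a benign message with a visible embed.
SAMPLE_SIGNATURE = ('<html><body><IFRAME SRC="http://host.example.invalid/p.htm"'
                    ' WIDTH=0 HEIGHT=0></IFRAME></body></html>')
SAMPLE_BENIGN = ('<html><body><p>Regards</p><iframe width="400" height="300"'
                 ' src="https://maps.example.invalid/embed"></iframe></body></html>')
```

The same function can be pointed at the text of a signature file or at the HTML part of a stored message; a non-empty result is a lead for review, not proof of infection.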
     
  2. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    What the hell is the point?  What do these people think they're accomplishing by this?  Oh, it beats me...there are so many other things inventive minds could do.

    What a waste of talent.
     
  3. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Virii coders are getting smarter...  :-/

    Technodrome
     