JS/Fortnight, EML/Fortnight Worm !

NAME: Fortnight
ALIAS: JS/Fortnight, EML/Fortnight

JS/Fortnight is a slow mass mailer written in JavaScript which spreads in HTML formatted messages.

VARIANT: Fortnight.A


The infected email message contains a hidden link to a web page. This page contains the actual worm code. When the user opens the message, the link activates using an invisible iframe.

The code on the web page activates by using the Microsoft VM ActiveX vulnerability. This vulnerability has been fixed, and a patch is available from Microsoft:

http://www.microsoft.com/technet/security/bulletin/ms00-075.asp

The code uses cookie "TF" as an infection marker. If the cookie is not present, the worm changes browser's startup page via registry to an adult web site.

Next the worm replaces the default Outlook Express 5.0 signature to a file "C:\Program Files\sign.htm". This file contains the hidden iframe that activates the link silently. After this all messages sent by the user with Outlook Express contain the hidden link to the malicious web page.

Then the worm adds three links to the Favorites folder, as follows:


   SEXXX. Totaly Teen
   Make BIG Money
   6544 Search Engines Submission

Finally the worm sets two cookies, "TF" and "RF". The first cookie expires after 14 days and the second one expires after one day.

The web page where JS/Fortnight.A@m was available, is already closed, which means this variant cannot infect any longer.

source: http://www.f-secure.com


Technodrome

 

What the hell is the point?  What do these people think they're accomplishing by this?  Oh, it beats me...there are so many other things inventive minds could do.

What a waste of talent.

 

Virii coders are getting smarter...  :-/

Technodrome