Protector Plus: Anti virus software for Windows (XP, 2000, 2003, NT, Me, 98, 95), Exchange, NetWare
W32/Feebs.E Worm
Information about the W32/Feebs.E Worm:
W32/Feebs.E is a worm and a variant of W32/Feebs.A. It infects Windows systems and spreads through email and P2P software.
The prefix of the 'From' address of the infected mail will be any one of the following strings:
protect
secur
security
securmail
The suffix after the '@' character will be any one of the following domain names:
@yahoo.com
@gmail.com
@hotmail.com
@msn.com
@aol.com
An example 'From' address of an infected mail is secur@msn.com.
The subject of the infected mail will be a combination of the following three strings.
The first string will be any one of the following:
Secure
Extended
Encrypted
Protected
The second string will be any one of the following:
E-Mail
Mail
Html
Message
The third string will be blank or any one of the following:
System
Service
Service ([domain name])
from [domain name] user.
A fourth string, used in the mail body, will be any one of the following:
Best Regards
Thank you
Sincerely
An example subject of an infected mail is Encrypted Message System (MSN.com).
The body of the infected mail will be any one of the following:
You have received [first string] [second string] from [domain name] user.
This message is addressed personally for you.
To decrypt your message use the following details:
ID: [random digits]
Password: [random characters]
Keep your password in a safe place and under no circumstances give it to ANYONE.
[first string] [second string] and instruction is attached.
[fourth string]
[first string] [second string] [third string],
[domain name]
An example body of an infected mail:
You have received Protected Mail from MSN.com user.
This message is addressed personally for you.
To decrypt your message use the following details:
ID: 24405
Password: vatbsiggq
Keep your password in a safe place and under no circumstances give it to ANYONE.
Protected Mail and instruction is attached.
Thank you,
Encrypted Message System,
MSN.com
The infected attachment will be any one of the following:
msg.zip
message.zip
data.zip
mail.zip
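The mail traits listed above can be checked together on a gateway or in a mailbox sweep. The following is an added example, not code from Protector Plus: the function name `feebs_e_indicators` and the `SAMPLE` message are constructed for illustration, and accepting "System ([domain name])" in the subject is an assumption based on the page's own example subject.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicator values copied from the description above.
PREFIXES = {"protect", "secur", "security", "securmail"}
DOMAINS = {"yahoo.com", "gmail.com", "hotmail.com", "msn.com", "aol.com"}
ZIPS = {"msg.zip", "message.zip", "data.zip", "mail.zip"}
# First + second + optional third string. "System (domain)" is accepted as an
# assumption: the page's example subject uses it, the third-string list does not.
SUBJECT = re.compile(
    r"(Secure|Extended|Encrypted|Protected) (E-Mail|Mail|Html|Message)"
    r"( (System|Service)( \([^)]+\))?| from \S+ user\.?)?", re.I)
BODY = re.compile(r"To decrypt your message use the following details:\s+"
                  r"ID: \d+\s+Password: \S+")

def feebs_e_indicators(raw):
    """Return the sorted Feebs.E mail traits that a raw message matches."""
    msg, hits = message_from_string(raw), set()
    local, _, domain = parseaddr(msg.get("From", ""))[1].lower().partition("@")
    if local in PREFIXES and domain in DOMAINS:
        hits.add("from")
    # Collapse folded or repeated whitespace before matching the whole subject.
    if SUBJECT.fullmatch(" ".join(msg.get("Subject", "").split())):
        hits.add("subject")
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            text = (part.get_payload(decode=True) or b"").decode("latin-1")
            if BODY.search(text):
                hits.add("body")
        if (part.get_filename() or "").lower() in ZIPS:
            hits.add("attachment")
    return sorted(hits)

# Constructed sample built from the page's example values; the zip part is empty.
SAMPLE = "\n".join([
    "From: secur@msn.com",
    "Subject: Encrypted Message System (MSN.com)",
    'Content-Type: multipart/mixed; boundary="B"', "",
    "--B", "Content-Type: text/plain", "",
    "To decrypt your message use the following details:",
    "ID: 24405", "Password: vatbsiggq", "",
    "--B", 'Content-Type: application/zip; name="data.zip"',
    'Content-Disposition: attachment; filename="data.zip"', "", "",
    "--B--", ""])

if __name__ == "__main__":
    print(feebs_e_indicators(SAMPLE))
```

A single matching trait (for example a 'From' address alone) is weak evidence; the combination of several traits is what distinguishes these mails.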
The attached zip file contains a .hta file.
It downloads a base-64 encoded file from any one of the following:
qnx.1gb.ru/[BLOCKED]/d.php
ab.t35.com/[BLOCKED]/d.c
hzs.nm.ru/[BLOCKED]/d.c
users.cjb.net/[BLOCKED]/xup/d.txt
zto.h16.ru/[BLOCKED]/m.txt
It extracts a Windows executable file from the base-64 encoded file and saves it as C:\recycled\userinit.exe.
Upon execution, the worm copies itself as ms[random characters].exe and ms[random characters]32.dll.
It also searches for folders containing the string "share". If it finds such a folder, it drops the following files in it:
3dsmax_9_(3D_Studio_Max)_new!_full+crack.zip
Microsoft_Office_2006_new!_full+crack.zip
ACDSee_9_new!_full+crack.zip
Adobe_Premiere_9_(2.0_pro)_new!_full+crack.zip
Adobe_Photoshop_10_(CS3)_new!_full+crack.zip
DivX_7.0_new!_full+crack.zip
Ahead_Nero_8_new!_full+crack.zip
ICQ_2006_new!_full+crack.zip
Kazaa_4_new!_full+crack.zip
Internet_Explorer_7_new!_full+crack.zip
Longhorn_new!_full+crack.zip
winamp_5.2_new!_full+crack.zip
This worm first appeared on January 12, 2006.
Other names of W32/Feebs.E Worm:
This Worm is also known as W32.Feebs.E@mm.