Virus Profile: JS/Fortnight.c@M

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 5/29/2003
Date Added: 5/29/2003
Origin: Unknown
Length: Varies
Type: Virus
Subtype: E-mail worm
DAT Required: 4269
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Unusual HTML signature in each email message sent from the infected system.

Methods of Infection

This virus spreads via email. One an infected message is received, additional components are downloaded and the system is configured to be a carrier of the virus. The virus does not contain a damaging payload.

Aliases

JS/Fortnight-F (Sophos), JS_FORTNIGHT.E (Trend)
   

Virus Characteristics

-- Update June 20, 2003 --
This threat was updated to a Low-Profiled risk due to media attention at: https://www.vnunet.com/News/1141755

This virus spreads by inserting a bit of HTML code into every message sent through Microsoft Outlook Express. This is accomplished by creating a new HTML file, and setting it as the default signature file used by Outlook Express. This virus exploits an Internet Explorer vulnerability in order to propagate. For more information on this exploit, see Exploit-ByteVerify.

Overview
The virus is received as HTML code in any email message. This code uses an IFRAME tag with the SRC set to a remote website. When the message is accessed, that remote site is contacted. The site contains encoded JavaScript, which loads an APPLET that carries the exploit. On an unpatched system, the exploit makes the following changes.

Installation of the worm
An HTML signature file [s.htm], containing the IFRAME signature is written to the WINDOWS directory. Registry changes are made to set this HTML file as the default signature.

  • HKEY_CURRENT_USER\Identities\%current user id%\Software\Microsoft\
    Outlook Express\5.0\signatures "Default Signature" = 0
  • HKEY_CURRENT_USER\Identities\%current user id%\Software\Microsoft\
    Outlook Express\5.0\signatures\00000000 "file" = C:\WINDOWS\s.htm
  • HKEY_CURRENT_USER\Identities\%current user id%\Software\Microsoft\
    Outlook Express\5.0\signatures\00000000 "name" = Signature #1
  • HKEY_CURRENT_USER\Identities\%current user id%\Software\Microsoft\
    Outlook Express\5.0\signatures\00000000 "text" = ""
  • HKEY_CURRENT_USER\Identities\%current user id%\Software\Microsoft\
    Outlook Express\5.0\signatures\00000000 "type" = 2
After these changes are made, each message that is sent from the infected system will contain the infectious signature.

Manipulating Internet Explorer
The worm makes several Internet Explorer setting changes, designed to drive the user to the virus author's website, seemingly for advertisement purposes. Such program tactics used for this purpose are sometimes refered to as "scumware":

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Search Bar"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search "CustomizeSearch"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search "SearchAssistant"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main "Search Page"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix "(Default)"
The registry is altered to suppres the display of the Advanced and Security Internet Options settings.
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel "AdvancedTab"
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel "SecurityTab"

Making System Changes
The HOSTS file is overwritten to redirect users to the author's website whenever one of hundreds of addresses are entered

  • c:\WINDOWS\hosts (11,737 bytes)

Creating Shortcuts
The shortcuts are created in the favorites folder for the author's site:

  1. c:\WINDOWS\Favorites\Nude Nurses.url
  2. c:\WINDOWS\Favorites\Search You Trust.url
  3. c:\WINDOWS\Favorites\Your Favorite Porn Links.url
   

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

   

PC Infected? Get Expert Help

McAfee
Virus Removal Service

Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!

$89.95