May 23
by Ryan Flores (Advanced Threats Researcher)

At around 11 PM (GMT+8) yesterday, our e-mail honeypots started to capture a moderate amount of FEEBS malware. Below are two examples of how this FEEBS e-mail looks.

[Screenshot: eml1.JPG, first sample FEEBS e-mail]

[Screenshot: eml2.JPG, second sample FEEBS e-mail]

The e-mail subjects use the phrases Your help is necessary and I have found a page about you as base subjects. The spammer then alters the spelling of these subjects, probably in an attempt to make e-mail blocking more difficult, so the subjects look like Your help is nceessary or I have found ap age about oyu instead.

All e-mail attachments arrive in .ZIP format, most commonly with the filename document.zip, mail.zip, message.zip, setup.zip, information.zip or data.zip. The archived FEEBS file inside, however, has varying filenames that appear to be composed of random letters of random length.
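The two traits above (letter-shuffled subjects and a short list of ZIP attachment names) can be turned into a mail-gateway check. The example below is added here and is not Trend Micro code: it reduces a subject to its sorted letters so that any permutation of a base subject matches, flags the listed ZIP names, and runs against a constructed sample message (not a captured one). The sorted-letter signature also matches unrelated anagrams, so it is a campaign-specific rule rather than a general one.

```python
import email
from email import policy

# Base subjects the campaign permutes and the ZIP names the post lists
BASE_SUBJECTS = ["Your help is necessary", "I have found a page about you"]
ZIP_NAMES = {"document.zip", "mail.zip", "message.zip", "setup.zip",
             "information.zip", "data.zip"}

def subject_signature(subject):
    """Lowercase, drop whitespace, sort the letters. The spammer only
    reorders letters and shifts spaces, so the multiset of letters is
    unchanged and the sorted string equals that of the base subject."""
    return "".join(sorted("".join(subject.lower().split())))

BASE_BY_SIGNATURE = {subject_signature(s): s for s in BASE_SUBJECTS}

def feebs_indicators(raw_message):
    """Return the indicators found in a raw RFC 822 message (empty if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    base = BASE_BY_SIGNATURE.get(subject_signature(msg.get("Subject", "")))
    if base:
        found.append(f"subject is a permutation of {base!r}")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name in ZIP_NAMES:
            found.append(f"attachment named {name}")
    return found

# Constructed sample modelled on the lure described in the post (not a capture)
SAMPLE = """\
Subject: I have found ap age about oyu
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see http://qu-a.nm.ru
--b1
Content-Type: application/zip; name="message.zip"
Content-Disposition: attachment; filename="message.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""
```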

Aside from the attachment, the spammed e-mail also contains a link to http://qu-a.nm.ru, which at first glance appears to be a pump-and-dump site.

[Screenshot: page1.JPG, the qu-a.nm.ru landing page]

However, clicking the Download GEO System link downloads the file setup.zip (containing setup.exe).

Setup.exe pretends to be an installer for the bogus company QU-A Trading Systems, and offers the “option” to install in one of several languages.

[Screenshot: page2.JPG, fake QU-A Trading Systems installer language selection]

To complete its guise, setup.exe displays an Installation Completed message box, but instead of installing any “Trading Systems” software, copies of WORM_FEEBS and JS_FEEBS are installed.

[Screenshot: page3.JPG, the fake Installation Completed message box]

As usual, we advise our beloved readers to NOT execute files or click on links coming from unsolicited e-mail.

© Copyright 2008 Trend Micro Inc. All rights reserved.