Virus.JS.Fortnight

Class Virus
Platform JS
Description

Technical Details

JS.Fortnight is an Internet worm that uses infected emails with hidden links to an Internet Web page from which it downloads its infected code.

Infected messages contain a hidden link to a Web page containing the worm. When a user opens an infected email message, the link opens, downloads the worm’s body and executes it in a hidden frame.

The worm uses the Microsoft VM ActiveX security vulnerability for which Microsoft released a security patch three years ago.
This allows the worm’s code to be executed on the local (victim) computer.

More information about this vulnerability and the patch for it is available at:
http://www.microsoft.com/technet/security/bulletin/ms00-075.asp

The Fortnight worm uses a cookie named “TF” to mark infected computers. If this cookie is absent, it changes the Internet Explorer default Web page address to a pornographic site.

Next, the worm copies the default signature of Outlook Express 5.0 to the file C:\Program Files\sign.htm with the link added to its body.
All messages sent later from an infected computer contain this link.

The Fortnight worm creates 3 links in the “Favorites” folder:

 "SEXXX. Totaly Teen.url"
 "Make BIG Money.url"
 "6544 Search Engines Submission.url"

Fortnight installs two cookies that act as infection marks.

The site that contained the worm’s body was blocked as soon as the worm
appeared in the wild and is still down.


I-Worm.JS.Fortnight.f

The Fortnight.f worm creates 3 links in the “Favorites” folder:

"Nude Nurses.url"
"Search You Trust.url"
"Your Favorite Porn Links.url."
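
The host artifacts described above (the Favorites shortcuts of both variants and the sign.htm signature copy) can be checked with a short script. This is an added example, not part of the original description; the function names, the directory arguments and the src/href pattern used to pull links out of the signature file are assumptions, and the demo data is constructed.

```python
import re
import tempfile
from pathlib import Path

# Favorites shortcut names listed on this page (Fortnight and Fortnight.f),
# lower-cased; the trailing dot on the last .f entry is dropped because
# Windows strips trailing dots from file names.
FAVORITE_NAMES = {
    "sexxx. totaly teen.url",
    "make big money.url",
    "6544 search engines submission.url",
    "nude nurses.url",
    "search you trust.url",
    "your favorite porn links.url",
}
# Assumption: the link added to the signature appears as an src/href attribute.
REMOTE_REF = re.compile(r"""(?:src|href)\s*=\s*["']?(https?://[^"'\s>]+)""", re.I)


def scan_host(favorites_dir, signature_file):
    """Return (kind, detail) findings for the artifacts described on this page."""
    findings = []
    fav = Path(favorites_dir)
    if fav.is_dir():
        for entry in sorted(fav.rglob("*")):
            if entry.is_file() and entry.name.lower().rstrip(". ") in FAVORITE_NAMES:
                findings.append(("favorite", entry.name))
    sig = Path(signature_file)
    if sig.is_file():
        findings.append(("signature-file", str(sig)))
        # List every remote reference so an analyst can review where it points.
        html = sig.read_text(encoding="latin-1")
        findings += [("signature-link", url) for url in REMOTE_REF.findall(html)]
    return findings


def demo():
    """Build a constructed directory tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        fav = Path(root, "Favorites")
        fav.mkdir()
        (fav / "Make BIG Money.url").write_text("[InternetShortcut]\n")
        (fav / "Weather.url").write_text("[InternetShortcut]\n")  # benign entry
        sig = Path(root, "Program Files", "sign.htm")
        sig.parent.mkdir()
        sig.write_text('<html><a href="http://example.invalid/p.htm"></a>Regards</html>')
        return scan_host(fav, sig)


if __name__ == "__main__":
    for kind, detail in demo():
        print(kind, detail)
```

On a real system, pass the user's Favorites folder and C:\Program Files\sign.htm; any URL reported from the signature file should be reviewed before the signature is restored.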