JS.Fortnight.B@mm

LOW
VERY LOW
6KB
(S/Fortnight-B, JS/FortNight.B)

Symptoms

  • File s.htm in Windows folder containing www.prostol.com
  • File hosts in Windows folder containing 66.159.16.110 and 66.159.17.25
  • Registry key:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\= "http://www.pixpox.com/cgi-bin/click.pl?url="
Removal instructions

1. If you don't have BitDefender installed, download an evaluation version.

2. Make the following changes in the Windows registry:

   Note: Please make sure to modify only the values that are specified. It is also recommended to back up the Windows registry before proceeding with these changes. For more information on backing up the registry, please read the FAQ.

   1. Select Run... from Start, then type regedit and press Enter;
   2. Delete the following key:
      [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\= "http://www.pixpox.com/cgi-bin/click.pl?url="]

3. Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with JS.Fortnight.B@mm.

    Analyzed By

    Patrik Vicol BitDefender Virus Researcher

    Technical Description:

The mass-mailer arrives in infected e-mails whose signature is the s.htm file. When such an e-mail is opened, an IFRAME in the signature loads the infector (another HTML file) from a remote location, which then infects the current user.

    Once run, the virus modifies the registry keys:

    HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab=1
    HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\AdvancedTab=1
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\= http://www.pixpox.com/cgi-bin/click.pl?url=
This way, any URL entered in Internet Explorer is redirected through the URL above.

    It drops file s.htm in Windows folder and sets all Outlook signature files to s.htm.

It also creates a hosts file in the Windows folder that maps each of the following host names to one of two IP addresses, 66.159.17.25 and 66.159.16.110:

The list also includes the hosts mt.???.mtree.com, where ??? is a number in the range 1..200.
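The three symptoms above (the sinkhole entries in the hosts file, the hijacked DefaultPrefix value, and the s.htm signature referencing www.prostol.com) can be checked from a copy of the relevant files and registry value. The following is an added example written for this page, not BitDefender's tool; it assumes the stock DefaultPrefix value is "http://" and runs on constructed sample input rather than a real infection.

```python
# Indicators taken from the JS.Fortnight.B@mm description above.
SINKHOLE_IPS = {"66.159.16.110", "66.159.17.25"}
HIJACK_PREFIX = "http://www.pixpox.com/cgi-bin/click.pl?url="
CLEAN_PREFIX = "http://"          # stock DefaultPrefix value (assumption)
SIGNATURE_MARKER = "www.prostol.com"


def parse_hosts(text):
    """Yield (hostname, ip) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        ip, *names = line.split()             # one IP, one or more names
        for name in names:
            yield name.lower(), ip


def hijacked_hosts(text, bad_ips=SINKHOLE_IPS):
    """Return the host names the hosts file points at the sinkhole IPs."""
    return sorted({name for name, ip in parse_hosts(text) if ip in bad_ips})


def default_prefix_hijacked(value):
    """True when IE's DefaultPrefix is anything other than the stock value."""
    return value.strip().lower() != CLEAN_PREFIX


def signature_file_infected(html):
    """True when the Outlook signature file carries the dropper's marker."""
    return SIGNATURE_MARKER in html.lower()


def assess(hosts_text, default_prefix, signature_html):
    """Collect human-readable findings; an empty list means no symptom seen."""
    findings = []
    names = hijacked_hosts(hosts_text)
    if names:
        findings.append(f"hosts file redirects {len(names)} names to sinkhole IPs")
    if default_prefix_hijacked(default_prefix):
        findings.append(f"DefaultPrefix hijacked: {default_prefix!r}")
    if signature_file_infected(signature_html):
        findings.append("signature s.htm references " + SIGNATURE_MARKER)
    return findings


# Constructed sample input imitating an infected machine (not a real capture).
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1 localhost
66.159.17.25 www.ccbill.com secure.ibill.com   # two names on one line
66.159.16.110 www.netnanny.com
10.0.0.5 intranet.local
"""
SAMPLE_SIGNATURE = "<html><!-- constructed --><a href='http://www.prostol.com/'>x</a></html>"

if __name__ == "__main__":
    for finding in assess(SAMPLE_HOSTS, HIJACK_PREFIX, SAMPLE_SIGNATURE):
        print("FINDING:", finding)
```

On a live machine the inputs would be the contents of the hosts file and s.htm from the Windows folder and the DefaultPrefix value read from the registry key named in the Symptoms section.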