
JS.Fortnight.B@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases :

JS.Fortnight.B@mm is also known as S/Fortnight-B, JS/FortNight.B.

Explanation :

The mass-mailer arrives in infected e-mails whose signature is an s.htm file. When the infected e-mail is opened, the virus uses an IFRAME to remotely execute its infector (another HTML file) and infects the current user.

Once run, the virus modifies the registry keys:

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab=1
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\AdvancedTab=1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix=http://www.pixpox.com/cgi-bin/click.pl?url=
This way, any URL entered in Internet Explorer will be redirected through the URL above.

It drops the file s.htm in the Windows folder and sets all Outlook signature files to s.htm.

It creates a file named hosts in the Windows folder, which redirects any of the following URLs to two IP addresses, 66.159.17.25 and 66.159.16.110:

as well as mt.???.mtree.com where ??? is a number in the range 1..200
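
A defender-side check for the hosts-file tampering described above, as an added example that is not part of the original BitDefender description: it parses hosts-file text and flags entries that map to either of the two IP addresses or that match the mt.N.mtree.com pattern. The function names, the reason labels and the sample input are constructed for illustration.

```python
import ipaddress
import re
import sys

# Redirect targets named in the description above.
REDIRECT_IPS = {ipaddress.ip_address("66.159.17.25"),
                ipaddress.ip_address("66.159.16.110")}
# mt.<n>.mtree.com, where the description gives n in the range 1..200.
MTREE_RE = re.compile(r"^mt\.(\d{1,3})\.mtree\.com$")

def parse_hosts(text):
    """Yield (line_no, ip, hostnames) for each mapping line in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                            # blank, comment-only or incomplete
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an address
        yield line_no, ip, [h.lower().rstrip(".") for h in fields[1:]]

def is_mtree_name(host):
    """True for mt.<n>.mtree.com with n between 1 and 200 inclusive."""
    m = MTREE_RE.match(host)
    return bool(m) and 1 <= int(m.group(1)) <= 200

def audit_hosts(text):
    """Return (line_no, hostname, ip, reason) for every suspicious mapping."""
    findings = []
    for line_no, ip, hosts in parse_hosts(text):
        for host in hosts:
            if ip in REDIRECT_IPS:
                findings.append((line_no, host, str(ip), "redirect-ip"))
            elif is_mtree_name(host):
                findings.append((line_no, host, str(ip), "mtree-pattern"))
    return findings

# Constructed sample input (example.* hostnames and 10.0.0.5 are placeholders).
SAMPLE = """\
# constructed sample hosts file
127.0.0.1      localhost
66.159.17.25   billing.example.com   # constructed hostname
66.159.16.110  mt.17.mtree.com tracker.example.net
10.0.0.5       mt.201.mtree.com
10.0.0.5       MT.200.mtree.com.
"""

if __name__ == "__main__":
    # Audit the file given as the first argument, or the sample if none is given.
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE
    for finding in audit_hosts(text):
        print(*finding, sep="\t")
```

Run it with the path of the hosts file to audit as the only argument; with no argument it audits the constructed sample.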

Last update 21 November 2011

 
