Discovered: May 14, 2002
Updated: May 15, 2002 2:21:34 PM
Systems Affected: Windows 98, Windows 95, Windows Me, Windows NT, Windows 2000
JS.Fortnight is a worm that spreads from a website that exploits the Microsoft Virtual Machine com.ms.activeX.ActiveXComponent Arbitrary Program Execution Vulnerability (Microsoft Security Bulletin MS00-075, Bugtraq ID 1754).
When a user visits the website using an unpatched version of Internet Explorer, the worm checks for the existence of the cookie "TF", which is used as an infection marker. If this cookie does not exist, the worm sets the user's Internet Explorer and Netscape Navigator home pages to an adult website by modifying the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page = http://www.rawtocash.net/adv/sex.htm
HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\Main\Home Page = http://www.rawtocash.net/adv/sex.htm
It also creates the following three links in the Internet Explorer Favorites or Netscape Navigator Bookmarks folder:
SEXXX. Totaly Teen http://www.rawtocash.net/adv
Make BIG Money http://www.rawtocash.net
6544 Search Engines Submission http://www.rawtocash.net/submit
Next, the worm creates the file C:\Program Files\sign.htm and sets it as the Outlook Express 5.0 signature file by creating or modifying the following registry entries:
HKEY_CURRENT_USER\Identities\[Default User ID]\Software\Microsoft\Outlook Express\5.0\signatures\10101010\file = c:\Program Files\sign.htm
HKEY_CURRENT_USER\Identities\[Default User ID]\Software\Microsoft\Outlook Express\5.0\signatures\10101010\name = signature
HKEY_CURRENT_USER\Identities\[Default User ID]\Software\Microsoft\Outlook Express\5.0\signatures\10101010\type = 2
HKEY_CURRENT_USER\Identities\[Default User ID]\Software\Microsoft\Outlook Express\5.0\Signature Flags = 3
HKEY_CURRENT_USER\Identities\[Default User ID]\Software\Microsoft\Outlook Express\5.0\signatures\Default Signature = 10101010
This causes a hidden iframe containing a link to the worm's host web page to be included in all outgoing email that the user sends through Outlook Express. When another user receives the email message, the hidden iframe automatically opens the worm's webpage.
The worm then sets two cookies - "RF" and "TF". The "RF" cookie expires after one day, while the "TF" cookie expires after 14 days.
The original website that hosted the worm has been taken down; however, the worm's author could easily find a new host site and modify the worm's code accordingly.
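The registry entries and signature file listed above are the persistent artifacts a responder can audit for. The following read-only PowerShell script is an added example, not part of the Symantec write-up, that checks those exact indicators; it assumes a host with PowerShell (which the legacy systems listed above lack, so it is meant for triage of migrated profiles or lab images), and because the page does not name the worm's hosting URL, it flags any iframe in the registered signature file rather than a specific host.

```powershell
# Added example: audit the JS.Fortnight registry indicators from the write-up.
# Read-only; it reports findings and changes nothing.
$BadHost  = 'rawtocash.net'   # host named in the write-up's home-page and favorites indicators
$Findings = @()

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

# 1. Browser home pages redirected to the adult site (IE and Netscape keys from the write-up).
$homePages = @(
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';  Name = 'Start Page' },
    @{ Path = 'HKCU:\Software\Netscape\Netscape Navigator\Main';  Name = 'Home Page'  }
)
foreach ($hp in $homePages) {
    $v = Get-RegValueOrNull -Path $hp.Path -Name $hp.Name
    if ($v -and $v -like "*$BadHost*") {
        $Findings += "Home page hijacked: $($hp.Path)\$($hp.Name) = $v"
    }
}

# 2. Outlook Express 5.0 signature entries under every identity ([Default User ID] in the write-up).
$identities = Get-ChildItem 'HKCU:\Identities' -ErrorAction SilentlyContinue
foreach ($id in $identities) {
    $oe      = "HKCU:\Identities\$($id.PSChildName)\Software\Microsoft\Outlook Express\5.0"
    $default = Get-RegValueOrNull -Path "$oe\signatures" -Name 'Default Signature'
    if ($default -eq '10101010') { $Findings += "Default Signature = 10101010 under identity $($id.PSChildName)" }
    $file = Get-RegValueOrNull -Path "$oe\signatures\10101010" -Name 'file'
    if ($file) {
        $Findings += "Signature 10101010 registered with file = $file"
        if (Test-Path -LiteralPath $file) {
            # The write-up says sign.htm carries a hidden iframe; the host URL is not given,
            # so (assumption) any iframe in a mail signature file is treated as suspicious.
            $content = Get-Content -LiteralPath $file -Raw
            if ($content -match '(?i)<iframe') { $Findings += "Signature file $file contains an <iframe>" }
        }
    }
}

if ($Findings.Count -eq 0) { 'No JS.Fortnight indicators found.' }
else { $Findings | ForEach-Object { "[!] $_" } }
```

Remediation follows the same keys in reverse: reset the home-page values, remove the 10101010 signature entries and Signature Flags, and delete sign.htm, then confirm the IE patch for MS00-075 is applied so the page cannot reinfect.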