Virus Encyclopedia
Welcome to the Virus Encyclopedia of Panda Security.
Effects
The main action carried out by Fortnight consists of changing the default home page of Internet Explorer and Netscape.
Infection strategy
In order to carry out its payload, Fortnight performs the following actions:
Initially, the Trojan is included in an HTML page.
When this page is loaded, the Trojan creates the following files:
SIGN.HTM. This file, created in the c:\program files\ directory, is added to the autosignature of Outlook Express outbound messages. In this way, Fortnight attaches the malicious code to every message sent out. SIGN.HTM opens a link to a pornographic web page which contains the Trojan.
TF. This is a cookie. The first time the Trojan is run, it modifies the Internet Explorer and Netscape Navigator home pages to a web page with pornographic content (rawtocash.net/adv).
Fortnight modifies the Outlook Express autosignature so that it points to the file c:\Program Files\sign.htm. This file has HTML code that opens a web page, which contains the Trojan, in hidden mode.
Furthermore, Fortnight inserts the following entries in the Windows Registry:
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page "http://www.rawtocash.net/adv/sex.htm"
HKCU\Software\Netscape\Netscape Navigator\Main\Home Page "http://www.rawtocash.net/adv/sex.htm"
HKCU\Identities\<defuser>\Software\Microsoft\Outlook Express\5.0\signatures\Default Signature "10101010"
HKCU\Identities\<defuser>\Software\Microsoft\Outlook Express\5.0\signatures\10101010\file "c:\Program Files\sign.htm"
HKCU\Identities\<defuser>\Software\Microsoft\Outlook Express\5.0\signatures\10101010\name "signature"
HKCU\Identities\<defuser>\Software\Microsoft\Outlook Express\5.0\signatures\10101010\type "2"
Through these entries, the worm modifies the autosignature of every outbound message and changes the Web browser's home page.
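The registry entries above can be checked for on a suspect machine. The following is an added example, not part of the original encyclopedia entry or a Panda Security tool: it scans the decoded text of a .reg export for the home page and Outlook Express signature values listed above. The function names and the sample export are assumptions made for illustration, and only string values are parsed.

```python
import re

# Indicators copied from the registry entries listed above.
BAD_HOST = "rawtocash.net"
SIG_FILE = r"c:\program files\sign.htm"
HOMEPAGE_VALUES = {
    (r"software\microsoft\internet explorer\main", "start page"),
    (r"software\netscape\netscape navigator\main", "home page"),
}
HKCU = re.compile(r"^(?:HKEY_CURRENT_USER|HKCU)\\(.+)$", re.I)
OE_SIG_KEY = re.compile(
    r"^identities\\[^\\]+\\software\\microsoft\\outlook express\\5\.0\\signatures\\[^\\]+$")
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Yield (key, value_name, data) for each string value in .reg export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        m = STRING_VALUE.match(line)
        if key and m:
            # .reg files escape backslashes and quotes inside strings; undo that.
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            yield key, name, data

def find_fortnight_indicators(text):
    """Return (kind, key, value_name, data) for each Fortnight registry trace."""
    hits = []
    for key, name, data in parse_reg_export(text):
        m = HKCU.match(key)
        if not m:
            continue
        rel, name_l, data_l = m.group(1).lower(), name.lower(), data.lower()
        if (rel, name_l) in HOMEPAGE_VALUES and BAD_HOST in data_l:
            hits.append(("homepage", key, name, data))
        elif OE_SIG_KEY.match(rel) and name_l == "file" and data_l == SIG_FILE:
            hits.append(("oe_signature", key, name, data))
    return hits

# Constructed sample export (not from a real machine); the identity GUID is a placeholder.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.rawtocash.net/adv/sex.htm"
[HKEY_CURRENT_USER\Identities\{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Outlook Express\5.0\signatures\10101010]
"name"="signature"
"file"="c:\\Program Files\\sign.htm"
"""
```

Real exports produced by regedit are usually UTF-16, so decode the file before passing its text to `find_fortnight_indicators`.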
Means of transmission
Fortnight spreads via e-mail, including its code in the autosignature of every outbound message. As a result, the autosignature of all of the outgoing messages will include a link to a web page with pornographic content.
To do this, Fortnight exploits a vulnerability that affects ActiveX controls.
Further Details
The Trojan component of Fortnight is 2,375 bytes in size, whereas the worm component is 206 bytes in size.