
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Fortnight.E

 
  • Threat Level: Moderate threat
  • Damage: High
  • Distribution: Not widespread

Effects 

Fortnight.E has the following effects:

  • It modifies the AutoSignature in Outlook. As a result, all the e-mail messages sent from the affected computer will contain the virus code.
  • In the Favorites folder it creates three links to web pages with erotic content:
    Nude Nurses.url
    Search You Trust.url
    Your Favorite Porn Links.url
  • It adds six buttons to the Toolbar in Internet Explorer.

Infection strategy 

Fortnight.E creates the following files:

  • S.HTM. This file is created in the Windows installation directory and it is added to the AutoSignature of outbound messages. In this way, Fortnight.E adds a link to download the malicious code to all the messages sent out.
  • HOSTS. This file is created in the Windows installation directory, and in Windows 2000 and XP it is also copied to system32\drivers\etc. This file is empty.

Fortnight.E deletes the original HOSTS file in the system.

Fortnight.E modifies the following entries in the Windows Registry:

  • HKEY_CURRENT_USER\Identities\%current user id%\Software\Microsoft\Outlook Express\5.0\signatures "Default Signature" = 0
  • HKEY_CURRENT_USER\Identities\%current user id%\Software\Microsoft\Outlook Express\5.0\signatures\00000000 "file" = C:\WINDOWS\s.htm
  • HKEY_CURRENT_USER\Identities\%current user id%\Software\Microsoft\Outlook Express\5.0\signatures\00000000 "name" = Signature #1
  • HKEY_CURRENT_USER\Identities\%current user id%\Software\Microsoft\Outlook Express\5.0\signatures\00000000 "text" = ""
  • HKEY_CURRENT_USER\Identities\%current user id%\Software\Microsoft\Outlook Express\5.0\signatures\00000000 "type" = 2
    It uses these entries to add S.HTM to the AutoSignature of outbound messages.
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel "AdvancedTab"
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel "SecurityTab"
    It uses these entries to disable the Internet security options.
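
The file and registry changes listed above can be checked for during triage. The following Python sketch is an added example, not part of the Panda Security entry: it scans the decoded text of a registry export, plus the contents of the HOSTS file, for those changes. The function names, the sample export, its identity GUID and its DWORD data are constructed for illustration.

```python
import re
# Key and value names come from the entry above. It gives no data for the two
# IE policy values, so (assumption) their presence alone is reported.
SIG_KEY = re.compile(
    r"^HKEY_CURRENT_USER\\Identities\\[^\\]+\\Software\\Microsoft"
    r"\\Outlook Express\\5\.0\\signatures\\[0-9a-f]{8}$", re.I)
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel".lower()
VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')

def parse_reg_export(text):
    """Parse decoded .reg export text into {key: {lowercased value name: raw data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE_LINE.match(line)):
            current[m.group(1).lower()] = m.group(2)
    return keys

def find_indicators(reg_text, hosts_bytes=None):
    """Return (kind, location, detail) tuples for the changes listed in the entry."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if SIG_KEY.match(key):
            # .reg files double every backslash inside string data; undo that.
            path = values.get("file", "").strip('"').replace("\\\\", "\\")
            if path.lower().endswith("\\s.htm"):
                findings.append(("signature-file", key, path))
        elif key.lower() == POLICY_KEY:
            for name in ("advancedtab", "securitytab"):
                if name in values:
                    findings.append(("ie-policy", key, name))
    if hosts_bytes is not None and not hosts_bytes.strip():
        findings.append(("empty-hosts", "HOSTS", ""))
    return findings

# Constructed sample export: the GUID and the DWORD data are made up.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Identities\{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Outlook Express\5.0\signatures\00000000]
"file"="C:\\WINDOWS\\s.htm"
"type"=dword:00000002

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"AdvancedTab"=dword:00000001
"SecurityTab"=dword:00000001
'''
if __name__ == "__main__":
    print(find_indicators(SAMPLE, hosts_bytes=b""))
```

Real exports are usually UTF-16 encoded, so decode the file before passing its text in. A hit on the policy values alone is weak evidence, since administrators also set them deliberately.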

Fortnight.E follows the infection routine below:

  • When the user opens the infected message or views it through the Preview Pane, the link to the web page hidden in the message opens.
  • This web page contains JavaScript code, which downloads and activates a Java Applet called C.JAR that contains the worm's code.
  • Fortnight.E exploits the Exploit/ByteVerify vulnerability in Internet Explorer to download the file to the computer without requiring user confirmation.
  • The C.JAR file is run, thereby inserting the worm in the computer.

Means of transmission 

Fortnight.E spreads via e-mail. In order to do this, it replaces the AutoSignature of all the outgoing messages with a link to an infected web page. When the user opens the infected message, this web page is opened and the worm's code is run.

Further Details  

Fortnight.E is written in the JavaScript programming language. The file that carries out the infection is 270 bytes in size.