virus logo Virus

W32/Funner.A!worm.im

description-logoAnalysis

This virus is 32-bit with an ASP packed file size of 56,320 bytes. This virus was coded using Visual Basic 6 and contains instructions to send itself to other contacts found in the MSN Messenger chat application. The virus modifies a configuration file "hosts." to prevent the system from reaching many websites.
If the virus is run on a system, it will create files into the System32 folder -
explorer.exe
iexplore.exe
userinit32.exe
The virus also writes itself as "rundll32.exe" into the Windows folder.
Next it pries into running MSN Messenger data files to locate other MSN chat users and sends itself to those recipients as "funny.exe". This file is stored locally as "c:\funny.exe".
Loading at Windows startup
The virus will modify the registry to run at each Windows startup -
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
"MMSystem" = c:\winnt\rundll32.exe "c:\winnt\system32\mmsystem.dll"", RunDll32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"MMSystem" = c:\winnt\rundll32.exe "c:\winnt\system32\mmsystem.dll"", RunDll32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
"Userinit" = C:\WINNT\system32\userinit32.exe
*Old value was "C:\WINNT\system32\userinit.exe"
Web site redirect
The virus will overwrite the "hosts." file commonly stored in the path 'C:\WINNT\system32\drivers\etc\hosts'. The new hosts file have redirection entries for 937 web sites, most if not all of them located in Asia and China. These are examples of the hosts file entries written by the virus -
222.89.98.219 www.666ccc.com
222.89.98.219 www.666e.com
222.89.98.219 www.qq530.com
222.89.98.219 www.vv66.com
222.89.98.219 www.dj99.net
The above line will force the browser to direct itself to the IP address 222.89.98.219 if an attempt is made to visit the web site mentioned to the right of that IP address in the hosts file.

recommended-action-logoRecommended Action

Check the web interface for your Fortigate unit to ensure the latest AV/NIDS definitions have been downloaded and installed on your system - if required, enable the "Allow Push Update" option

Telemetry logoTelemetry

Detection Availability

FortiClient
Extreme
FortiMail
Extreme
FortiSandbox
Extreme
FortiWeb
Extreme
Web Application Firewall
Extreme
FortiIsolator
Extreme
FortiDeceptor
Extreme
FortiEDR
ID 167022
Released Oct 11, 2004
Description
Updated		 Oct 12, 2004
Aliases W32/Funner.A-mm, W32/Funner.IM-net, W32/Funner.worm [McAfee], WORM_FUNNER.A [Trend]
Platform Profile Win32 file format / PE 32 bit
Profile Type Worm (worm)