Old 11-10-2004, 20:47   #175
Miticuz
Senior Member
 
 
Joined: Jun 2003
Posts: 1023
Quote:
Originally posted by Miky Mouse
Any news about this virus???
If it's useful, I'm copying and pasting from the html.it forum

A new virus is spreading via Messenger; I'm attaching some info here and the methods for removing it.

W32.Funner is a worm that spreads using Microsoft's Windows Messenger instant message program and modifies the hosts file.

The worm MSN-Worm.Funner sends IM messages with URL links of the following form:

http://www.78p.com/

When W32.Funner is executed, it performs the following actions:
Copies itself as:

%System%\IEXPLORE.EXE
%System%\EXPLORE.EXE
%Windir%\rundll32.exe
%System%\userinit32.exe
c:\funny.exe

and executes the first three files listed.

Notes:
The three files make sure that the other two are running and will restart them if any are stopped.
These files require the MSVBVM60.DLL file, which is a component of the Microsoft Visual Basic run-time environment.
%System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Creates a log file named %System%\bsfirst2.log.


Adds the value:

"Userinit"="userinit32.exe,"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

so that the userinit32.exe runs when you start Windows.


Adds the value:

"MMSystem"="%Windir%\rundll32.exe "%System%\mmsystem.dll"", RunDll32"

to some of the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

so that the rundll32.exe runs when you start Windows.


May add the line:

Shell = %System%\explorer.exe

to the [boot] section of the SYSTEM.INI file.


Attempts to send c:\funny.exe to contacts in the Windows Messenger instant message program.



May contact the www.78p.com domain and download various components.


Adds the following entries to the Hosts file to point to an external IP address:

The following links provide more details on this worm:

http://www.trendmicro.com/vinfo/vir...e=WORM_FUNNER.A

http://securityresponse.symantec.co...w32.funner.html
__________________
I believe each of us should be judged by what they have done. Actions count, not words. If we gave credit to talk, we would all be good and irreproachable
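As an added defender-side illustration (not part of the post above or of any vendor writeup), the Python below checks for the persistence traces the writeup describes: a Winlogon Userinit value that does not launch the stock userinit.exe, a Run/RunOnce value that loads mmsystem.dll through rundll32, hosts entries that point names at a non-loopback address, and a Shell= override in the [boot] section of SYSTEM.INI. It runs over constructed sample artifacts; the hosts address and names are placeholders, and registry paths use HKLM/HKCU shorthand.

```python
from typing import Dict, List

# Constructed sample artifacts (not real captures) in the style the writeup
# describes; the redirect address is a TEST-NET placeholder, not the real one.
SAMPLE_HOSTS = "127.0.0.1 localhost\n203.0.113.5 www.redirected.test\n203.0.113.5 redirected.test\n"
SAMPLE_REGISTRY = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit": "userinit32.exe,",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MMSystem":
        r'%Windir%\rundll32.exe "%System%\mmsystem.dll", RunDll32',
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
}
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe\nShell = C:\\WINDOWS\\System32\\explorer.exe\n[drivers]\n"
LOOPBACK = ("127.", "::1", "0.0.0.0")

def hosts_redirects(text: str) -> List[str]:
    """Hosts lines mapping a name to a non-loopback address (the worm points domains at an external IP)."""
    hits = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments, tolerate any whitespace
        if len(parts) >= 2 and not parts[0].startswith(LOOPBACK):
            hits.append(" ".join(parts))
    return hits

def suspicious_registry(values: Dict[str, str]) -> List[str]:
    """Userinit not launching the stock userinit.exe, or a Run/RunOnce value loading mmsystem.dll via rundll32."""
    hits = []
    for path, data in values.items():
        parent, name = path.rsplit("\\", 1)
        low = data.lower()
        if name.lower() == "userinit":
            # first comma-separated program, basename only (stock value is a full path to userinit.exe)
            first = low.split(",")[0].strip().rsplit("\\", 1)[-1]
            if first != "userinit.exe":
                hits.append(path)
        elif parent.lower().endswith(("\\run", "\\runonce")) and "rundll32" in low and "mmsystem.dll" in low:
            hits.append(path)
    return hits

def boot_shell_override(text: str) -> List[str]:
    """Shell= lines in the [boot] section of SYSTEM.INI that replace Explorer.exe."""
    hits, section = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].lower()
        elif section == "boot" and "=" in s:
            key, _, val = s.partition("=")
            if key.strip().lower() == "shell" and val.strip().lower() != "explorer.exe":
                hits.append(s)
    return hits
```

On a live machine the same functions can be fed the real hosts file, exported Run/Winlogon values and SYSTEM.INI contents; the stock ctfmon entry in the sample shows that an ordinary Run value is not flagged.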