The newest MSN Worm

Last Updated on: October 10, 2004 20:00:00

Antiy Cert discovered a new worm named Worm.MSN.funny on October 9th, 2004.

Name: Worm.MSN.funny.exe
Size: 56,320 bytes
Compressed by: ASPack 2.12
Dump size: 312,832 bytes
Code: Visual Basic

Technical details

When executed, Worm.MSN.funny performs the following actions:
1. When executed, it copies itself to the %windows% folder as rundll32.exe, copies itself to the %system32% folder as explorer.exe, and copies itself to the %system32% folder as rundll32.exe, then executes them. It releases a bsfirst2.log file.
    In the process list, the following may be the worm:
    funny.exe
    %windows%%system32%\explorer.exe
    %windows%%system32%\IEXPLORE.EXE
    %windows%\rundll32.exe
    The processes explorer.exe, IEXPLORE.EXE and rundll32.exe lock each other. If any of them is killed, it restarts immediately. Because it looks like a system file, it will bewilder you.

2. Modifies the %system32%\drivers\etc\hosts file and makes most sites point to 222.89.98.219.
    The websites in the modified hosts file (total 937) include:

222.89.98.219 www.wo365.com
222.89.98.219 cmfu.com
222.89.98.219 www.cmfu.com
222.89.98.219 9i0.com
222.89.98.219 www.9flash.com
222.89.98.219 9flash.com
222.89.98.219 www.nowok.net
222.89.98.219 nowok.net
222.89.98.219 wisa.com.cn
222.89.98.219 www.sia.com.cn
222.89.98.219 www.wisa.cn
222.89.98.219 wisa.cn

3. Now the site 222.89.98.219 has been DoSed by the worm. When you visit the site, it shows the following:
    Connection to server 222.89.98.219 failed (The server is not responding.)
    The site could be visited at 3:00 pm, but could not be visited at 7:00 pm. This means that the worm spreads very fast.

4. Modifies the %system32%\wbem\Logs\wbemprox.log file.
5. The worm contains some Chinese-language messages to trick MSN friends into clicking the following URL:
    一家新开的酒吧,晚上聚聚,这里有介绍%url%,记得给我电话 (A newly opened bar, let's get together tonight, there is an introduction here %url%, remember to call me)
    朋友,多注意休息啊,可以到这里放松放松哦,%url% (Friend, take care to rest more, you can come here to relax, %url%)
    我们也来俗一把如何,看MM去,%url%,够味!呵呵! (How about we go lowbrow for once, let's go look at pretty girls, %url%, hot stuff! Hehe!)
    日本人在南京大屠杀的铁证!坚决抵制日货 %url% (Ironclad proof of the Japanese Nanjing Massacre! Firmly boycott Japanese goods %url%)
    对中国威胁最大的十个国家!列表 %url% (The ten countries that threaten China the most! List %url%)
    我见过最漂亮的视频MM(不看可别后悔),%url% (The prettiest video girl I have ever seen (don't regret not watching), %url%)
    《中国农民调查》页页血泪,惊动中央 转自网易,%url% ("Survey of Chinese Peasants", every page blood and tears, it alarmed the central government; reposted from NetEase, %url%)

6. The worm will transmit itself to other MSN friends via MSN or QQ and send spurious information.
7. Adds the following registry key so that the worm runs when the computer starts:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "MMSystem" = %windows%\rundll32.exe "%windows%%system32%\mmsystem.dll",RunDll32
    It sets a timer to monitor the key; if the key does not exist, it will create it twice in the registry.

8. The worm will check whether %windows%\iSpeed.exe exists. When it starts, it will check whether the files c:\killme.cmd and c:\stop.cmd exist.
    These may be the worm author's test script code. We found the following script:
    1.bat:
    :START
    del
    if exist
    GOGO START

9. Other information about it:
    The worm author set the version as 3.00.0023 and named it bsVirus.
    Because of a bug in the program, it may pop up some dialog boxes when running on some computers.

10. About the worm author:
    It modifies the hosts file so that most sites point to 222.89.98.219. Maybe the author wants to DoS the site by this means.
    Judging from the many Chinese-site strings in the worm, we conclude the author is from China.

11. Recommendations:

    1. Kill the processes:
       %windows%\rundll32.exe
       %system32%\IEXPLORE.EXE
       %system32%\explorer.exe
       %system32%\userinit32.exe

    2. Delete the bsfirst2.log file.
       Recover the %system32%\drivers\etc\hosts file and the %system32%\wbem\Logs\wbemprox.log file.

    3. Delete the values from the registry.
       We strongly recommend that you back up the registry before making any changes to it.
       Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only.
       Open the registry editor.
       Navigate to the following key:
       HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
       In the right pane, delete the following value:
       "MMSystem" = %windows%\rundll32.exe
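
A small check for two of the indicators described in the post (the hosts-file redirect to 222.89.98.219 and the MMSystem Run value), added here as an example; it is not part of the original post nor Antiy's tooling. The sample hosts content is constructed, and the value pattern is an assumption that accepts straight or curly quotes and any path prefix around mmsystem.dll.

```python
import re
from typing import List, Tuple

# Sinkhole address the worm writes into the hosts file (from the post).
WORM_REDIRECT_IP = "222.89.98.219"

# Persistence value described in the post:
#   Run "MMSystem" = %windows%\rundll32.exe "%windows%%system32%\mmsystem.dll",RunDll32
# Assumed pattern: straight or curly quotes, any path prefix before mmsystem.dll.
RUN_VALUE_NAME = "MMSystem"
RUN_VALUE_RE = re.compile(
    r'rundll32\.exe\s+["“]?[^"“”]*mmsystem\.dll["”]?\s*,\s*RunDll32\s*$',
    re.IGNORECASE,
)


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        ip, *names = line.split()  # one IP may carry several names
        entries.extend((ip, name.lower()) for name in names)
    return entries


def hijacked_hosts(text: str, sink_ip: str = WORM_REDIRECT_IP) -> List[str]:
    """Hostnames that the hosts file redirects to the worm's sink address."""
    return [name for ip, name in parse_hosts(text) if ip == sink_ip]


def is_worm_run_value(name: str, data: str) -> bool:
    """True if a Run-key value looks like the worm's MMSystem autorun entry."""
    return name.lower() == RUN_VALUE_NAME.lower() and bool(RUN_VALUE_RE.search(data))


# Constructed sample hosts file in the shape the post shows (not a real capture).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
222.89.98.219 www.wo365.com
222.89.98.219 cmfu.com www.cmfu.com
222.89.98.219 9i0.com   # appended by the worm
"""

if __name__ == "__main__":
    for host in hijacked_hosts(SAMPLE_HOSTS):
        print("hijacked:", host)
```

On a live machine, feed the real %system32%\drivers\etc\hosts content and the data of each value under the Run key into these functions; every hostname returned is one to restore, and a matching value is the persistence entry to delete.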

Hi Jane,

Thanks for the info, but I have removed all advertising info from your post (see the Forum Policy in the menu above).

regards,
Pavel