Solved

funny.exe virus through msn messenger. Any idea wat's the virus?

Posted on 2004-10-12
Last Modified: 2010-04-11
Hi all,

It's been quite frustrating, especially at the lack of information on Google for the virus, which I was infected by after opening a file, funny.exe, sent to me via MSN Messenger. The worst thing is that you know the information is out there, since there are plenty of hits from Chinese sites that concern this virus, but I can't seem to find any English sites that provide the info.

The file is "funny.exe" and Norton AV does NOT detect any virus, even after updating definitions. After I was infected, it tried to spread by sending the file to all my contacts in MSN Messenger.

I believe the name "threedegrees" is involved, since MSN Messenger refuses to close and states that it is being used by IE, Outlook etc. However, this time, threedegrees is added to the list. It seems like a taunt from the virus...

I would greatly appreciate any info on what the virus is and removal instructions, since Norton AV with updated definitions cannot even detect anything.

/HongChia

Question by:HongChia_tan
6 Comments
 
Accepted Solution by: kitisak (LVL 2, earned 125 total points)
ID: 12287745
Norton alerts on it as the virus W32.Funner (http://securityresponse.symantec.com/avcenter/venc/data/w32.funner.html)


Removal Instructions
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

Important: On computers running Norton AntiVirus 2005 or later, the QuickScan tool will automatically search for and remove malicious threats when new virus definitions are downloaded. While every effort has been made to ensure that the QuickScan tool removes all the traces of a malicious threat from an infected computer, we advise that you confirm that all the files and registry entries have been removed. We recommend following the manual removal steps and deleting any threat-related files or registry entries remaining on the computer.


1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Restart the computer in Safe mode or VGA mode.
4. Run a full system scan and delete all the files detected as W32.Funner.
5. Reverse the changes made to the registry.
6. Reverse the changes made to the System.ini file.
7. Remove entries from the Hosts file.
 
Expert Comment by: kitisak (LVL 2)
ID: 12287857
Or you could try scanning for the virus with Trend Micro's Sysclean in safe mode.
You can download Sysclean from http://www.trendmicro.com/ftp/products/tsc/sysclean.com, and you have to use it with a pattern file from http://www.trendmicro.com/download/pattern.asp (lptxxx.zip; xxx is a number).

---------------------------------------------------
Or MANUAL REMOVAL INSTRUCTIONS

Restarting in Safe Mode

» On Windows 98 and ME
1. Restart your computer.
2. Press the CTRL key until the startup menu appears.
3. Choose the Safe Mode option then press Enter.

» On Windows 2000
1. Restart your computer.
2. Press the F8 key, when you see the Starting Windows bar at the bottom of the screen.
3. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

» On Windows XP
1. Restart your computer.
2. Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
3. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing at startup.

» On Windows 98 and ME
1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry:
MMSystem = "%Windows%\rundll32.exe "%System%\mmsystem.dll", RunDll32"
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.)
(Note: %Windows% is the default Windows folder, usually C:\Windows or C:\WINNT.)
4. In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
5. In the right panel, locate and delete the entry:
MMSystem = "%Windows%\rundll32.exe "%System%\mmsystem.dll", RunDll32"
6. Close Registry Editor.

» On Windows XP and 2000
1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows NT>CurrentVersion>Winlogon
3. In the right panel, locate the entry:
Userinit = "userinit32.exe"
4. Replace this entry with the following default value:
Userinit = "userinit.exe"
5. Close Registry Editor.
6. Restart your system (again) in safe mode.
7. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
8. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
9. In the right panel, locate and delete the entry:
MMSystem = "%Windows%\rundll32.exe "%System%\mmsystem.dll", RunDll32"
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.)
(Note: %Windows% is the default Windows folder, usually C:\Windows or C:\WINNT.)
10. In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
11. In the right panel, locate and delete the entry:
MMSystem = "%Windows%\rundll32.exe "%System%\mmsystem.dll", RunDll32"
12. Close Registry Editor.
Removing Autostart Entries from System Files

Malware sometimes modifies system files so that it automatically executes at Windows startup. These autostart entries must be removed before an affected system can be restarted safely.

» On Windows 98 and ME
1. Open the SYSTEM.INI file. Click Start>Run. In the Open input box, type SYSTEM.INI, then press Enter. This should open the file in your default text editor (usually Notepad).
Under the [boot] section, locate the line:
Shell = %System%\explorer.exe
2. Replace this line with the following:
Shell = explorer.exe
3. Close the SYSTEM.INI file and click Yes when prompted to save.
4. Restart by pressing the reset button.
5. Boot using a boot disk, then replace the file RUNDLL32.EXE (malware copy) with a clean RUNDLL32.EXE.

Clearing the HOSTS File
1. Locate the HOSTS file.
2. Right-click Start then click Search… or Find…, depending on the version of Windows you are running.
3. In the Named input box, type:
HOSTS
4. In the Look In drop-down list, select the drive that contains Windows, then press Enter.
5. Using Notepad, edit the HOSTS file.
6. Remove the lines added by the malware.
7. Save the HOSTS file and close Notepad.


Reference : http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_FUNNER.A
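An offline audit of the persistence points the removal steps above walk through (the MMSystem Run entry, the Winlogon Userinit swap, the system.ini Shell line and extra HOSTS lines), added here as example code; it is not from the thread, Symantec or Trend Micro. The inputs are constructed samples, and the HOSTS check is a heuristic because the post does not list the lines the worm adds.

```python
import ntpath

# Constructed samples modelled on the indicators in the removal steps above;
# not artefacts captured from an infected machine.
REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MMSystem"="C:\\Windows\\rundll32.exe \"C:\\Windows\\System32\\mmsystem.dll\", RunDll32"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="userinit32.exe"
'''
SYSTEM_INI = "[boot]\nShell = C:\\Windows\\System\\explorer.exe\n"
HOSTS = "127.0.0.1 localhost\n127.0.0.1 www.example.com  # constructed extra line\n"

def audit_registry(reg_text):
    """Flag the MMSystem Run entry and a non-default Winlogon Userinit in a .reg export."""
    findings, key = [], ""
    for s in (ln.strip() for ln in reg_text.splitlines()):
        if s.startswith("[") and s.endswith("]"):
            key = s[1:-1]
        elif s.startswith('"') and '"="' in s:
            name, _, value = s[1:].partition('"="')
            value = value.rstrip('"')
            if key.endswith("\\Run") and name == "MMSystem" and "mmsystem.dll" in value.lower():
                findings.append(f"{key}\\{name}: rundll32 autostart of mmsystem.dll")
            # Real installs carry a full path and trailing comma, so compare the basename.
            elif key.endswith("\\Winlogon") and name == "Userinit" and \
                    ntpath.basename(value.rstrip(",")).lower() != "userinit.exe":
                findings.append(f"{key}\\Userinit: {value!r} (expected userinit.exe)")
    return findings

def audit_system_ini(ini_text):
    """Flag a [boot] Shell= line that is not the plain 'explorer.exe' default."""
    in_boot = False
    for s in (ln.strip() for ln in ini_text.splitlines()):
        if s.startswith("["):
            in_boot = s.lower() == "[boot]"
        elif in_boot and s.lower().startswith("shell"):
            value = s.partition("=")[2].strip()
            if value.lower() != "explorer.exe":
                return [f"system.ini [boot] Shell={value} (expected explorer.exe)"]
    return []

def audit_hosts(hosts_text):
    """Flag HOSTS lines that point a name other than localhost at 127.0.0.1."""
    findings = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        names = [n for n in fields[1:] if n.lower() != "localhost"]
        if fields and fields[0] == "127.0.0.1" and names:
            findings.append(f"HOSTS redirects {' '.join(names)} to 127.0.0.1")
    return findings
```

Feed it the text of a `regedit` export, SYSTEM.INI and the HOSTS file copied off the affected machine; each function returns the entries that still need the manual steps above.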
 
Author Comment by: HongChia_tan (LVL 1)
ID: 12288028
Thanks for your comprehensive response.

I wonder why Norton 03 AV with updated definitions doesn't detect the virus, even when directly scanning the funny.exe. Any ideas there? I'm going to try using another virus site/product to do a scan. It's going to be a long night.

/Hc
 
Expert Comment by: kitisak (LVL 2)
ID: 12288089
I think it was just discovered a few minutes ago.
Now try to update and scan again.
 
Expert Comment by: Hypoviax (LVL 5)
ID: 12304668
Viruses can adapt (polymorphism), and unless Norton has detected that particular type, it will pass undetected. Polymorphism involves changing the structure of the virus's internal code, or it may involve altering the encryption algorithm. Since most modern antivirus software uses signatures, a change in the virus's encryption may fool them.

Regards,

Hypoviax
 
Author Comment by: HongChia_tan (LVL 1)
ID: 12304831
All right! After updating my definitions today, Norton has finally detected W32.Funner. I'm on my way to doing a full system scan. I guess Symantec didn't put the Funner definitions out that quickly.

Thanks to Kitisak and Hypoviax for your help!

Regards,

Hong Chia