Last Updated on: October 10, 2004 20:00:00
Antiy CERT discovered a new worm named Worm.MSN.funny on October 9th, 2004.

Name: Worm.MSN.funny.exe
Size: 56,320 bytes
Compressed by: ASPack 2.12
Dump size: 312,832 bytes
Code: Visual Basic

Technical details

When executed, Worm.MSN.funny performs the following actions:

1. Copies itself to the %windows% folder as rundll32.exe, copies itself to the %system32% folder as explorer.exe, copies itself to the %system32% folder as rundll32.exe, and then executes the copies. It also drops a bsfirst2.log file. In the process list, the following may be the worm:

   <path to Trojan>funny.exe
   %windows%\%system32%\explorer.exe
   %windows%\%system32%\IEXPLORE.EXE
   %windows%\rundll32.exe

   The processes explorer.exe, IEXPLORE.EXE and rundll32.exe guard each other: if any one of them is killed, it is restarted immediately. Because they look like system files, they are easy to mistake for legitimate processes.

2. Modifies the %system32%\drivers\etc\hosts file so that most sites point to 222.89.98.219. The websites in the modified hosts file (937 in total):

   222.89.98.219 www.wo365.com
   222.89.98.219 cmfu.com
   222.89.98.219 www.cmfu.com
   222.89.98.219 9i0.com
   222.89.98.219 www.9flash.com
   222.89.98.219 9flash.com
   222.89.98.219 www.nowok.net
   222.89.98.219 nowok.net
   222.89.98.219 wisa.com.cn
   222.89.98.219 www.sia.com.cn
   222.89.98.219 www.wisa.cn
   222.89.98.219 wisa.cn
   ...........

3. The site 222.89.98.219 is now being DoSed by the worm. When you visit the site, it shows the following:

   Connection to server 222.89.98.219 failed (The server is not responding.)

   The site could be visited at 3:00 pm but could not be visited at 7:00 pm. This means that the worm spreads very fast.

4. Modifies the %system32%\wbem\Logs\wbemprox.log file.

5. The worm contains Chinese-language messages to trick MSN contacts into clicking the following URL:

   一家新开的酒吧,晚上聚聚,这里有介绍%url%,记得给我电话
   (A newly opened bar, let's get together tonight, there is an introduction here %url%, remember to call me)
   朋友,多注意休息啊,可以到这里放松放松哦,%url%
   (Friend, make sure you get some rest, you can relax here, %url%)
   我们也来俗一把如何,看MM去,%url%,够味!呵呵!
   (How about we be a bit vulgar for once, let's go look at girls, %url%, tasty! Hehe!)
   日本人在南京大屠杀的铁证!坚决抵制日货 %url%
   (Hard evidence of the Japanese Nanjing Massacre! Resolutely boycott Japanese goods %url%)
   对中国威胁最大的十个国家!列表 %url%
   (The ten countries that threaten China the most! List %url%)
   我见过最漂亮的视频MM(不看可别后悔),%url%
   (The most beautiful webcam girl I have ever seen (don't regret not looking), %url%)
   《中国农民调查》页页血泪,惊动中央 转自网易,%url%
   ("Survey of Chinese Peasants": every page is blood and tears, it alarmed the central government. Reposted from NetEase, %url%)

6. The worm transmits itself to other contacts via MSN or QQ and sends the spurious messages above.

7. Adds the following registry value so that the worm runs when the computer starts:

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"MMSystem" = %windows%\rundll32.exe "%windows%\%system32%\mmsystem.dll",RunDll32

   It sets a timer to monitor the key; if the value does not exist, it is created again in the registry.

8. The worm checks whether %windows%\iSpeed.exe exists. When it starts, it also checks whether the files c:\killme.cmd and c:\stop.cmd exist. These may be the worm author's test scripts. We found the following script:

   1.bat:
   :START
   del
   if exist GOGO START

9. Other information. The worm author set the version to 3.00.0023 and named it bsVirus. Because of bugs in the program, it may pop up some dialog boxes when running on some computers.

10. About the worm author. It modifies the hosts file so that most sites point to 222.89.98.219; the author may intend to DoS that site by this means. Given that most of the site names in the worm are Chinese, we conclude that the author is from China.

11. Recommendations:

   1. Kill the processes:
      %windows%\rundll32.exe
      %system32%\IEXPLORE.EXE
      %system32%\explorer.exe
      %system32%\userinit32.exe
   2. Delete the bsfirst2.log file. Restore the %system32%\drivers\etc\hosts file and the %system32%\wbem\Logs\wbemprox.log file.
   3. Delete the values from the registry. We strongly recommend that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only.
      Open the registry and navigate to the following key:
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      In the right pane, delete the following value:
      "MMSystem" = %windows%\rundll32.exe

Others: We have updated Antiy Ghostbusters 4, which can clean it safely. Antiy Ghostbusters Professional Edition (AGB) is a powerful information-security utility. It consists of an anti-hacker utility and an information-security configuration toolkit. Based on AGB Standard Edition, Professional Edition is enhanced by the monitor, which acts as a mini firewall. The program can detect and kill more than 30,000 viruses, such as Trojan horses, back doors, and worms, which may hide in your system like ghosts and do harm to your computer. Many excellent tools in Professional Edition can help you manage your information-security configuration. You can fix the Internet Explorer settings and manage the tasks and processes. Network-connection status shows the status of remote and local ports and IP addresses. The monitor watches system and network activities, and detects and blocks active ghost programs.

We will keep watching the development of the worm.

Numan team of [Deleted by Mod Webnauts]
Web Site: [Email deleted by Mod Webnauts]
Support Mail: ghostbusters@antiy.net
Download Update: [Link deleted by Mod Webnauts]
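The hosts-file hijack in item 2 (hundreds of hostnames mapped to one public IP) is the kind of change a responder can detect and undo mechanically rather than by eyeballing 937 lines. The following script is an added example, not code from the Antiy advisory or the forum post: it parses a hosts file, groups hostnames by target IP, flags any non-loopback, non-private IP that has an unusually large number of names mapped to it, and writes back a copy with those lines removed. The sample hosts text, the threshold of 3 and the function names are assumptions chosen for the example; the entries it contains are the ones quoted in the advisory.

```python
import sys
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample hosts file (an assumption for this example): two
# legitimate entries plus a few of the lines quoted in the advisory.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    fileserver   # local share
222.89.98.219 www.wo365.com
222.89.98.219 cmfu.com
222.89.98.219 www.cmfu.com
222.89.98.219 9i0.com
222.89.98.219 www.9flash.com
222.89.98.219 9flash.com
"""


def parse_hosts(text):
    """Yield (ip, [hostnames], raw_line) for every mapping line.

    Comments (everything after '#') and blank lines are skipped, and any
    line whose first field is not a valid IP address is ignored.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ip_address(parts[0])
        except ValueError:
            continue
        yield str(ip), parts[1:], raw


def suspicious_targets(text, threshold=3):
    """Return {ip: sorted hostnames} for public IPs with >= threshold names.

    Loopback, private and unspecified addresses are ignored because a
    legitimate hosts file often maps many local names to them; a public
    address collecting many names is the hijack pattern described above.
    """
    by_ip = defaultdict(set)
    for ip, names, _ in parse_hosts(text):
        addr = ip_address(ip)
        if addr.is_loopback or addr.is_private or addr.is_unspecified:
            continue
        by_ip[ip].update(names)
    return {ip: sorted(names) for ip, names in by_ip.items()
            if len(names) >= threshold}


def clean_hosts(text, bad_ips):
    """Return the hosts text with every mapping line to an IP in bad_ips removed.

    Comment and blank lines are preserved so the rest of the file is untouched.
    """
    kept = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if parts and parts[0] in bad_ips:
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


def main(argv):
    # Usage: python hosts_check.py [path-to-hosts]; with no path the
    # constructed sample is analysed instead of a real file.
    text = open(argv[1], encoding="utf-8", errors="replace").read() if len(argv) > 1 else SAMPLE_HOSTS
    targets = suspicious_targets(text)
    for ip, names in targets.items():
        print(f"{ip}: {len(names)} hostnames redirected, e.g. {', '.join(names[:3])}")
    if targets:
        print("---- cleaned copy ----")
        print(clean_hosts(text, set(targets)), end="")


if __name__ == "__main__":
    main(sys.argv)
```

On a Windows host the file to pass is %SystemRoot%\system32\drivers\etc\hosts; review the flagged lines before overwriting, since a deliberately sinkholed ad domain list would trip the same threshold.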