F-Secure
Tools
Funny
| I-WORM.Funny, VBS/Funny |
Summary
Funny worm spreads in a similar way as LoveLetter. All three known variants of this worm drop, run and delete a binary file Startx.exe that is a password stealing trojan detected by F-Secure Anti-Virus as 'Trojan.PSW.Hooker.24.e'. This trojan is run if the virus found a UBS banking software installed on the victim's machine. Otherwise it replicates as a worm.Additional Details
| VARIANT: | Funny.A |
This variant sends e-mail to all recipients in Outlook address book with:
Subject: Funny story
Attachment: FUNNY_STORY.HTM.vbs
In addition, it tries to connect to a web location.
| VARIANT: | Funny.B |
Subject: When did you die?
Attachment: LIFE_ASSURANCE.HTM.vbs
| VARIANT: | Funny.C |
Subject: Rechnungsabschrift
Attachment: RECHNUNGSABSCHRIFT.DOC.vbs
This variant does not try to connect to the web. It creates a text file RECHNUNGSABSCHRIFT.DOC and open it with Write.exe. The text file contains the following information:
INVOICE
Date: September 18, 2000
From: Katrin Heinze
19, chemin des Aulx
CH-1228
Plan-les-Ouates,
Geneva
Switzerland
To: Myron Schmidt"
Ch. des Boveresses 151
CH-1066 Epalingess/Lausanne
Switzerland
Item Description
Item Description Cost
1 August Voice Mail Charges CHF 35.00
1 Internet - Reserve Domain Name (2 years) CHF 250.00
1 Internet - Set Up Fee CHF 110.00
1 Internet - Creation Fee CHF 250.00
1 Internet - Submit to 540 Search Engines CHF 50.00
1 Internet 6 Months of Hosting CHF 200.00
Total CHF 895.00
[Analysis: Katrin Tocheva, F-Secure, September 2000]