F-Secure Virus Descriptions : Funny
Funny worm spreads in a similar way as LoveLetter. All three
known variants of this worm drop, run and delete a binary file
Startx.exe that is a password stealing trojan detected by
F-Secure Anti-Virus as 'Trojan.PSW.Hooker.24.e'. This trojan is
run if the virus found a UBS banking software installed on the
victim's machine. Otherwise it replicates as a worm.
This variant sends e-mail to all recipients in Outlook address
book with:
Subject: Funny story
Attachment: FUNNY_STORY.HTM.vbs
In addition, it tries to connect to a web location.
This variant is similar with Funny.A, but it sends messages with
the following:
Subject: When did you die?
Attachment: LIFE_ASSURANCE.HTM.vbs
Funny.C spreads in messages with:
Subject: Rechnungsabschrift
Attachment: RECHNUNGSABSCHRIFT.DOC.vbs
This variant does not try to connect to the web. It creates a text
file RECHNUNGSABSCHRIFT.DOC and open it with Write.exe. The text
file contains the following information:
INVOICE
Date: September 18, 2000
From: Katrin Heinze
19, chemin des Aulx
CH-1228
Plan-les-Ouates,
Geneva
Switzerland
To: Myron Schmidt"
Ch. des Boveresses 151
CH-1066 Epalingess/Lausanne
Switzerland
Item Description
Item Description Cost
1 August Voice Mail Charges CHF 35.00
1 Internet - Reserve Domain Name (2 years) CHF 250.00
1 Internet - Set Up Fee CHF 110.00
1 Internet - Creation Fee CHF 250.00
1 Internet - Submit to 540 Search Engines CHF 50.00
1 Internet 6 Months of Hosting CHF 200.00
Total CHF 895.00
[Analysis: Katrin Tocheva, F-Secure, September 2000]
|
![](/images/pixel.gif"){kind=tracking}
