Threat Description

Funny

Details

Aliases:Funny, I-WORM.Funny, VBS/Funny
Category:Malware
Type:Worm
Platform:VBS

Summary



Funny worm spreads in a similar way as LoveLetter. All three known variants of this worm drop, run and delete a binary file Startx.exe that is a password stealing trojan detected by F-Secure Anti-Virus as 'Trojan.PSW.Hooker.24.e'. This trojan is run if the virus found a UBS banking software installed on the victim's machine. Otherwise it replicates as a worm.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You also may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details




Variant:Funny.A

This variant sends e-mail to all recipients in Outlook address book with:

Subject: Funny story
  Attachment: FUNNY_STORY.HTM.vbs

In addition, it tries to connect to a web location.


Variant:Funny.B

This variant is similar with Funny.A, but it sends messages with the following:

Subject: When did you die?
  Attachment: LIFE_ASSURANCE.HTM.vbs

Variant:Funny.C

Funny.C spreads in messages with:

Subject: Rechnungsabschrift
  Attachment: RECHNUNGSABSCHRIFT.DOC.vbs

This variant does not try to connect to the web. It creates a text file RECHNUNGSABSCHRIFT.DOC and open it with Write.exe. The text file contains the following information:

  INVOICE
 Date:  September 18, 2000
 From:  Katrin Heinze
 19, chemin des Aulx
 CH-1228
 Plan-les-Ouates,
 Geneva
 Switzerland
 To:Myron Schmidt"
 Ch. des Boveresses 151
 CH-1066 Epalingess/Lausanne
 Switzerland
 Item Description
 Item Description Cost

  1August Voice Mail ChargesCHF  35.00
 1Internet - Reserve Domain Name (2 years)CHF  250.00
 1Internet - Set Up Fee CHF  110.00
 1Internet - Creation Fee  CHF  250.00
 1Internet - Submit to 540 Search Engines CHF  50.00
 1Internet 6 Months of HostingCHF  200.00
 TotalCHF 895.00




Technical Details: Katrin Tocheva, F-Secure, September 2000


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More