Funner is a MSN worm that spreads by sending itself to the contacts listed in Microsoft's Windows Messenger.
Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.
Find the latest advice in our Community Knowledge Base.
See the manual for your F-Secure product on the Help Center.
Submit a file or URL for further analysis.
When executed, Funner will copy itself to the WINDOWS directory under the name rundll32.dll and alter registry entries to ensure the worm is started. It will also copy itself under WINDOWS SYSTEM directory as
explorer.exe IEXPLORE.EXE userinit32.exe
The following registry keys are altered to ensure the worm runs upon next reboot
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "MMSystem" "c:\winnt\rundll32.exe "c:\winnt\system32\mmsystem.dll"", RunDll32" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "MMSystem" "c:\winnt\rundll32.exe "c:\winnt\system32\mmsystem.dll"", RunDll32" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Userinit" "C:\WINNT\system32\userinit32.exe,"
Funner also overwrites the local hosts file with a file containing various URLs.
NOTE! There is Windows system DLL named rundll32.dll under WINDOWS SYSTEM directory. This DLL is part of Microsoft Windows operating system.