jr_cardoso

Problems with Messenger


W32.Funner is a worm that spreads using Microsoft's Windows Messenger instant message program and modifies the hosts file.

The worm MSN-Worm.Funner sends IM messages with URL links of the following form:

http://www.78p.com/

When W32.Funner is executed, it performs the following actions:

Copies itself as:

%System%\IEXPLORE.EXE

%System%\EXPLORE.EXE

%Windir%\rundll32.exe

%System%\userinit32.exe

c:\funny.exe

and executes the first three files listed.

Notes:

The three files make sure that the other two are running and will restart them if any are stopped.

These files require the MSVBVM60.DLL file, which is a component of the Microsoft Visual Basic run-time environment.

%System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Creates a log file named %System%\bsfirst2.log.

Adds the value:

"Userinit"="userinit32.exe,"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

so that the userinit32.exe runs when you start Windows.

Adds the value:

"MMSystem"="%Windir%\rundll32.exe "%System%\mmsystem.dll"", RunDll32"

to some of the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

so that the rundll32.exe runs when you start Windows.

May add the line:

Shell = %System%\explorer.exe

to the [boot] section of the SYSTEM.INI file.

Attempts to send c:\funny.exe to contacts in the Windows Messenger instant message program.

May contact the www.78p.com domain and download various components.

Adds the following entries to the Hosts file to point to an external IP address:

222.89.98.219 www.wo365.com

222.89.98.219 cmfu.com

222.89.98.219 www.cmfu.com

222.89.98.219 9i0.com

222.89.98.219 www.9flash.com

222.89.98.219 9flash.com

222.89.98.219 www.nowok.net

The following links provide more details on this worm:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_FUNNER.A

http://securityresponse.symantec.com/avcenter/venc/data/w32.funner.html

Be careful...

B)
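Added example, not part of the original post: a Python check that compares a hosts file and exported registry values against the indicators listed in the post above. The function names and the sample data are constructed for illustration, and the registry input is assumed to be a mapping built from an export.

```python
import re

# Indicators copied from the post above.
FUNNER_IP = "222.89.98.219"
FUNNER_NAMES = {"www.wo365.com", "cmfu.com", "www.cmfu.com", "9i0.com",
                "www.9flash.com", "9flash.com", "www.nowok.net"}

def scan_hosts(text):
    """Return (line_no, ip, name) for entries using the listed IP or names."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()  # strip comment, split columns
        if len(fields) < 2:
            continue
        ip = fields[0]
        for name in (f.lower().rstrip(".") for f in fields[1:]):
            if ip == FUNNER_IP or name in FUNNER_NAMES:
                hits.append((no, ip, name))
    return hits

def scan_registry(values):
    """values maps (key_path, value_name) -> data, e.g. from a registry export."""
    hits = []
    for (key, name), data in values.items():
        k, n, d = key.lower(), name.lower(), data.lower()
        if k.endswith("\\winlogon") and n == "userinit" and "userinit32.exe" in d:
            hits.append((key, name, "Userinit references userinit32.exe"))
        if re.search(r"\\currentversion\\run(once)?$", k) and n == "mmsystem":
            hits.append((key, name, "MMSystem autorun value"))
    return hits

# Constructed sample input, not taken from a real machine.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
222.89.98.219 www.wo365.com
222.89.98.219   CMFU.com www.cmfu.com   # two names on one line
10.0.0.5 intranet.example
"""
SAMPLE_REG = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "Userinit"): "userinit32.exe,",
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "MMSystem"): r'C:\Windows\rundll32.exe "C:\Windows\System32\mmsystem.dll", RunDll32',
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "ctfmon"): "ctfmon.exe",
}

if __name__ == "__main__":
    for hit in scan_hosts(SAMPLE_HOSTS) + scan_registry(SAMPLE_REG):
        print(hit)
```

A hosts entry is flagged when it uses either the listed IP address or one of the listed names, so a redirect of those names to a different address is still reported.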


That Symantec link doesn't lead anywhere.

But I haven't been able to connect since 6 pm!!!

I've already run AdAware and SpyBot, which found nothing.

I'm downloading the new definitions to see if that fixes this bug :eek:

Luke > :luke: <


Besides that, I also ran Stinger to see if I had any trojans, but I'm completely clean... it's a general network problem.
