News Items

Jul 11, 2005 02:16PM

"Funneh" Worm:

Ok, I infected a virtual Windows install with this worm on purpose, to try and see if I could remove it. Here's what happened:

  1. I run the virus
  2. Virus removes Funneh.exe and creates "expiorer.exe" which it then launches, after screwing around with various IE settings related to the location of history and temporary internet files, etc.
  3. "Expiorer.exe" is set to run at startup as "Microsoft Admin Protocal" - this is removed by AIMFix and has been for a long time.
  4. Spyware starts appearing on the machine in record time - 180Solutions, PowerScan, ShopAtHome, IST Service Toolbar, Sidebar, etc.
  5. Internet Explorer starts opening window after window on its own, to various malicious (including a few pages at fightbac.com) websites where more crap is downloaded
  6. I close down AIM and restart it to see what happens
  7. AIM launches, but doesn't appear for several minutes, instead IE starts opening more windows and more spyware installers/downloaders are launched in the background. It appears that AIM is waiting for them to finish before it starts itself.
  8. No messages are sent to anyone on my buddy list at any point during this experiment
  9. I close all the spyware and junk programs in task manager, then run AIMFix to remove expiorer.exe
  10. AIMFix completes without error, removing "expiorer.exe" and registry keys.
  11. Restarted the machine
  12. Several chunks of spyware are still installed, and the downloaders are running at startup again. I close the downloaders and spyware with task manager, remove all the items with HijackThis, and verify that all is now clean
  13. Restart AIM to see what happens. No IMs are sent from my screen name, no virus appears, and no strange processes are launched.

In short, I can find nothing in this virus that isn't able to be removed by AIMFix and by following the spyware removal steps as outlined. I have absolutely no idea why people are being reinfected by this over and over, or why people with clean HijackThis logs are still showing symptoms. The only conclusions I can draw are that whatever virus I am downloading from http://fightbac.com/files/Funneh.exe, it is not the same as what other people are experiencing, because I was able to remove it by following the usual methods and using AIMFix.

-Jay
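The write-up above gives two concrete startup indicators for this worm: a Run value named "Microsoft Admin Protocal" and a file called "expiorer.exe", a one-letter lookalike of explorer.exe. The following is an added example, not AIMFix code or anything from the original post, showing how a defender could scan HijackThis "O4" startup lines for those indicators and, more generally, for any startup executable whose name is one character away from a well-known Windows system binary. The sample log lines are constructed, the HijackThis O4 line format is assumed to be `O4 - HKLM\..\Run: [Name] command`, and the list of imitated system binaries is an assumption rather than anything the post states.

```python
import os
import re

# Constructed sample HijackThis "O4" lines (not a real log). The second entry
# reproduces the startup item described in the infection write-up above.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\Run: [Microsoft Admin Protocal] C:\\WINDOWS\\expiorer.exe
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
"""

# Indicators taken from the write-up: the Run value name and the file the worm installs.
KNOWN_BAD_NAMES = {"microsoft admin protocal"}
KNOWN_BAD_FILES = {"expiorer.exe"}

# Legitimate Windows binaries that malware commonly imitates (assumed list, not from the post).
SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "services.exe", "ctfmon.exe"}

# Matches the Run-key form of an O4 line: "O4 - HKLM\..\Run: [Name] command"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def parse_o4(line):
    """Return {'hive', 'name', 'cmd', 'file'} for a Run-key O4 line, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd").strip()
    # The executable is either a quoted path or the first whitespace-delimited token.
    exe = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split()[0]
    # Normalise backslashes so basename() works on any host OS.
    return {"hive": m.group("hive"), "name": m.group("name"), "cmd": cmd,
            "file": os.path.basename(exe.replace("\\", "/")).lower()}


def edit_distance(a, b):
    """Levenshtein distance via a small DP table (inputs are short file names)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename):
    """Return the system binary this name imitates (distance exactly 1), else None."""
    for legit in sorted(SYSTEM_BINARIES):
        if filename != legit and edit_distance(filename, legit) == 1:
            return legit
    return None


def classify(entry):
    """List the reasons a parsed O4 entry is suspicious (empty list means clean)."""
    reasons = []
    if entry["name"].lower() in KNOWN_BAD_NAMES:
        reasons.append("known worm Run value name")
    if entry["file"] in KNOWN_BAD_FILES:
        reasons.append("known worm file name")
    legit = lookalike_of(entry["file"])
    if legit:
        reasons.append(f"file name imitates {legit}")
    return reasons


def scan(log_text):
    """Return [(line, reasons)] for every O4 Run entry that trips an indicator."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry:
            reasons = classify(entry)
            if reasons:
                flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG):
        print(line, "->", "; ".join(reasons))
```

The exact-match indicators catch this particular worm; the lookalike check is what catches the next variant that renames the dropped file but keeps imitating a system binary. Entries that match a system binary name exactly (ctfmon.exe in the sample) are deliberately not flagged, since their legitimacy depends on the path, which this check does not evaluate.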

Jul 09, 2005 06:53PM

Ok, updates on the "Funneh" problem (links to http://fightbac.com/files/Funneh.exe):

  • I'm now almost positive that it loads itself as a sort of plugin to AIM itself, or is otherwise launched only when AIM is run, hence why it doesn't show up in the HijackThis log files.
  • I still am no closer to a solution since I can't reproduce the problem, and there are too many places to look without having more detailed information
  • If and when I can get a testing setup going, I should be able to find out exactly what's going on
  • I do know for sure that using Gaim or Trillian prevents the problem since the virus won't run when launching Gaim instead of AIM, etc.

In short, I'm still working on it, I still haven't got enough information, and I still need a Windows testing machine that I can infect, then clean. I've got it narrowed down since I now know that it's hiding somewhere inside of the AIM settings and files, but that's about it. 

-Jay

Jul 06, 2005 03:04PM

Someone named Mike offered me a testing machine but unfortunately appears to have typed in their email address incorrectly. Hopefully Mike is reading this and will see this note. I tried to reply to your offer for a Windows XP testing machine but my reply was bounced back to me.

-Jay

Jul 02, 2005 12:33PM

I have confirmation back from at least one person that using Gaim does indeed prevent the virus message for http://www.fightbac.com/files/Funneh.exe from showing up. You can download Gaim from the project website by choosing the Downloads link and picking the Windows version. (If this is too complicated for you, just download it here) You may prefer Trillian to Gaim as well.

Remember that this does not remove the virus, it only prevents the messages from being sent. I will be doing the best I can to get at least a temporary testing setup for this weekend to dissect the virus, but I can't promise anything. As soon as I can I will update AIMFix to remove the virus.

-Jay

Jul 01, 2005 09:41PM

Well, it's been a while since my last news post, mostly because I've been insanely busy and/or tired when I actually do have free time. I apologize to anyone who's got a virus that isn't currently removed by AIMFix, but I've had too much work with my new full-time job and hour-long commute to be able to sit down and work out the solution to this one.

There's a virus spreading currently that's similar to the Funner worm, but instead of "funny.exe" it's "Funneh.exe" - from the same damn website that hosted funny.exe in the first place. I've tried contacting them multiple times (they're even in my old home state of CT) but their contact information and contact form all point to a nonexistent email address - yay for morons.

This particular virus points links to http://www.fightbac.com/files/Funneh.exe and sends the same message to all your buddies. Oddly enough, the website is for a "teat disinfectant" for cows...go figure. Anyway, the main reason I haven't got a fix for this in AIMFix yet is that for once, it does something new that none of the other viruses have so far. I don't know what it is yet, and until I beg/borrow/steal/have donated/whatever a test machine, I can't infect myself to find out what the problem is or how to repair it. I used to have an extra machine I could use for this purpose but it was given away when I moved and I haven't found a way to replace it yet.

I'll do my best to find a fix for this, but in the meantime, the only advice I can give you is to try and download Gaim (If you can't figure out what to download, you can get Gaim here) or Trillian and use one of them to talk on AIM. This may help at least prevent the messages from being sent by the virus, since I'm pretty sure it uses AIM-specific calls to do the sending. It's not a fix, but at least it will hopefully give some respite until I can come up with something.

Calling all generous souls: If you have a desktop or laptop with enough processing power and/or memory to run Windows XP on it that you'd be willing to donate, I'd be quite grateful for the ability to actually run the viruses in a test environment. However, you'll need to be in the NJ area or be willing to ship it to me. Otherwise, I guess I'll have to wait until I get enough donations to afford a test machine, which probably won't be happening any time soon.

-Jay
