W32.SoFunny


Aliases: I-Worm.Stina, W32/Funso.gen@MM, Win32.HLLM.Generic.2, W32/Menace-A, Win32/Funso.A@mm
Variants: WORM_MENACE.B, Worm/Stina, W32/Stina.A, Win32:Funso, I-Worm/Stina

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 09 Jul 2001
Damage: Low

Characteristics: W32.SoFunny is a password-stealing Trojan with worm capabilities. It targets AOL (America Online) users and installs itself as Microsoft420.exe.

More details about W32.SoFunny

The W32.SoFunny worm is a VB (Visual Basic) program. It spreads through the AOL (America Online) software. When the worm is run, it copies itself as “\Windows\Microsoft420.exe”. To run at Windows startup, it adds the value “microsoft420.exe” with the data “C:\Windows\microsoft420.exe” to the registry key. It drops the text file “\Windows\Microsoft420.ini” as an infection marker; “Microsoft420.ini” contains the strings “[Setup]” and “Copied=True”. The first time the worm is run, it shows a fake error message similar to “An unknown error has occurred at #000.1092”. To hide itself from the task list and run unnoticed, the W32.SoFunny program registers itself as a service process. This lets the worm keep running after you log off the computer.

W32.SoFunny obtains the window handles of running applications. This lets the worm read your username and password from the AOL login screen. W32.SoFunny can also identify the newly logged-in user and the NetBIOS name of the computer. The worm sends the intercepted information to the worm author’s anonymous e-mail address through the “mail.yahoo.com”, “mail.hotmail.com”, and “mail.angelfire.com” web-based mail servers. This means the worm can send e-mail even if no e-mail program is installed on the computer. The e-mail has the Subject “Fwd: This is some NASTY stuff! =)”, the Message “I have never seen something this nasty! You have to see it for yourself...”, and the Attachment “Microsoft420.exe” or “NASTY.exe”.
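The indicators listed above (the dropped marker file, the autorun value and the outgoing e-mail) can be checked on collected artifacts. The following Python script is an added example written for this entry, not code from the original page or from any vendor tool. It assumes the autorun value lives in a Run key (the entry above only says “the registry key”), and the INI text, autorun listing and e-mail message it checks are constructed sample data, not captures from an infected machine.

```python
import configparser
from email import message_from_string

# Indicators taken from the entry above.
DROPPER_NAME = "microsoft420.exe"
MAIL_SUBJECT = "Fwd: This is some NASTY stuff! =)"
ATTACHMENT_NAMES = {"microsoft420.exe", "nasty.exe"}

# Constructed sample artifacts (not real captures).
SAMPLE_INI = "[Setup]\nCopied=True\n"
# Assumption: values exported from a Run key, as name -> data.
SAMPLE_AUTORUN = {
    "microsoft420.exe": "C:\\Windows\\microsoft420.exe",
    "ctfmon.exe": "C:\\Windows\\System32\\ctfmon.exe",
}
SAMPLE_MAIL = """From: sender@example.invalid
To: victim@example.invalid
Subject: Fwd: This is some NASTY stuff! =)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

I have never seen something this nasty! You have to see it for yourself...
--XYZ
Content-Type: application/octet-stream; name="Microsoft420.exe"
Content-Disposition: attachment; filename="Microsoft420.exe"
Content-Transfer-Encoding: base64

TVo=
--XYZ--
"""


def marker_ini_matches(ini_text: str) -> bool:
    """True if the INI text carries the [Setup] / Copied=True marker the worm drops."""
    parser = configparser.ConfigParser()
    try:
        parser.read_string(ini_text)
    except configparser.Error:
        return False
    value = parser.get("Setup", "Copied", fallback="") if parser.has_section("Setup") else ""
    return value.strip().lower() == "true"


def autorun_entries_matching(entries: dict) -> list:
    """Names of autorun values whose name or data references the dropper (case-insensitive)."""
    return [name for name, data in entries.items()
            if DROPPER_NAME in name.lower() or DROPPER_NAME in data.lower()]


def mail_matches(raw_message: str) -> dict:
    """Check a raw RFC 822 message for the worm's subject line and attachment names."""
    msg = message_from_string(raw_message)
    subject_hit = (msg.get("Subject") or "").strip() == MAIL_SUBJECT
    attachment_hits = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower() in ATTACHMENT_NAMES:
            attachment_hits.append(filename)
    return {"subject": subject_hit, "attachments": attachment_hits}


def triage(ini_text: str, autorun_entries: dict, raw_message: str) -> list:
    """Collect one finding string per matching indicator family."""
    findings = []
    if marker_ini_matches(ini_text):
        findings.append("marker file contains [Setup] Copied=True")
    for name in autorun_entries_matching(autorun_entries):
        findings.append("autorun value references dropper: " + name)
    mail = mail_matches(raw_message)
    if mail["subject"] or mail["attachments"]:
        findings.append("outgoing mail matches worm template: "
                        + ", ".join(mail["attachments"]) if mail["attachments"]
                        else "outgoing mail matches worm subject")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_INI, SAMPLE_AUTORUN, SAMPLE_MAIL):
        print(line)
```

On a real host the INI text would come from `\Windows\Microsoft420.ini`, the autorun dictionary from an export of the Run key, and the message from a mail gateway log; the matching itself does not change.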