W32.Unfunner.A


Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Hard
Platform: W32
Discovered: 28 Jan 2005
Damage: Low

Characteristics: W32.Unfunner.A is a worm that uses MSN Messenger to propagate and attempts to undo all damage caused by W32.Funner. This worm is encrypted in Microsoft Visual Basic. When executed, W32.Unfunner performs the actions described below.

More details about W32.Unfunner.A

The [random folder] name is created by merging one or more of the following words: Application, System, Microsoft, Windows, Server, Remote, Admin, Manager, Driver, Win, Socket, Root, Device, Current, Service, and Update. The worm also copies itself into the folder from which W32.Unfunner.A was executed, using names such as W32_Funner_Removal_Tool.exe, Lindows_OS_Crack_beta.exe, DreamWeaVer-Keygen.exe, etc. The worm tries to send %Windir%\MSN_7_01.exe to the contacts stored in MSN Messenger. The worm also tries to undo the harm done by W32.Funner by deleting the following files, if present: c:\funny.exe, %System%\IEXPLORE.EXE, %System%\bsfirst2.log, %System%\EXPLORE.EXE, %System%\userinit32.exe, %System%\EXPLORER.EXE, and %Windir%\rundll32.exe. The worm deletes registry keys and resets a value under a registry subkey. The worm also restores the hosts file to the Windows default by removing its existing entries.

Once W32.Unfunner.A is executed, it displays error messages such as ‘Error in: msnmsgr.exe’ and ‘66 97 115 101 70 97 99 116 111 114’. The worm copies itself as %Windir%\MSN_7_01.exe and %System%\[Random name, ending with .dll, .exe, or .cfg].exe. W32.Unfunner.A locates the System folder and copies itself to that location. This is C:\Windows\System32 (only Windows XP), C:\Windows\System (Windows Me, Windows 98, and Windows 95), or C:\Winnt\System32 (Windows NT and Windows 2000). The worm also adds a value to a registry key so that the worm runs each time Windows starts.
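The file and folder indicators from the two paragraphs above can be checked against a file inventory. The following is an added example, not part of the original write-up: the function names, the sample paths, the case-insensitive matching and the two-word minimum for folder names are assumptions made here.

```python
import ntpath
import re

# Indicators transcribed from the description above.
DECOYS = {"w32_funner_removal_tool.exe", "lindows_os_crack_beta.exe",
          "dreamweaver-keygen.exe"}
WORDS = ["Application", "System", "Microsoft", "Windows", "Server", "Remote",
         "Admin", "Manager", "Driver", "Win", "Socket", "Root", "Device",
         "Current", "Service", "Update"]
WINDIRS = {r"c:\windows", r"c:\winnt"}
SYSDIRS = {r"c:\windows\system32", r"c:\windows\system", r"c:\winnt\system32"}
# %System%\[random name ending with .dll, .exe or .cfg].exe
DOUBLE_EXT = re.compile(r".+\.(dll|exe|cfg)\.exe", re.IGNORECASE)


def wordlist_folder(name, min_words=2):
    """True if name is a concatenation of at least min_words listed words."""
    # Assumption: min_words defaults to 2 because single words such as
    # "System" are common legitimate folder names; matching ignores case.
    alt = "|".join(map(re.escape, WORDS))
    return re.fullmatch(f"(?:{alt}){{{min_words},}}", name, re.I) is not None


def triage(paths):
    """Return (path, reason) pairs for paths that match an indicator."""
    hits = []
    for path in paths:
        parent, name = ntpath.split(path)
        parent_l, name_l = parent.lower(), name.lower()
        if name_l == "msn_7_01.exe" and parent_l in WINDIRS:
            hits.append((path, "copy in %Windir%"))
        elif parent_l in SYSDIRS and DOUBLE_EXT.fullmatch(name):
            hits.append((path, "double extension in %System%"))
        elif name_l in DECOYS:
            hits.append((path, "decoy file name"))
        elif any(wordlist_folder(part) for part in parent.split("\\")):
            hits.append((path, "word-list folder name"))
    return hits


# Constructed sample inventory (not taken from a real host).
SAMPLE = [r"C:\WINDOWS\MSN_7_01.exe", r"C:\WINDOWS\system32\qzx.dll.exe",
          r"C:\WINDOWS\system32\notepad.exe", r"D:\share\DreamWeaVer-Keygen.exe",
          r"C:\RemoteAdminService\a.exe"]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE):
        print(f"{reason:30} {path}")
```

The folder-name check is a heuristic: the description does not say where the random folder is created, so every path component is tested and matches need manual review.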