I-Worm.Stina, W32/[email protected], Win32.HLLM.Generic.2, W32/Menace-A, Win32/[email protected], WORM_MENACE.B, Worm/Stina, W32/Stina.A, Win32:Funso, I-Worm/Stina
Category: Computer Worm
Active & Spreading
Asia, North and South America, and some parts of Europe and Australia
09 Jul 2001
W32.SoFunny is a password-stealing Trojan with worm capabilities. It targets AOL (America Online) users and uses the file name Microsoft420.exe.
W32.SoFunny Removal Tool
If you have malware on your computer, it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean W32.SoFunny from your computer.
More details about W32.SoFunny
The W32.SoFunny worm is a Visual Basic (VB) program. It spreads through AOL (America Online) software. When the worm is run, it copies itself to “\Windows\Microsoft420.exe”. To run at Windows startup, it adds the value “microsoft420.exe” and “C:\Windows\microsoft420.exe” to the registry key. It drops the text file “\Windows\Microsoft420.ini” to mark its presence. “Microsoft420.ini” contains the strings “[Setup]” and “Copied=True”. The first time the W32.SoFunny worm is run, it shows a fake error message similar to “An unknown error has occurred at #000.1092”. To remove itself from the taskbar and run unnoticed, W32.SoFunny registers itself as a service process. This also lets the worm keep running after you log off your computer.
W32.SoFunny obtains the window handles of running programs. This lets the worm capture your username and password from the AOL login screen. W32.SoFunny can also identify the newly logged-in user and the NetBIOS name of the computer. The worm sends the intercepted information to the worm author’s anonymous e-mail address using the web-based mail servers “mail.yahoo.com”, “mail.hotmail.com”, and “mail.angelfire.com”. This means that the W32.SoFunny worm can send e-mail even if no e-mail program is installed on the computer. The e-mail has the Subject “Fwd: This is some NASTY stuff! =)”, the Message “I have never seen something this nasty! You have to see it for yourself...”, and the Attachment “Microsoft420.exe or NASTY.exe”.
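The indicators described above can be turned into a simple check. The following is an added example, not part of the original write-up: it looks for the dropped copy and the “Microsoft420.ini” marker in a Windows directory and matches the e-mail subject and attachment names in a raw message. The function names and the sample message are constructed for illustration, and the registry entry is not checked because the description does not name the key.

```python
import configparser
import email
from email import policy
from pathlib import Path

# Indicators taken from the description above.
WORM_COPY = "microsoft420.exe"
MARKER_INI = "microsoft420.ini"
MAIL_SUBJECT = "fwd: this is some nasty stuff! =)"
MAIL_ATTACHMENTS = {"microsoft420.exe", "nasty.exe"}

def check_windows_dir(windows_dir):
    """Return findings for the dropped copy and its marker file."""
    findings = []
    for entry in Path(windows_dir).iterdir():
        name = entry.name.lower()  # Windows file names are case-insensitive
        if not entry.is_file():
            continue
        if name == WORM_COPY:
            findings.append(f"worm copy: {entry.name}")
        elif name == MARKER_INI:
            ini = configparser.ConfigParser(interpolation=None)
            try:
                ini.read_string(entry.read_text(errors="replace"))
            except configparser.Error:
                continue  # not a parseable INI file, so not the marker
            if ini.get("Setup", "Copied", fallback="").strip().lower() == "true":
                findings.append(f"infection marker: {entry.name}")
    return findings

def check_email(raw_message):
    """Return findings for the subject line and attachment names."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    if (msg["Subject"] or "").strip().lower() == MAIL_SUBJECT:
        findings.append("subject match")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() in MAIL_ATTACHMENTS:
            findings.append(f"attachment match: {part.get_filename()}")
    return findings

# Constructed sample message (not a captured one).
SAMPLE_MAIL = (
    "Subject: Fwd: This is some NASTY stuff! =)\n"
    'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b"\n\n'
    "--b\nContent-Type: text/plain\n\nYou have to see it for yourself...\n"
    "--b\nContent-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="NASTY.exe"\n\nplaceholder\n--b--\n'
)
```

A file named Microsoft420.ini only counts as the marker when it parses as an INI file with “Copied=True” under “[Setup]”, so an unrelated file with the same name is not reported.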