Siliconhell Forum  
09-03-2005, 07:16 PM   #1
surkdidat
Join Date: Dec 2004
Location: Portsmouth, UK
Posts: 227

MSN Virus.

Everyone - be warned there is a virus going around on MSN Messenger - please read below.

http://www.pcmag.com/article2/0,1759,1675472,00.asp

You get it if you accept a document called 'funny'. Just use the link on that page to scan and get rid of it, or just use an up-to-date anti-virus thing.

Security Watch: MSN Virus is Not Funner
Top Threat: W32/Funner.A-mm

Executive Summary

Name: W32/Funner.A-mm
Affects: Windows 9x/Me/2000/XP/2003 server

What it does: Funner spreads through MSN or Microsoft Windows Messenger by sending an executable file called funny.exe to everyone in your buddy list. When it infects, it adds 937 URLs to the Windows HOSTS file, adds executable files to the Windows system folder, and makes registry changes to ensure it executes when the PC starts up.

How to avoid it: Do not accept any executable files from known or unknown buddies. Keep your antivirus product up to date.

How to remove it: The easiest is to use an up-to-date antivirus. You can also use Trend Micro's Housecall online scanner.

Fact File

Name: W32/Funner.A-mm, W32/Funner@mm
Type of virus: Windows 32 executable
Date Discovered: October 10, 2004
Executable file: userinit32.exe (though it runs 3 other files as well)
Size: 56320 bytes
Systems affected: Windows XP/2000/9x/Me/NT/Win 2003 server
Systems not affected: DOS, Windows 3.x, Linux, Mac, OS/2, Unix
Propagation: spreads via MSN messenger, Microsoft Messenger
Recipient: Harvested from victim's buddy list

Details

While not as widely affecting as some e-mail worms, W32/Funner.A emphasizes the need to be on guard with any Internet communication. Funner spreads through the MSN/Windows Messenger network. According to eWeek.com, Funner disrupted MSN communications most of the day on Monday. It uses the victim's buddy list or MSN address list to send copies of itself. When a victim executes the sent attachment, Funny.exe, it infects the user's system by dropping files into the Windows root, installation and system folders, and modifying the registry so they execute at boot time. According to Symantec, Funner adds the following files:

%System%\IEXPLORE.EXE
%System%\EXPLORE.EXE
%Windir%\rundll32.exe
%System%\userinit32.exe
c:\funny.exe
%System% is a variable meaning the default Windows system folder (C:\Windows\System, C:\Windows\System32, or C:\Winnt\System32), and %Windir% is for the default Windows installation folder (C:\Windows, C:\Windows, or C:\Winnt).

The virus creates a log file in the Windows system folder called bsfirst2.log. It has also been reported that Funner actually runs three files that "watch out" for each other. Each program checks to see if the other two are running, and if not, will restart them.

To start Funner when you reboot, the virus adds the registry value "Userinit"="userinit32.exe," to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Funner also adds the following value, to be sure RunDll32 starts with Windows, to one or more of the following registry keys:

"MMSystem"="%Windir%\rundll32.exe "%System%\mmsystem.dll"", RunDll32"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run


Trend Micro reports that Funner might add the following value:

Shell = %System%\explorer.exe

to the [boot] section of the SYSTEM.INI file of Windows 9x systems. Funner adds 937 new entries to the Windows HOSTS file. All web sites listed in the file will resolve to the IP address 222.89.98.219. Plugging this IP address into a browser will redirect you to a page at http://www.78p.com. Symantec notes that the virus may attempt to download files from this domain as well. The site returns a 404 error (page not found). We took a quick look at some of the URLs the virus puts in the HOSTS file, and they were all Chinese-language sites and domains. Trend Micro's infection statistics show the infection is highest in Asia, with Taiwan, China and Singapore as the top three. The US follows in fourth position in infection rate.

Removing Funner Manually

W32/Funner.A is easiest to remove with an up-to-date antivirus product. However, it can be removed manually. When Funner infects, like many worms, it can consume the CPU, so it is difficult to get to other programs such as regedit. You remove the main infection by deleting the files in the Windows installation, system and root folders and removing registry entries. If you're not familiar with the Registry editor, you should probably use one of the removal tools mentioned earlier. While we highly recommend you back up your registry before editing, be aware that the backup you make will contain entries associated with W32/Funner.A. Since the files are deleted, you may get errors if you restore from the backup at a future date. Once your system has been cleaned and is operating properly, you may want to delete the backup.

1. Disable System Restore if you're using Windows XP or Me. When you make changes to your system, Windows creates a restoration checkpoint. If the OS does this while the system is infected, the worm may come back later, should you perform a restore. Also, most antivirus products cannot remove infected files from the restore cache.
2. Restart the computer in Safe mode. Since the W32/Funner.A worm creates processes and Windows doesn't allow you to delete files connected with running processes, restarting is necessary. Using Safe mode prevents Windows from loading drivers and Auto Run entries, so when your system boots, it's relatively clean.
3. Run a full system scan with an updated antivirus scanner (or one of the online scanners mentioned previously). If your scanner does not remove everything, follow the next few steps.
4. Delete the files flagged as infected by the antivirus from the various Windows folders. You can also go directly to the Windows system folder and remove the following files:

%System%\IEXPLORE.EXE
%System%\EXPLORE.EXE
%Windir%\rundll32.exe
%System%\userinit32.exe
c:\funny.exe

5. Make a backup of the registry before you edit. Delete the Run entries associated with Funner from the registry. These will be flagged by the antivirus program, or you can go directly to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

and delete the value:

"Userinit"="userinit32.exe,"

Find the following keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

and delete the value:

"MMSystem"="%Windir%\rundll32.exe "%System%\mmsystem.dll"", RunDll32"

Exit the registry editor.
6. If you're using Windows 9x/Me, click on Start, then Run. In the Run window, type "Edit c:\windows\system.ini" and press Enter. Search for: shell=explorer.exe  If it is present and has anything to the right of .exe, delete it. The final line should look like the above. Click on File, Save, then File, Exit (ALT F S and ALT F X).
7. To remove the entries in the HOSTS file, follow our tip: Fix Your Hosts File.
8. Re-enable System Restore.
9. Reboot the machine.
10. Rescan with your antivirus to be sure all files are clean.
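As an added example (not part of the PC Magazine article or the post above), the following Python script checks offline copies of the two artefacts the "Details" section and the removal steps rely on: a HOSTS file and a `reg export` text dump of the Winlogon and Run keys. It reports hostnames pinned to 222.89.98.219, a Userinit value referencing userinit32.exe, and the MMSystem value; the embedded sample inputs are constructed, and in practice you would point it at files exported from the suspect machine.

```python
import re

FUNNER_IP = "222.89.98.219"   # address every injected HOSTS entry resolves to (per the article)
# One line of a .reg export: "Name"="data", with \\ and \" escapes allowed inside both.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def hosts_hijacks(hosts_text: str, ip: str = FUNNER_IP) -> list[str]:
    """Return the hostnames that a HOSTS file pins to the worm's sinkhole address."""
    names = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blank lines
        parts = line.split()
        if len(parts) >= 2 and parts[0] == ip:
            names.extend(parts[1:])
    return names


def suspicious_reg_values(reg_text: str) -> list[tuple[str, str, str]]:
    """Scan a `reg export` dump for the Userinit / MMSystem persistence values."""
    hits, key = [], ""
    for line in reg_text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                            # new key section
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())  # unescape \\ and \"
        if name.lower() == "mmsystem" or "userinit32.exe" in data.lower():
            hits.append((key, name, data))
    return hits


# Constructed samples (not captured from a real machine); two stand in for the 937 entries.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
222.89.98.219   www.hijacked-one.invalid
222.89.98.219   www.hijacked-two.invalid   # constructed
10.0.0.5        intranet.corp.invalid
"""
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="userinit32.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MMSystem"="%Windir%\\rundll32.exe \"%System%\\mmsystem.dll\", RunDll32"
"Legit"="C:\\Program Files\\Example\\tray.exe"
"""

if __name__ == "__main__":
    for host in hosts_hijacks(SAMPLE_HOSTS):
        print("HOSTS hijack:", host)
    for key, name, data in suspicious_reg_values(SAMPLE_REG):
        print(f"Registry persistence: [{key}] {name} = {data}")
```

On a live Windows box the dump is produced with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` (and likewise for the Run keys), and the HOSTS file lives under %System%\drivers\etc on NT-based systems.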
10-03-2005, 01:33 PM   #2
mystryn

Thanks for the info
10-03-2005, 02:17 PM   #3
Mike
Join Date: Jun 2003
Location: Wigan, UK
Posts: 3,007

Thanks for the warning, I use MSN a lot.

I urge everyone who has a computer to install a firewall and an antivirus product. Trust me, don't use ones that you have acquired; you never know what has been done to them!

I have worked in the Computing arena for 15 years now and I know what I'm talking about ;-) I personally use Norton on one of my machines and AVG and ZoneAlarm on another.

09-08-2005, 03:44 PM   #4
Spaz

I never use messenger anyway!