Virus

W32/Funner.A!worm.im

Analysis

This virus is a 32-bit executable packed with ASPack, with a file size of 56,320 bytes. It was coded in Visual Basic 6 and contains instructions to send itself to other contacts found in the MSN Messenger chat application. The virus also modifies the "hosts" configuration file to prevent the system from reaching many web sites.
If the virus is run on a system, it will create the following files in the System32 folder -
explorer.exe
iexplore.exe
userinit32.exe
The virus also writes itself as "rundll32.exe" into the Windows folder.
Next, it pries into the data files of the running MSN Messenger application to locate other MSN chat users and sends itself to those recipients as "funny.exe". This file is stored locally as "c:\funny.exe".
Loading at Windows startup
The virus will modify the registry to run at each Windows startup -
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
"MMSystem" = c:\winnt\rundll32.exe "c:\winnt\system32\mmsystem.dll"", RunDll32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"MMSystem" = c:\winnt\rundll32.exe "c:\winnt\system32\mmsystem.dll"", RunDll32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
"Userinit" = C:\WINNT\system32\userinit32.exe
*Old value was "C:\WINNT\system32\userinit.exe"
Web site redirect
The virus will overwrite the "hosts" file, commonly stored at 'C:\WINNT\system32\drivers\etc\hosts'. The new hosts file has redirection entries for 937 web sites, most if not all of them located in China and elsewhere in Asia. These are examples of the hosts file entries written by the virus -
222.89.98.219 www.666ccc.com
222.89.98.219 www.666e.com
222.89.98.219 www.qq530.com
222.89.98.219 www.vv66.com
222.89.98.219 www.dj99.net
Each of the above lines forces the browser to connect to the IP address 222.89.98.219 whenever the user attempts to visit the web site named to the right of that IP address in the hosts file.
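As an added illustration (not part of the Fortinet analysis), the following Python triage helper flags the two traces described above: a hosts file whose entries send many hostnames to one external address, and a Winlogon "Userinit" value that no longer names the stock userinit.exe. The sample hosts text is constructed from the entries listed above, and the expected Userinit path is the old value the analysis reports; both are assumptions for the demonstration.

```python
from typing import Dict, List

# Constructed sample: the usual loopback entry plus entries of the kind
# the analysis above reports the worm writing into the hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
222.89.98.219 www.666ccc.com
222.89.98.219 www.666e.com
222.89.98.219 www.qq530.com
222.89.98.219 www.vv66.com
222.89.98.219 www.dj99.net
"""

LOCAL_IPS = {"127.0.0.1", "::1"}


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map each IP address in a hosts file to the hostnames it answers for.
    Comments (#...) and blank lines are ignored, as the resolver ignores them."""
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        mapping.setdefault(ip, []).extend(names)
    return mapping


def suspicious_redirects(text: str, threshold: int = 3) -> Dict[str, List[str]]:
    """Return non-loopback IPs that claim `threshold` or more hostnames.
    A legitimate hosts file rarely points many public sites at one external
    address, so a mass redirect like the one above stands out immediately."""
    return {ip: names for ip, names in parse_hosts(text).items()
            if ip not in LOCAL_IPS and len(names) >= threshold}


# Assumed expected value, taken from the "old value" the analysis reports.
EXPECTED_USERINIT = r"C:\WINNT\system32\userinit.exe"


def userinit_tampered(value: str, expected: str = EXPECTED_USERINIT) -> bool:
    """True if the Winlogon Userinit value does not name the stock userinit.exe.
    The stock value may legitimately carry a trailing comma, which is tolerated."""
    normalized = value.strip().rstrip(",").strip().lower()
    return normalized != expected.lower()
```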

Recommended Action

Check the web interface of your FortiGate unit to ensure the latest AV/NIDS definitions have been downloaded and installed on your system; if required, enable the "Allow Push Update" option.