The contents of folders with names containing: The worm uses a function that will recursively scan folders on the fixed drives. This original FunLove text Fun Loving Criminal now reads AAVAR 2002 in Seoul and the file infector is dropped in a file named AAVAR.PIF (instead of flcss.exe). ocx executables on the local drives and network shares. every 2 seconds.Ī version of Win32.FunLove.4070 is dropped to a temporary file in the Windows System folder and executed this virus will start infecting.
The worm will attempt to stop any services or processes which include one of the substrings:Ī function that terminates these services and processes is called aprox. The worm will register both its original copy and the newly-dropped copy to be run at startup, by creating WIN‹NNNN› entries under the registry keys named in the Symptoms section.Ī mutex called ~~ Drone Of StarCraft~~ is used by the virus to avoid multiple execution of some code sequences. The run copy compares its own tick count with the parameter to see if it was run after less than half a second since the original copy had invoked it otherwise (for example, when the worm is run at start-up), the following message box is displayed: The worm copies itself to the Windows System folder as WIN‹NNNN›.pif ( ‹NNNN› being a random number) and then executes this copy with a command line parameter specifying the tick count (number of miliseconds elapsed since system start-up). The worm exploits the IFRAME vulnerability in order for the attached executable to be automatically launched when the message is displayed in the preview pane, and the Microsoft VM ActiveX Component vulnerability in order for the HTM file to add CEO to the executable files extensions and the worm to be run when the user opens the attached CEO file. ‹random name›.GIF (120 bytes) MUSIC_2.CEO Invariably, Anti-Virus Program is very foolish. Or: ‹Unreadable characters›Trand Microsoft Inc.ĪVAR(Association of Anti-Virus Asia Reseachers) - Report. Or: ‹Unreadable characters›‹Registered Organization› Subject: Re: AVAR(Association of Anti-Virus Asia Reseachers) Or: ‹forged address› (may be the same with the recipient\'s) It arrives attached to an email message in the following format:
Most of its strings are encrypted and the worm brings along the Win32.FunLove.4070 file infector once again. This version of was written in Visual C++. If you are running Windows 95/98/Me you will have to apply the following patch provided by Microsoft to stop the virus from using the Share Level Password vulnerability. To prevent the virus from replicating itself from infected machines to clean machines, you should try to disinfect all computers in the network before rebooting any of them, or unplug the network cables. You may also need to restore the affected files.įor preventing this virus to use the IFRAME exploit apply the patch Microsoft released
0 kommentar(er)
