WORM_MENACE.B

Malware type: Worm

Aliases: W32/Funso.gen@MM (McAfee), W32.Sofunny (Symantec), Worm/Stina (Avira), W32/Menace-A (Sophos)

In the wild: No

Destructive: No

Language: English

Platform: Windows

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Description: 

This Internet worm and AOL password-stealer uses AOL6 to propagate copies of itself as an executable attachment.

Upon its first execution, it displays a bogus error message box as a decoy and then installs itself on the target system. It copies itself into the Windows directory and modifies the registry and WIN.INI so that the copy executes at every Windows startup.

Description created: Jan. 28, 2002 4:45:16 PM GMT -0800
Description updated: Feb. 1, 2002 1:41:38 AM GMT -0800


TECHNICAL DETAILS


Size of malware: 94,208 Bytes

Initial samples received on: Jan 25, 2002

Details:

Installation

Upon first execution, this worm displays a message box with these text strings:

Title: Fatal Error #6834
An unknown error has occurred at #000.1092.

Then, it copies itself into the Windows folder and creates the following registry entry so that its copy executes at system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run
microsoft420="c:\windows\microsoft420.exe"

It also modifies the system file WIN.INI so that it is executed during Windows startup. The modified [windows] section of WIN.INI appears as follows:

run=C:\WINDOWS\microsoft420.exe

It also drops a MICROSOFT420.INI file in the Windows folder.

Propagation

This worm uses AOL6 to send out copies of itself as an attachment in an email with the following details:

Subject: Fwd: This is some NASTY stuff! =)
Message Body: I have never seen something this nasty! You have to see it for yourself...
Attachment: MICROSOFT420.EXE

Stealing AOL Passwords

Aside from sending email, this worm steals AOL passwords and then sends them to its author at the email address sofunnie@hotmail.com.

Other Details

This worm contains the following text strings:

SOFUNNY AOL PWS for version 4, 5, & 6. Now a Worm too! By Menace.


SOLUTION


Minimum scan engine version needed: 5.200

Pattern file needed: 1.208.00

Pattern release date: Jan 25, 2002


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection.

Solution:

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup. Note that this does not stop a copy that is already running; terminate the MICROSOFT420.EXE process (or restart Windows after the entries below are removed) before deleting the files.

  1. Open Registry Editor. Click Start>Run, type REGEDIT then hit the enter key.
  2. In the left panel, double click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    microsoft420
  4. Close Registry Editor.

Removing Autostart Entries from System Files

Malware may modify system files so that it automatically executes at every Windows startup. These startup entries must be removed before the system can be restarted safely.

  1. Open System Configuration Editor. Click Start>Run, type SYSEDIT then hit the Enter key.
  2. In System Configuration Editor, select the Win.ini window.
  3. Under the [windows] section, locate the following line. The string after the equals sign is the path and filename of the malware file:
    run=C:\%Windows%\microsoft420.exe
  4. On that line, delete the malware path and filename, leaving only:
    run=
  5. Close System Configuration Editor and click Yes when prompted to save.

Deleting Dropped Malware Files

Delete the file MICROSOFT420.INI in the Windows directory, which is usually C:\Windows or C:\WinNT. The worm's own copy, MICROSOFT420.EXE in the same directory, is removed by the antivirus scan below; it can also be deleted manually once its process has been terminated.
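The following PowerShell script is an added example and is not part of the original Trend Micro entry. It checks a host for the indicators listed under Installation and Other Details above (the Run value, the WIN.INI run= line, the dropped EXE and INI, the reported file size and the embedded "SOFUNNY AOL PWS" string) and, when run with the assumed -Remove switch, performs the three manual removal steps from this section, terminating the process first so the EXE is not locked. The variable and switch names are this example's own choices.

```powershell
# Added example, not code from the original entry. Run from an elevated prompt.
# Without -Remove the script only reports; with -Remove it cleans up.
param(
    [switch]$Remove
)

$ErrorActionPreference = 'Stop'
$windir  = $env:windir
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valName = 'microsoft420'                     # Run value name from the entry
$exePath = Join-Path $windir 'microsoft420.exe'
$iniPath = Join-Path $windir 'microsoft420.ini'
$winIni  = Join-Path $windir 'win.ini'
$runLine = '^\s*run\s*=.*microsoft420\.exe'   # matches the modified [windows] line

$findings = @()

# 1. Registry autostart value under the Run key.
$runVal = Get-ItemProperty -Path $runKey -Name $valName -ErrorAction SilentlyContinue
if ($runVal) {
    $findings += "Run value '$valName' = $($runVal.$valName)"
}

# 2. run= line in WIN.INI pointing at the worm.
$badIniLines = @()
if (Test-Path $winIni) {
    $badIniLines = @(Get-Content $winIni | Where-Object { $_ -match $runLine })
    if ($badIniLines.Count -gt 0) {
        $findings += "WIN.INI: $($badIniLines -join '; ')"
    }
}

# 3. Dropped files, corroborated with the reported size (94,208 bytes) and
#    the author string the entry lists under Other Details.
if (Test-Path $exePath) {
    $size      = (Get-Item $exePath).Length
    $hasString = Select-String -Path $exePath -Pattern 'SOFUNNY AOL PWS' -Quiet
    $findings += "File present: $exePath ($size bytes; author string present: $hasString)"
}
if (Test-Path $iniPath) {
    $findings += "File present: $iniPath"
}

if ($findings.Count -eq 0) {
    'No WORM_MENACE.B indicators found.'
    return
}
$findings

if ($Remove) {
    # Stop the running copy before touching its files.
    Get-Process -Name 'microsoft420' -ErrorAction SilentlyContinue | Stop-Process -Force

    if ($runVal) {
        Remove-ItemProperty -Path $runKey -Name $valName
    }
    if ($badIniLines.Count -gt 0) {
        # Keep the run= key but drop the malware path, as the manual steps do.
        (Get-Content $winIni) | ForEach-Object {
            if ($_ -match $runLine) { 'run=' } else { $_ }
        } | Set-Content $winIni
    }
    foreach ($f in @($exePath, $iniPath)) {
        if (Test-Path $f) { Remove-Item $f -Force }
    }
    'Removal complete; restart Windows and rescan.'
}
```

The size and string checks are there to separate this sample from a benign file that happens to share the name; a size other than 94,208 bytes or a missing string does not rule the file out (a variant may differ), so any hit on the Run value or WIN.INI line should still be treated as suspect and submitted to an antivirus scan.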

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_MENACE.B. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other users may use HouseCall, Trend Micro's free online virus scanner.
