Kaspersky Threats — FunnyPics

Class

Platform

Description

Technical Details

This virus spreads via the Internet as an attachment to infected messages. The worm itself is a Windows PE EXE file 14136 bytes in size.

Installation

The worm copies itself to the Windows root directory as brsh32.exe:

%WinDir%brsh32.exe

It then registers this file in the Windows system registry as a new service. This ensures that the worm will be launched each time Windows is rebooted on the victim machine:

[HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices]
 "brsh32Service"="%WinDir%brsh32.exe -q"

The worm will:

spread via email
make remote administration of the victim machine possible via a backdoor

The worm sends itself to email addresses harvested from the victim machine.

When sending infected messages, the worm establishes a direct connection to the recipient’s SMTP server.

Email Subject

The message subject is chosen at random from the list below:

are you ready to enjoy?
do you wanna laugh out?
Download funny pics for free!
download screensavers for free!
Free pics and screensavers
free screensaver
funny pics is online again!
funnypics special offer
huff OUT!
humor OnLine
hunk of fun!
Listen to Dr.Fun
pics & screensavers
ready? steady? laugh!
Save your screen!
what you wanna see?

Email Contents

The message body does not change, and is as follows:

Funny Pics Inc. strikes back with more free stuff.Visit our new website with lots of funny pics and new screensavers like this! www.funnypics.com

Attachment

The worm sends a copy of itself in the following attachment: %windir%brsh32.exe. However, it disguises this file as a picture from www.funnypics.com.

The attachment name is chosen at random from the list below:

billBates.scr
bzzz.scr
funnyPic.scr
intelAside.scr
kennyIsAlive.scr
mac0s.scr
matrix-SP.scr
mrBrown.scr
nastyPokemon.scr
paradise.scr
phantomMenaze.scr
southPark.scr
SouthParkOuttaSpace.scr
starWarz.scr
waaazUp.scr
x-filez.scr

Payload

The worm will open a TCP port between 8000 and 8255 (chosen at random) and will listen for commands.

This provides a remote malicious user with full access to the victim machine, making it possible to get information from the victim machine, download, launch and delete files.

Removal instructions

Delete the following registry key:
[HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices]
“brsh32Service”=”%WinDir%brsh32.exe -q”
Using Task Manager, stop the process called brsh32.exe.
Delete the following file: %WinDir%brsh32.exe.
Perform a full scan of your computer (download trial version of Kaspersky Anti-Virus).

Class	Email-Worm
Platform	Win32
Description	Technical Details This virus spreads via the Internet as an attachment to infected messages. The worm itself is a Windows PE EXE file 14136 bytes in size. Installation The worm copies itself to the Windows root directory as brsh32.exe: %WinDir%brsh32.exe It then registers this file in the Windows system registry as a new service. This ensures that the worm will be launched each time Windows is rebooted on the victim machine: [HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices] "brsh32Service"="%WinDir%brsh32.exe -q" The worm will: spread via email make remote administration of the victim machine possible via a backdoor The worm sends itself to email addresses harvested from the victim machine. When sending infected messages, the worm establishes a direct connection to the recipient’s SMTP server. Email Subject The message subject is chosen at random from the list below: are you ready to enjoy? do you wanna laugh out? Download funny pics for free! download screensavers for free! Free pics and screensavers free screensaver funny pics is online again! funnypics special offer huff OUT! humor OnLine hunk of fun! Listen to Dr.Fun pics & screensavers ready? steady? laugh! Save your screen! what you wanna see? Email Contents The message body does not change, and is as follows: Funny Pics Inc. strikes back with more free stuff.Visit our new website with lots of funny pics and new screensavers like this! www.funnypics.com Attachment The worm sends a copy of itself in the following attachment: %windir%brsh32.exe. However, it disguises this file as a picture from www.funnypics.com. The attachment name is chosen at random from the list below: billBates.scr bzzz.scr funnyPic.scr intelAside.scr kennyIsAlive.scr mac0s.scr matrix-SP.scr mrBrown.scr nastyPokemon.scr paradise.scr phantomMenaze.scr southPark.scr SouthParkOuttaSpace.scr starWarz.scr waaazUp.scr x-filez.scr Payload The worm will open a TCP port between 8000 and 8255 (chosen at random) and will listen for commands. This provides a remote malicious user with full access to the victim machine, making it possible to get information from the victim machine, download, launch and delete files. Removal instructions Delete the following registry key: [HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices] “brsh32Service”=”%WinDir%brsh32.exe -q” Using Task Manager, stop the process called brsh32.exe. Delete the following file: %WinDir%brsh32.exe. Perform a full scan of your computer (download trial version of Kaspersky Anti-Virus).

Email-Worm.Win32.FunnyPics