Trojan.Win32.Menace

Class Trojan
Platform Win32
Description

Technical Details

This is a virus-worm that spreads via the Internet using the AOL client. The worm
itself is a Win32 application (PE EXE file) about 86K in size, and is written in
Visual Basic 6.0.

The worm arrives as a SOFUNNY.EXE file attached to an e-mail message that has one of
two Subjects and the same Body:

Subject1: Fwd: This is great! =)
Subject2: Fwd: This is hilarious! =)
Body: You guys have to download this! This really is funny!

To spread, the worm waits until the AOL client is active, manipulates the AOL
functions, gains access to in-box e-mails, and replies to them with infected
messages (note: this has not been tested in the lab).

The worm also has password-stealing ability, and sends AOL logins
and passwords from infected computers to its host.

When the worm is run (from an infected message), it displays a fake error message:

Fatal Error #6834
An unknown error has occurred.

The worm then copies itself to the Windows directory exactly as follows:

C:\WINDOWS\msdos423.exe
C:\WINDOWS\SOFUNNY.exe

One of these files is then registered in the auto-run registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
msdos423 = c:\windows\msdos423.exe

The worm also creates an additional file, C:\WINDOWS\msdos423.ini, and stores its status there, for example:

[Setup]
Copied = True
Sent = True
Uploaded = True

The worm also contains the “copyright” text strings:

AOL PWS for version 4, 5, & 6. Now a worm too! By Menace
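
A triage sketch built from the indicators above, added here as an example and not part of the original description: it checks `reg query` output for the Run key, a file listing, and the contents of msdos423.ini. The function names and the sample inputs are constructed for illustration.

```python
import configparser
import re

# Indicators from the description above; compared case-insensitively.
RUN_VALUE = "msdos423"
DROPPED = {r"c:\windows\msdos423.exe", r"c:\windows\sofunny.exe"}
MARKER_INI = r"c:\windows\msdos423.ini"
FLAGS = ("copied", "sent", "uploaded")

def run_key_hits(reg_text):
    """Match values in `reg query` output for the Run key against the worm's entry."""
    hits = []
    for line in reg_text.splitlines():
        m = re.match(r"\s+(.+?)\s+REG_(?:EXPAND_)?SZ\s+(.*)$", line)
        if m:
            name, data = m.group(1), m.group(2).strip().strip('"')
            if name.lower() == RUN_VALUE or data.lower() in DROPPED:
                hits.append((name, data))
    return hits

def file_hits(paths):
    """Return listed paths that are one of the dropped copies or the marker file."""
    return [p for p in paths if p.lower() in DROPPED | {MARKER_INI}]

def marker_flags(ini_text):
    """Parse msdos423.ini text; return {flag: bool}, or None without a [Setup] section."""
    cp = configparser.ConfigParser()
    try:
        cp.read_string(ini_text)
        if not cp.has_section("Setup"):
            return None
        # The page does not define the flags; they are reported as found, not interpreted.
        return {k: cp.getboolean("Setup", k, fallback=False) for k in FLAGS}
    except (configparser.Error, ValueError):
        return None

def triage(reg_text, paths, ini_text=None):
    """Combine the three checks into one result for a host."""
    flags = marker_flags(ini_text) if ini_text is not None else None
    return {"run_key": run_key_hits(reg_text), "files": file_hits(paths), "flags": flags}

# Constructed sample inputs (not captured from a real host).
SAMPLE_REG = (
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "    SystemTray    REG_SZ    SysTray.Exe\n"
    "    msdos423    REG_SZ    c:\\windows\\msdos423.exe\n"
)
SAMPLE_PATHS = [r"C:\WINDOWS\NOTEPAD.EXE", r"C:\WINDOWS\SOFUNNY.exe", r"C:\WINDOWS\msdos423.ini"]
SAMPLE_INI = "[Setup]\nCopied = True\nSent = True\nUploaded = False\n"
```

Calling `triage(SAMPLE_REG, SAMPLE_PATHS, SAMPLE_INI)` returns the matching Run value, the two matching paths, and the parsed flags.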