Troj/Funot-A is a Trojan for the Windows platform that includes the functionality to
replace existing files using the original filenames with the text file, rename existing files using names constructed from a predefined list, create text files, and to access the internet and communicate with a remote server via HTTP.
Troj/Funot-A is a Trojan for the Windows platform that includes the following functionality:
-replaces existing files with a text file that contains the following message:
"Fun X27 .::@li-RNo.H.::.VasVase"
-renames existing files using names constructed from a predefined list similar to the following:
3k30
Baby Names hot
activex IT
amizesh.co
bank iran
bandar golpa
bbc
card
boot
carpet iran
...
-creates text files that contain the following message:
"Fun X27 .::@li-RNo.H.::.VasVase"
using names contructed from a predefined list similar to the following:
Vigen es.scf
bank.scf
business
com stories depot
farsi.scf
font
helper windows hedyeh
india islam iran.scf
iran information.scf
iran poem
iran sex
iran sites boobs
iran.scf
iraniansexyax iraniansexyaks
...
-attempts to access the internet and communicate with a remote server via HTTP
When first run Troj/Funot-A copies itself to the current folder with filenames similar to the following:
High hack rape.EXE
bank.exe
farsi sex Ebi.EXE
farsi.exe
ir3x.com salamiran word.EXE
iran picture iran666.EXE
where names of the copies may vary and are constructed from predefined lists.
In order to be able to run automatically at startup Troj/Funot-A sets a number of registry entries to the following:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<number>
<filename>
where <number> may vary and <filename> is one of the names of the Trojan copies.
Also Troj/Funot-A creates the file VASVASe.HTML in the current folder, containing the following message:
.\VASVASe.\
No Worm ; No Spy ; No Trojan ; This is Fun X27
http://www.vasvase27.blogfa.com