FRISK Software International


Summary of VBS/TonFun.A
Length: 1647 bytes
Discovered: 17 Mar 2003
Definition files: 20 Mar 2003
Risk Level: Low
Distribution: Low
Payload: Depending on certain factors, this trojan tries to inject an automatic "format c:" command into autoexec.bat, which can lead to data loss.
 

Brief Description
VBS/TonFun.A is a trojan written in Visual Basic Script, targeting Y!Tunnel/Y!Tunnel Pro users.

Y!Tunnel is a free add-on for Yahoo! Messenger aiming to protect Messenger users from abusive and malicious chatroom activity.

VBS/TonFun.A can distribute itself through file-sharing programs, such as Kazaa, Kazaa Lite and Grokster, by placing a copy of itself in the shared folders used by those programs under the name "Ytunnel Pro Crack" with the double extension .exe.vbs.


Technical Description
The first thing this trojan does is check whether any of the following directories exist:

"C:\Program Files\Kazaa\My Shared Folder"
"C:\Program Files\KaZaA Lite\My Shared Folder"
"C:\Program Files\Grokster\My Grokster"

If any of these directories exists, the trojan copies itself there under the name "Ytunnel Pro Crack.exe.vbs". The trojan then tries to determine whether the Y!Tunnel/Y!Tunnel Pro software is present on the user's computer. Y!Tunnel is a free add-on for Yahoo! Messenger aiming to protect Messenger users from abusive and malicious chatroom activity. If that software is installed in any of the following locations:

"C:\Program Files\Y!Tunnel"
"C:\Program Files\Y!TunnelPro SP1"
"C:\Program Files\Y!TunnelPro SP2"

the trojan tries to use the ping.exe command to send ICMP "echo request" messages of a certain size for an unlimited amount of time, thus potentially trying to perform a DoS attack against the website of the makers of the Y!Tunnel software.

However, due to a coding error, this part will fail to function.

Depending on the conditions mentioned above, the trojan also adds an automatic "format c:" instruction to Autoexec.bat if that file exists on the C: drive.
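
A triage check built from the indicators in the description above, as an added example that is not FRISK's code: it scans a mounted copy of the C: volume for the dropped file in the three shared folders and for an active format command in Autoexec.bat. The function names, the extension lists and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Folder names, dropped file name and length are taken from the description above.
SHARED_DIRS = ["Program Files/Kazaa/My Shared Folder",
               "Program Files/KaZaA Lite/My Shared Folder",
               "Program Files/Grokster/My Grokster"]
DROPPED_NAME = "ytunnel pro crack.exe.vbs"
REPORTED_LENGTH = 1647
# Assumed extension lists: program-looking extension followed by a script one.
DOUBLE_EXT = re.compile(r"\.(exe|com|scr|pif)\.(vbs|vbe|js|wsf)$", re.I)
FORMAT_C = re.compile(r"\bformat(\.com|\.exe)?\s+c:", re.I)
COMMENT = re.compile(r"(rem\b|::)", re.I)

def scan_volume(root):
    """Return (kind, relative path, detail) findings for a mounted copy of C:."""
    root, findings = Path(root), []
    for rel in SHARED_DIRS:
        folder = root / rel
        if not folder.is_dir():
            continue
        for f in sorted(folder.iterdir()):
            if f.is_file() and DOUBLE_EXT.search(f.name):
                kind = "dropped-copy" if f.name.lower() == DROPPED_NAME else "double-extension"
                size = "length matches" if f.stat().st_size == REPORTED_LENGTH else "length differs"
                findings.append((kind, f.relative_to(root).as_posix(), size))
    for f in root.iterdir():  # match Autoexec.bat regardless of case
        if f.is_file() and f.name.lower() == "autoexec.bat":
            lines = f.read_text(errors="replace").splitlines()
            for n, line in enumerate(lines, 1):
                line = line.strip().lstrip("@")
                if FORMAT_C.search(line) and not COMMENT.match(line):
                    findings.append(("autoexec-format", f.name, f"line {n}: {line}"))
    return findings

def build_sample(root):
    """Constructed sample tree: one dropped copy, one benign file, a modified autoexec."""
    shared = Path(root) / SHARED_DIRS[0]
    shared.mkdir(parents=True)
    (shared / "Ytunnel Pro Crack.exe.vbs").write_bytes(b"'" * REPORTED_LENGTH)
    (shared / "song.mp3").write_bytes(b"\0" * 10)
    (Path(root) / "AUTOEXEC.BAT").write_text("@echo off\nrem format c: /q\nformat c:\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding in scan_volume(tmp):
            print(finding)
```

A length match is only a hint, and any "autoexec-format" finding should be reviewed and removed before the machine is rebooted.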


Analysis/Description: Sindri Bjarnason, Virus-analyst FRISK Software Viruslab
 

